fortiguard
Use this command to configure communications with the FortiGuard Distribution Network (FDN) for FortiGuard subscription services such as:
FortiGuard Antivirus and IPS
FortiGuard Web Filtering and Antispam
FortiGuard Analysis and Management Service
FortiGuard DNS-based web filtering
For FortiGuard Antivirus and IPS, Web Filtering and Antispam, you can alternatively use this command to configure the FortiGate unit to communicate with a FortiManager system, which can act as a private FortiGuard Distribution Server (FDS) for those services.
By default, FortiGate units connect to the FDN using a set of default connection settings. You can override these settings to use IP addresses and port numbers other than the defaults. For example, if you have a FortiManager unit, you might download a local copy of FortiGuard service updates to the FortiManager unit, then redistribute those updates by configuring each FortiGate unit’s server override feature to connect to the FortiManager unit’s private FDS IP address.
 
If the FortiGate unit is unable to connect to the FDN, verify connectivity on required ports. For a list of required ports, see the Fortinet Knowledge Center article Traffic Types and TCP/UDP Ports Used by Fortinet Products.
Remote administration by a FortiManager system is mutually exclusive with remote administration by FortiGuard Analysis and Management Service. For information about configuring remote administration by a FortiManager system instead, see system central-management.
Syntax
config system fortiguard
    set antispam-cache {enable | disable}
    set antispam-cache-mpercent <ram_int>
    set antispam-cache-ttl <ttl_int>
    set antispam-expiration
    set antispam-force-off {enable | disable}
    set antispam-license
    set antispam-timeout <timeout_int>
    set auto-join-forticloud {enable | disable}
    set avquery-cache {enable | disable}
    set avquery-cache-mpercent <max_int>
    set avquery-cache-ttl <ttl_int>
    set avquery-expiration
    set avquery-force-off {enable | disable}
    set avquery-license
    set avquery-timeout <timeout_int>
    set ddns-server-ip <IPv4_addr>
    set ddns-server-port <port_int>
    set load-balance-servers <number>
    set port {53 | 8888 | 80}
    set source-ip <ip4_addr>
    set webfilter-cache {enable | disable}
    set webfilter-cache-ttl <ttl_int>
    set webfilter-expiration
    set webfilter-force-off {enable | disable}
    set webfilter-license
    set webfilter-sdns-server-ip
    set webfilter-sdns-server-port
    set webfilter-timeout <timeout_int>
end
Variables
antispam-cache {enable | disable}
    Enable or disable caching of FortiGuard Antispam query results, including IP address and URL block list.
    Enabling the cache can improve performance because the FortiGate unit does not need to access the FDN or FortiManager unit each time the same IP address or URL appears as the source of an email. When the cache is full, the least recently used cache entry is replaced.
    Default: enable
antispam-cache-mpercent <ram_int>
    Enter the maximum percentage of memory (RAM) to use for antispam caching. Valid percentage ranges from 1 to 15.
    Default: 2
antispam-cache-ttl <ttl_int>
    Enter a time to live (TTL), in seconds, for antispam cache entries. When the TTL expires, the cache entry is removed, requiring the FortiGate unit to query the FDN or FortiManager unit the next time that item occurs in scanned traffic. Valid TTL ranges from 300 to 86400 seconds.
    Default: 1800
antispam-expiration
    The expiration date of the FortiGuard Antispam service contract.
    This variable can be viewed with the get command, but cannot be set.
    Default: N/A
antispam-force-off {enable | disable}
    Enable to stop FortiGuard Antispam service on this FortiGate unit.
    Default: disable
antispam-license
    The interval of time between license checks for the FortiGuard Antispam service contract.
    This variable can be viewed with the get command, but cannot be set.
    Default: 7
antispam-timeout <timeout_int>
    Enter the FortiGuard Antispam query timeout. Valid timeout ranges from 1 to 30 seconds.
    Default: 7
auto-join-forticloud {enable | disable}
    Enable or disable automatically joining FortiCloud service.
    Default: disable
avquery-cache {enable | disable}
    Enable or disable caching of FortiGuard Antivirus query results.
    Enabling the cache can improve performance because the FortiGate unit does not need to access the FDN each time the same IP address or URL appears as the source of an email. When the cache is full, the least recently used cache entry is replaced.
    Default: enable
avquery-cache-mpercent <max_int>
    Enter the maximum memory to be used for FortiGuard Antivirus query caching. Valid percentage ranges from 1 to 15.
    Default: 2
avquery-cache-ttl <ttl_int>
    Enter a time to live (TTL), in seconds, for antivirus cache entries. When the TTL expires, the cache entry is removed, requiring the FortiGate unit to query the FDN or FortiManager unit the next time that item occurs in scanned traffic. Valid TTL ranges from 300 to 86400 seconds.
    Default: 1800
avquery-expiration
    The expiration date of the FortiGuard Antivirus service contract.
    This variable can be viewed with the get command, but cannot be set.
    Default: N/A
avquery-force-off {enable | disable}
    Enable to stop FortiGuard AV query service on this FortiGate unit.
    Default: disable
avquery-license
    The interval of time between license checks for the FortiGuard Antivirus service contract.
    This variable can be viewed with the get command, but cannot be set.
    Default: Unknown
avquery-timeout <timeout_int>
    Enter the time limit in seconds for the FortiGuard Antivirus service query timeout. Valid timeout ranges from 1 to 30.
    Default: 7
ddns-server-ip <IPv4_addr>
    Enter the IP address of the FortiDDNS service.
    Default: 0.0.0.0
ddns-server-port <port_int>
    Enter the port used for FortiDDNS service.
    Default: 443
load-balance-servers <number>
    Enter the number of FortiGuard servers to connect to. By default, the FortiGate unit always uses the first server in its FortiGuard server list to connect to the FortiGuard network and load-balance-servers is set to 1. You can increase this number up to 20 if you want the FortiGate unit to use a different FortiGuard server each time it contacts the FortiGuard network. If you set load-balance-servers to 2, the FortiGate unit alternates between checking the first two servers in the FortiGuard server list.
    Default: 1
port {53 | 8888 | 80}
    Enter the port to use for rating queries to the FortiGuard Web Filtering or FortiGuard Antispam service.
    Default: 53
source-ip <ip4_addr>
    Enter the source IP address used to communicate with the FortiGuard servers. This setting is not available if fortimanager-fds-override is enabled in system central-management.
    Default: 0.0.0.0
webfilter-cache {enable | disable}
    Enable or disable caching of FortiGuard Web Filtering query results, including category ratings for URLs.
    Enabling the cache can improve performance because the FortiGate unit does not need to access the FDN or FortiManager unit each time the same IP address or URL is requested. When the cache is full, the least recently used cache entry is replaced.
    Default: enable
webfilter-cache-ttl <ttl_int>
    Enter a time to live (TTL), in seconds, for web filtering cache entries. When the TTL expires, the cache entry is removed, requiring the FortiGate unit to query the FDN or FortiManager unit the next time that item occurs in scanned traffic. Valid TTL ranges from 300 to 86400 seconds.
    Default: 3600
webfilter-expiration
    The expiration date of the FortiGuard Web Filtering service contract.
    This variable can be viewed with the get command, but cannot be set.
    Default: N/A
webfilter-force-off {enable | disable}
    Enable to stop FortiGuard Webfilter service on this FortiGate unit.
    Default: disable
webfilter-license
    The interval of time between license checks for the FortiGuard Web Filtering service contract. Initially, this value is unknown, and is set after contacting the FDN to validate the FortiGuard Web Filtering license.
    This variable can be viewed with the get command, but cannot be set.
    Default: Unknown
webfilter-sdns-server-ip
    Enter the IP address of the FortiDNS server. This is used for DNS-based web filtering.
    Default: 0.0.0.0
webfilter-sdns-server-port
    Enter the TCP port of the FortiDNS server. This is used for DNS-based web filtering.
    Default: 443
webfilter-timeout <timeout_int>
    Enter the FortiGuard Web Filtering query timeout. Valid timeout ranges from 1 to 30 seconds.
    Default: 15
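The value ranges and allowed settings listed above can be checked mechanically when reviewing a saved configuration. The following Python is an added example, not Fortinet code: it audits a config system fortiguard block against the limits on this page and reports any force-off setting that stops a FortiGuard service. The function name audit_fortiguard and the sample configuration are constructed for illustration.

```python
import re

# Limits copied from the variable descriptions on this page.
RANGES = {"load-balance-servers": (1, 20)}
for svc in ("antispam", "avquery", "webfilter"):
    RANGES[svc + "-cache-ttl"] = (300, 86400)   # seconds
    RANGES[svc + "-timeout"] = (1, 30)          # seconds
for svc in ("antispam", "avquery"):
    RANGES[svc + "-cache-mpercent"] = (1, 15)   # percent of RAM
PORTS = {"53", "8888", "80"}
READ_ONLY = {f"{s}-{k}" for s in ("antispam", "avquery", "webfilter")
             for k in ("expiration", "license")}

def audit_fortiguard(config_text):
    """Return (variable, finding) pairs for the 'config system fortiguard' block."""
    findings, in_block = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system fortiguard":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block:
            m = re.match(r"set\s+(\S+)\s+(.+)$", line)
            if not m:
                continue
            name, value = m.group(1), m.group(2).strip('"')
            if name in READ_ONLY:
                findings.append((name, "view-only variable, cannot be set"))
            elif name in RANGES:
                lo, hi = RANGES[name]
                if not (value.isdigit() and lo <= int(value) <= hi):
                    findings.append((name, f"value {value} outside {lo}-{hi}"))
            elif name == "port" and value not in PORTS:
                findings.append((name, f"value {value} not one of 53, 8888, 80"))
            elif name.endswith("-force-off") and value == "enable":
                findings.append((name, "FortiGuard service stopped on this unit"))
    return findings

# Constructed sample input, not taken from a real device.
SAMPLE = """\
config system fortiguard
    set port 443
    set webfilter-cache-ttl 120
    set antispam-force-off enable
    set avquery-timeout 7
end
"""
```

Calling audit_fortiguard(SAMPLE) returns findings for port, webfilter-cache-ttl and antispam-force-off; settings outside the fortiguard block are ignored.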