Verifying connectivity with FortiGuard services
If you subscribe to FortiGuard Antivirus and/or FortiGuard Antispam services, your FortiMail unit needs to connect to the FortiGuard Distribution Network (FDN) in order to verify its license and use the services.
Your FortiMail unit may be able to connect using the default settings; however, you should confirm this by verifying connectivity.
 
FortiMail units use multiple connection types with the FDN. To completely verify connectivity, you should test each connection type by performing both of the following procedures.
 
 
You must first register the FortiMail unit with the Fortinet Technical Support web site, https://support.fortinet.com/, to receive service from the FDN. The FortiMail unit must also have a valid Fortinet Technical Support contract which includes service subscriptions, and be able to connect to the FDN or the FDS that you will configure to override the default FDS addresses. For port numbers required for license validation and update connections, see the appendix in the FortiMail Administration Guide.
Before performing the following procedure, if your FortiMail unit connects to the Internet using a proxy, use the CLI command config system fortiguard antivirus to enable the FortiMail unit to connect to the FDN through the proxy. For more information, see the FortiMail CLI Reference.
 
If the FortiMail unit connects to the Internet/FDN servers through a proxy, FortiMail can only get updates for the antivirus engine, antivirus signatures, and heuristic antispam rules from the FDN server. FortiMail cannot connect to the FDN server to perform realtime FortiGuard antispam queries through the proxy. In this case, you can only use a FortiManager unit locally as the override server.
To verify scheduled update connectivity
1. Go to Maintenance > FortiGuard > Update.
2. If you want your FortiMail unit to connect to a specific FDS other than the default for its time zone, enable Use override server address and enter the fully qualified domain name (FQDN) or IP address of the FDS.
 
If you want to use a FortiManager unit as the override server, enter the FortiManager IP address and port number (8890), such as 192.168.1.1:8890.
On the FortiManager side, use the following CLI command to enable FortiMail support. The default setting is disable.
config fmupdate support-pre-fgt43
set status enable
end
3. Click Apply.
4. Click Refresh.
A dialog appears, notifying you that the process could take a few minutes.
5. Click OK.
The FortiMail unit tests the connection to the FDN and, if any, the override server. Time required varies by the speed of the FortiMail unit’s network connection, and the number of timeouts that occur before the connection attempt is successful or the FortiMail unit determines that it cannot connect. When the connection test completes, the page refreshes. Test results are as follows:
Available: The FortiMail unit successfully connected to the FDN or override server.
Unavailable: The FortiMail unit could not connect to the FDN or override server, and cannot download updates from it. For CLI commands that may assist you in troubleshooting, see “To verify antispam rating query connectivity”.
6. When successful connectivity has been verified, continue by configuring the FortiMail unit to receive engine and definition updates from the FDN or override server using one or more of the following methods:
scheduled updates (see “Configuring scheduled updates”)
push updates (see “Configuring push updates”)
manually initiated updates (see “Manually requesting updates”)
To verify antispam rating query connectivity
1. Go to Maintenance > FortiGuard > AntiSpam.
2. Verify that Enable service is enabled. Also specify the FortiGuard server port (the default number is 53).
3. Specify a spam outbreak protection level. A higher level means stricter filtering. This feature temporarily holds email for a certain period of time (configurable with the CLI command config system fortiguard antispam set outbreak-protection-period) if the enabled FortiGuard antispam check (block IP and/or URI filter) returns no result (see “Configuring FortiGuard options”). After the specified time interval, FortiMail queries the FortiGuard server a second time. This gives the FortiGuard antispam service an opportunity to update its database in case a spam outbreak occurs.
4. If you want to use an override server, such as a local FortiManager unit, instead of the default FDN server, specify it by enabling the option and entering the server address.
5. Optionally enable cache and specify the cache TTL time. Enabling cache can improve performance.
6. For Query type under FortiGuard Query, select one of:
IP and enter a valid IP
URI and enter a valid URI
Hash and use the hash value of a spam email that you can find in the log messages
7. Click Query.
If the query is successful, the Query result field will display if the IP/URI is spam or unknown (not spam).
If the query is unsuccessful, the Query result field will display No response. In this case, you can use the following tips to troubleshoot the issue.
If the FortiMail unit can reach the DNS server, but cannot successfully resolve the domain name of the FDS, a message appears notifying you that a DNS error occurred.
8. Verify that the DNS servers contain A records to resolve service.fortiguard.net and other FDN servers. To try to obtain additional insight into the cause of the query failure, manually perform a DNS query from the FortiMail unit using the following CLI command:
execute nslookup name service.fortiguard.net
If the FortiMail unit cannot successfully connect, or if your FortiGuard Antispam license does not exist or has expired, a message appears notifying you that a connection error occurred.
9. Verify that:
there is no proxy in between FortiMail and the FDN server
your FortiGuard Antispam license is valid and currently active
the default route (located in System > Network > Routing) is correctly configured
the FortiMail unit can connect to the DNS servers (located in System > Network > DNS) and to the FDN servers
firewalls between the FortiMail unit and the Internet or override server allow FortiGuard Antispam rating query traffic.
The default port number for FortiGuard antispam query is UDP port 53 in v4.0. Prior to v4.0, the port number was 8889.
10. To try to obtain additional insight into the point of the connection failure, trace the connection using the following CLI command:
execute traceroute <address_ipv4>
where <address_ipv4> is the IP address of the DNS server or FDN server.
When query connectivity is successful, antispam profiles can use the FortiGuard option.
You can use the antispam log to monitor for subsequent query connectivity interruptions. When email sent through the FortiMail unit matches a policy and profile where the FortiGuard option is enabled, if the FortiMail unit cannot connect to the FDN and/or its license is not valid, and if Information-level logging is enabled, the FortiMail unit records a log message in the antispam log (located in Monitor > Log > AntiSpam) whose Log Id field is 0300023472 and whose Message field is:
FortiGuard-Antispam: No Answer from server.
11. Verify that the FortiGuard Antispam license is still valid, and that network connectivity has not been disrupted for UDP port 53 traffic from the FortiMail unit to the Internet.
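The antispam log check described above can be automated on a host that receives the exported log. The following Python script is an added example, not part of the FortiMail documentation or Fortinet code: it groups records with Log Id 0300023472 into outage windows so that a burst of failed queries is reported once. The key=value line layout, the field names (date, time, log_id, pri, msg) and the sample lines are assumptions constructed for illustration.

```python
import shlex
from datetime import datetime, timedelta

LOG_ID = "0300023472"  # Log Id given on this page
MESSAGE = "FortiGuard-Antispam: No Answer from server."

# Constructed sample lines; the key=value layout and the field names
# (date, time, log_id, pri, msg) are assumptions about the exported log.
SAMPLE_LOG = '''\
date=2024-01-10 time=09:00:05 log_id=0300023472 pri=information msg="FortiGuard-Antispam: No Answer from server."
date=2024-01-10 time=09:00:40 log_id=0300023472 pri=information msg="FortiGuard-Antispam: No Answer from server."
date=2024-01-10 time=09:01:10 log_id=0300099999 pri=information msg="unrelated constructed event"
date=2024-01-10 time=09:02:15 log_id=0300023472 pri=information msg="FortiGuard-Antispam: No Answer from server."
date=2024-01-10 time=11:30:00 log_id=0300023472 pri=information msg="FortiGuard-Antispam: No Answer from server."
malformed line without fields
'''

def parse_line(line):
    """Split one key=value log line into a dict; quoted values may contain spaces."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes in a damaged line
        return {}
    return dict(t.split("=", 1) for t in tokens if "=" in t)

def query_failures(text):
    """Yield the timestamp of every record matching the Log Id and Message."""
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("log_id") == LOG_ID and rec.get("msg") == MESSAGE:
            try:
                yield datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            except (KeyError, ValueError):  # record without a usable timestamp
                continue

def outage_windows(text, max_gap=timedelta(minutes=5)):
    """Group failures no more than max_gap apart into (first_seen, last_seen, count)."""
    windows = []
    for ts in sorted(query_failures(text)):
        if windows and ts - windows[-1][1] <= max_gap:
            first, _, count = windows[-1]
            windows[-1] = (first, ts, count + 1)
        else:
            windows.append((ts, ts, 1))
    return windows

if __name__ == "__main__":
    for first, last, count in outage_windows(SAMPLE_LOG):
        print(f"{first} -> {last}: {count} failed FortiGuard antispam queries")
```

A window that keeps growing points to the causes listed in step 11: an expired license or blocked UDP port 53 traffic.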