Chapter 18 Troubleshooting : ­Troubleshooting tools : FortiGuard troubleshooting : Troubleshooting process for FortiGuard updates
  
Troubleshooting process for FortiGuard updates
The following process are the logical steps to take when troubleshooting FortiGuard update problems. This includes antivirus (AV), intrusion protection services (IPS), antispam (AS), and web filtering (WB).
1. Does the device have a valid licence that includes these services?
Each device requires a valid FortiGuard license to access updates for some or all of these services. You can verify the support contract status for your devices at the Fortinet Support website — https://support.fortinet.com/.
2. If the device is part of an HA cluster, do all members of the cluster have the same level of support?
As with the previous step, you can verify the support contract status for all the devices in your HA cluster at the Fortinet Support website.
3. Have services been enabled on the device?
To see the FortiGuard information and status for a device, in the web-based manager go to System > Config > FortiGuard. On that page you can verify the status of each component, and if required enable each service. If there are problems, see the FortiGuard section of the FortiOS Handbook.
4. Is the device able to communicate with FortiGuard servers?
At System > Config > FortiGuard you can also attempt to update AV and IPS, or test the availability of WF and AS default and alternate ports. If there are problems, see the FortiGuard section of the FortiOS Handbook.
5. Is there proper routing to reach the FortiGuard servers?
Ensure there is a static or dynamic route that enables your ForitGate unit to reach the FortiGuard servers. Usually a generic default route to the internet is enough, but you may need to verify this if your network is complex.
6. Are there issues with DNS?
An easy way to test this is to attempt a traceroute from behind the FortiGate unit to an external network using the FQDN for a location. If the traceroute FQDN name does not resolve, you have general DNS problems.
7. Is there anything upstream that might be blocking FortiGuard traffic, either on the network or ISP side?
Many firewalls block all ports by default, and often ISPs block ports that are low. There may be a firewall between the FortiGate unit and the FortiGuard servers that is blocking the traffic. FortiGuard uses port 53 by default, so if it is being blocked you need to either open a hole for it, or change the port it is using.
8. Is there an issue with source ports?
It is possible that ports used to contact FortiGuard are being changed before reaching FortiGuard or on the return trip before reaching your FortiGate unit. A possible solution for this is to use a fixed-port at NATd firewalls to ensure the port remains the same. Packet sniffing can be used to find more information on what is happening with ports.
9. Are there security policies that include antivirus?
If no security policies include antivirus, the antivirus databse will not be updated. If antivirus is included, only the database type used will be updated.