FortiGuard

The FortiGuard Distribution Network (FDN) of servers provides updates to antivirus, antispam and IPS definitions to your FortiGate. Worldwide coverage of FortiGuard services is provided by FortiGuard service points. FortiGuard Subscription Services provide comprehensive Unified Threat Management (UTM) security solutions to enable protection against content and network level threats.

The FortiGuard team can be found around the globe, monitoring virus, spyware and vulnerability activity. As vulnerabilities are found, signatures are created and pushed to the subscribed FortiGates. The Global Threat Research Team enables Fortinet to deliver multi-layered security intelligence and true zero-day protection from new and emerging threats. The FortiGuard Network has data centers around the world, located in secure, high-availability facilities, that automatically deliver updates to the Fortinet security platforms and so protect the network with the most up-to-date information.

The FortiGuard services provide a number of services to monitor world-wide activity and provide the best possible security:

  • Intrusion Prevention System (IPS) - The FortiGuard Intrusion Prevention System (IPS) uses a customizable database of more than 4000 known threats to stop attacks that evade conventional firewall defenses. It also provides behavior-based heuristics, enabling the system to recognize threats when no signature has yet been developed. It also provides more than 1000 application identity signatures for complete application control.
  • Application Control - Application Control allows you to identify and control applications on networks and endpoints regardless of port, protocol, and IP address used. It gives you unmatched visibility and control over application traffic, even traffic from unknown applications and sources.
  • AntiVirus - The FortiGuard AntiVirus Service provides fully automated updates to ensure protection against the latest content-level threats. It employs advanced virus, spyware and heuristic detection engines to prevent both new and evolving threats from gaining access to your network and protects against vulnerabilities.
  • Web Filtering - Web Filtering provides Web URL filtering to block access to harmful, inappropriate, and dangerous web sites that may contain phishing/pharming attacks, malware such as spyware, or objectionable content that can expose your organization to legal liability. Based on automatic research tools and targeted research analysis, real-time updates enable you to apply highly-granular policies that filter web access based on 78 web content categories, over 45 million rated web sites, and more than two billion web pages - all continuously updated.
  • Vulnerability Scanning - FortiGuard Services provide comprehensive and continuous updates for vulnerabilities, remediation, patch scan, and configuration benchmarks.
  • Email Filtering - The FortiGuard Antispam Service uses both a sender IP reputation database and a spam signature database, along with sophisticated spam filtering tools on Fortinet appliances and agents, to detect and block a wide range of spam messages. Updates to the IP reputation and spam signature databases are provided continuously via the FDN.
  • Messaging Services - Messaging Services allow a secure email server to be automatically enabled on your FortiGate to send alert email or send email authentication tokens. With the SMS gateway, you can enter phone numbers where the FortiGate will send the SMS messages. Note that depending on your carrier, there may be a slight time delay on receiving messages.
  • DNS and DDNS - The FortiGuard DNS and DDNS services provide an efficient method of DNS lookups once subscribed to the FortiGuard network. This is the default option. The FortiGate connects automatically to the FortiGuard DNS server. If you do not register, you need to configure an alternate DNS server.

    Configure the DDNS server settings using the CLI commands:

config system fortiguard
    set ddns-server-ip <ip_address>
    set ddns-server-port <port>
end

 

Support Contract and FortiGuard Subscription Services

The Support Contract and FortiGuard Subscription Services sections are displayed in abbreviated form within the License Information widget. A detailed version is available by going to System > FortiGuard.

The Support Contract area displays the availability or status of your FortiGate’s support contract. The status displays can be either Unreachable, Not Registered, or Valid Contract.

The FortiGuard Subscription Services area displays detailed information about your FortiGate’s support contract and FortiGuard subscription services. On this page, you can also manually update the antivirus and IPS engines.

The status icon for each section indicates the state of the subscription service. The icon corresponds to the availability description:

  • Gray (Unreachable) – the FortiGate is not able to connect to service.
  • Orange (Not Registered) – the FortiGate can connect, but not subscribed.
  • Yellow (Expired) – the FortiGate had a valid license that has expired.
  • Green (Valid license) – the FortiGate can connect to FDN and has a registered support contract. If the Status icon is green, the expiry date also appears.

Verifying your Connection to FortiGuard

If you are not getting FortiGuard web filtering or antispam services, there are a few things to verify to confirm that communication with the FortiGuard Distribution Network (FDN) is working. Before any troubleshooting, ensure that the FortiGate has been registered and that you or your company has subscribed to the FortiGuard services.

Verification - GUI

The simplest method to check that the FortiGate is communicating with the FDN, is to check the License Information dashboard widget. Any subscribed services should have a green check mark beside them indicating that connections are successful. Any other icon indicates a problem with the connection, or you are not subscribed to the FortiGuard services.

You can also view the FortiGuard connection status by going to System > FortiGuard.

Verification - CLI

You can also use the CLI to see what FortiGuard servers are available to your FortiGate. First confirm basic reachability by pinging the FDN from the FortiGate CLI:

execute ping guard.fortinet.net

You can also use a diagnose command to find out what FortiGuard servers are available:

diagnose debug rating

From this command, you will see output similar to the following:

Locale : english
License : Contract
Expiration : Sun Jul 24 20:00:00 2011
Hostname : service.fortiguard.net

-=- Server List (Tue Nov 2 11:12:28 2010) -=-

IP              Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost
69.20.236.180   0       10          -5  77200    0          42
69.20.236.179   0       12          -5  52514    0          34
66.117.56.42    0       32          -5  34390    0          62
80.85.69.38     50      164         0   34430    0          11763
208.91.112.194  81      223  D      -8  42530    0          8129
216.156.209.26  286     241  DI     -8  55602    0          21555

The list is normally extensive. If you see only three to five servers, DNS resolution of service.fortiguard.net is working (those entries are the addresses the hostname resolved to), but the FortiGate's INIT requests are not reaching the FDS service on those servers, so the full server list has never been retrieved.

The rating flags indicate the server status:

  • D - the server was found via the DNS lookup of the hostname. If the hostname returns more than one IP address, all of them are flagged with D and are used first for INIT requests before falling back to the other servers.
  • I - the server to which the last INIT request was sent.
  • F - the server has not responded to requests and is considered to have failed.
  • T - the server is currently being timed.

The server list is sorted first by weight; the server with the smallest RTT is then placed at the top of the list regardless of its weight. When a packet is lost, it is resent to the next server in the list.

The weight of each server increases with failed packets and decreases with successful packets. To lower the chance of using a faraway server, the weight is never allowed to drop below a base weight, calculated as the time zone difference in hours between the FortiGate and the server (the TZ column) multiplied by 10. The further away a server is, the higher its base weight and the lower in the list it appears. The output above is consistent with a FortiGate in time zone -5: the three TZ -5 servers sit at weight 0, while 80.85.69.38 in TZ 0 has a weight of 50 (5 hours x 10) with no current packet loss, so its weight is exactly its base weight.

Port assignment

FortiGates contact the FortiGuard Distribution Network (FDN) for the latest list of FDN servers by sending UDP packets with typical source ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets have a destination port of 1027 or 1031.

If your ISP blocks UDP packets in this port range, the FortiGate cannot receive the FDN reply packets. As a result, the FortiGate will not receive the complete FDN server list.

If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate to use higher-numbered source ports with the following CLI command:

config system global
    set ip-src-port-range <start port>-<end port>
end

where <start port> and <end port> are numbers from 1024 to 25000.

For example, the following configures the FortiGate to use no source ports lower than 2048 or higher than 20000:

config system global
    set ip-src-port-range 2048-20000
end


Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use. Push updates might be unavailable if:

  • there is a NAT device installed between the unit and the FDN
  • your unit connects to the Internet using a proxy server.

FortiCloud is a hosted security management and log retention service for FortiGate products. It gives you a centralized reporting, traffic analysis, configuration and log retention without the need for additional hardware and software.

Sending malware statistics to FortiGuard

To support the tracking of malware trends and the discovery of zero-day threats, FortiGate units send encrypted statistics to FortiGuard about IPS, Application Control and AntiVirus events detected by the FortiGuard services running on your FortiGate. FortiGuard uses the collected statistics to balance performance against security effectiveness by moving inactive signatures to an extended signature database.

The statistics include some non-personal information that identifies your FortiGate and its country. The information is never shared with external parties. You can choose to disable the sharing of this information by entering the following CLI command.

config system global
    set fds-statistics disable
end

Configuring AntiVirus and IPS Options

Go to System > FortiGuard, and expand the AV and IPS Options section to configure the antivirus and IPS options for connecting and downloading definition files.

Use override server address
    Select to configure an override server if you cannot connect to the FDN or if your organization provides updates using its own FortiGuard server.

Allow Push Update
    Select to allow updates to be sent automatically to your FortiGate when they are available.

Allow Push Update status icon
    The status of the FortiGate for receiving push updates:
      • Gray (Unreachable) - the FortiGate is not able to connect to the push update service.
      • Yellow (Not Available) - the push update service is not available with your current support license.
      • Green (Available) - the push update service is allowed.

Use override push IP and Port
    Available only if both Use override server address and Allow Push Update are enabled. Enter the IP address and port of the NAT device in front of your FortiGate. FDS connects to this address when attempting to reach the FortiGate. The NAT device must be configured to forward the FDS traffic to the FortiGate on UDP port 9443.

Schedule Updates
    Select this check box to have updates downloaded to your FortiGate at a specific time. For example, to minimize traffic lag, you can schedule the update to occur on weekends or after work hours. Note that with a once-a-week schedule, any urgent update is not downloaded until the scheduled time; if an urgent update is required, select the Update Now button.

Update Now
    Select to manually initiate an FDN update.

Submit attack characteristics (recommended)
    Select to help Fortinet maintain and improve IPS signatures. The information is sent to the FortiGuard servers when an attack occurs and can be used to keep the database current as variants of attacks evolve.

Manual updates

To manually update the signature definitions file, first go to the Support web site at https://support.fortinet.com. Once logged in, select FortiGuard Service Updates from the Download area of the page. The browser presents the most current antivirus and IPS signature definitions, which you can download.

Once downloaded to your computer, log into the FortiGate to load the definition file.

To load the definition file onto the FortiGate
  1. Go to System > FortiGuard.
  2. Select the Update link for either AV Definitions or IPS Definitions.
  3. Locate the downloaded file and select OK.

The upload may take a few minutes to complete.

Automatic updates

The FortiGate can be configured to request updates from the FortiGuard Distribution Network. You can configure this to be on a scheduled basis, or with push notifications.

Scheduling updates

Scheduling updates ensures that the virus and IPS definitions are downloaded to your FortiGate on a regular basis, so that you do not have to remember to check for new definition files yourself. Note that updating definitions can cause a very short disruption to traffic currently being scanned while the FortiGate applies the new signature database. Scheduling updates during off-peak hours, such as evenings or weekends when network usage is minimal, ensures that network activity does not suffer from the added traffic of downloading the definition files.

To enable scheduled updates - GUI
  1. Go to System > FortiGuard.
  2. Click the Expand Arrow for AV and IPS Options.
  3. Select the Scheduled Update check box.
  4. Select the frequency of the updates and when within that frequency.
  5. Select Apply.
To enable scheduled updates - CLI

config system autoupdate schedule
    set status enable
    set frequency {every | daily | weekly}
    set time <hh:mm>
    set day <day_of_week>
end

Push updates

Push updates enable you to get immediate updates when new viruses or intrusions have been discovered and new signatures created. This ensures that the latest signature is sent to the FortiGate as soon as it is available.

When a push notification occurs, the FortiGuard server sends a notice to the FortiGate that a new signature definition file is available. The FortiGate then initiates a download of the definition file, in the same way as a scheduled update.

To ensure maximum security for your network, configure a scheduled update and also enable push updates, so that an urgent signature created between scheduled updates (for example, when your schedule runs only weekly) still reaches the FortiGate without delay.

To enable push updates - GUI
  1. Go to System > FortiGuard.
  2. Click the Expand Arrow for AV and IPS Options.
  3. Select Allow Push Update.
  4. Select Apply.
To enable push updates - CLI

config system autoupdate push-update
    set status enable
end

Push IP override

If the FortiGate is behind another NAT device (or another FortiGate), to ensure it receives the push update notifications, you need to use an override IP address for the notifications. To do this, you create a virtual IP to map to the external port of the NAT device.

Generally speaking, if there are two FortiGate devices as in the diagram below, the following steps need to be completed on the FortiGate NAT device to ensure the FortiGate on the internal network receives the updates:

  • Add a port forwarding virtual IP to the FortiGate NAT device that connects to the Internet by going to Firewall Objects > Virtual IP.
  • Add a security policy to the FortiGate NAT device that connects to the Internet that includes the port forwarding virtual IP.
  • Configure the FortiGate on the internal network with an override push IP and port.

On the internal FortiGate, the NAT device's virtual IP address is entered as the Use override push IP and Port address.

To enable push update override - GUI
  1. Go to System > FortiGuard.
  2. Under AV and IPS Options, enable Allow Push Update.
  3. Enable Use override push IP and Port.
  4. Enter the virtual IP address (and port) configured on the NAT device.
  5. Select Apply.
To enable push update override - CLI

config system autoupdate push-update
    set status enable
    set override enable
    set address <vip_address>
end
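The three steps above carried through on a two-FortiGate setup, as an added worked example that is not part of the original handbook text. All names and addresses are assumptions for illustration: the NAT FortiGate's Internet-facing interface is wan1 with public address 203.0.113.10, its LAN interface is internal, and the internal FortiGate is 192.168.1.2. Lines beginning with # are annotations, not CLI input; replace the placeholder values with your own.

```fortios
# --- On the FortiGate NAT device (Internet-facing) ---
# 1. Port-forwarding virtual IP: map only UDP 9443 on the public address
#    (assumed 203.0.113.10 on wan1) to the internal FortiGate (assumed
#    192.168.1.2). Forwarding a single port, not the whole host, keeps the
#    exposure limited to the push notification channel.
config firewall vip
    edit "fdn-push-override"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol udp
        set extport 9443
        set mappedip 192.168.1.2
        set mappedport 9443
    next
end

# 2. A custom service limited to UDP 9443, and an inbound policy that uses
#    the VIP as its destination with that service only, so the policy does
#    not accept anything else toward the internal FortiGate.
config firewall service custom
    edit "FDN-PUSH"
        set udp-portrange 9443
    next
end

config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "fdn-push-override"
        set action accept
        set schedule "always"
        set service "FDN-PUSH"
    next
end

# --- On the internal FortiGate ---
# 3. Tell FDS to send push notifications to the NAT device's public address
#    and port; the VIP above delivers them to UDP 9443 on this unit.
config system autoupdate push-update
    set status enable
    set override enable
    set address 203.0.113.10
    set port 9443
end
```

After applying this, check the Allow Push Update status icon under System > FortiGuard on the internal FortiGate: green (Available) means the push service is reachable through the NAT device. The VIP forwards one UDP port and the policy's service is restricted to the same port, so the public address exposes nothing beyond the push notification channel.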

 

Configuring Web Filtering and Email Filtering Options

Go to System > FortiGuard, and expand arrow to view Web Filtering and Email Filtering Options for setting the size of the caches and ports used.

Web Filter cache TTL
    Set the Time To Live value: the number of seconds the FortiGate stores a blocked IP or URL locally, saving the time and network traffic of checking with the FortiGuard server again. Once the TTL has expired, the FortiGate contacts an FDN server to verify the web address again. The TTL must be between 300 and 86400 seconds.

Antispam cache TTL
    Set the Time To Live value: the number of seconds the FortiGate stores an antispam lookup result (a spam source IP address or email address) locally, saving the time and network traffic of checking with the FortiGuard server again. Once the TTL has expired, the FortiGate contacts an FDN server to verify the sender again. The TTL must be between 300 and 86400 seconds.

Port Section
    Select the port assignments for contacting the FortiGuard servers. Select the Test Availability button to verify the connection using the selected port.

To have a URL's category rating re-evaluated, please click here
    Select to re-evaluate a URL's category rating on the FortiGuard Web Filter service.

Email filtering

The FortiGuard data centers monitor and update databases of known spam sources. With FortiGuard Antispam filtering enabled, the FortiGate checks incoming email sender addresses and IPs against these databases and takes the action defined in the antispam profile.

Spam source IP addresses can also be cached locally on the FortiGate. This gives a quicker response for repeated lookups and eases the load on the FortiGuard servers, which in turn speeds up responses for the less common sender lookups that still have to go to FDN.

By default, the antispam cache is enabled. The cache includes a time-to-live (TTL) value, which is the amount of time an email address will stay in the cache before expiring. You can change this value to shorten or extend the time between 5 and 1,440 minutes.

To modify the antispam cache TTL - GUI
  1. Go to System > FortiGuard.
  2. Under Filtering, enable Anti-Spam Cache.
  3. Enter the TTL value in minutes.
  4. Select Apply.
To modify the antispam cache TTL - CLI

config system fortiguard
    set antispam-cache-ttl <integer>
end

The CLI value is in seconds (300 to 86400), whereas the GUI field is in minutes.

Further antispam filtering options can be configured to block, allow or quarantine specific email addresses. These configurations are available through the Security Profiles > Antispam menu. For more information, see the Security Profiles handbook chapter.

Online Security Tools

The FortiGuard online center provides a number of online security tools that enable you to verify or check the ratings of web sites and email addresses, as well as check files for viruses:

  • URL lookup - By entering a web site address, you can see if it has been rated and what category and classification it is filed as. If you find your web site or a site you commonly go to has been wrongly categorized, you can use this page to request that the site be re-evaluated.
    https://fortiguard.com/webfilter
  • IP and signature lookup - The IP and signature lookup enables you to check whether an IP address is blacklisted in the FortiGuard IP reputation database or whether a URL or email address is in the signature database.
    https://fortiguard.com/webfilter
  • Online virus scanner - If you discover a suspicious file on your machine, or suspect that a program you downloaded from the Internet might be malicious you can scan it using the FortiGuard online scanner. The questionable file can be uploaded from your computer to a dedicated server where it will be scanned using FortiClient Antivirus. Only one file of up to 1 MB can be checked at any one time. All files will be forwarded to our research labs for analysis.
    https://fortiguard.com/virusscanner
  • Malware removal tools - FortiGuard Labs develops and maintains tools to disable and remove specific malware and related variants. Some tools have been developed to remove specific malware that is often tough to remove. A universal cleaning tool, FortiCleanup, is also available for download.
    The FortiCleanup is a tool developed to identify and cleanse systems of malicious rootkit files and their associated malware. Rootkits consist of code installed on a system with kernel level privileges, often used to hide malicious files, keylog and thwart detection / security techniques. The aim of this tool is to reduce the effectiveness of such malware by finding and eliminating rootkits. The tool offers a quick memory scan as well as a full system scan. FortiCleanup will not only remove malicious files, but also can cleanse registry entries, kernel module patches, and other tricks commonly used by rootkits - such as SSDT hooks and process enumeration hiding.
    A license to use these applications is provided free of charge, courtesy of Fortinet.
    https://fortiguard.com/malwareremoval