Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Handbook

Connecting to FortiGuard services

After you have subscribed to FortiGuard services, configure your FortiADC to connect to the Internet so that it can reach the world-wide Fortinet Distribution Network (FDN) in order to:

  • verify its FortiGuard service licenses

  • download up-to-date signatures, IP lists, stolen account credentials, and engine packages

FortiADC appliances can often connect using the default settings. However, due to potential differences in routing and firewalls, you should confirm this by verifying connectivity.

You must first register the FortiADC appliance with Fortinet Customer Service & Support (https://support.fortinet.com/) to receive service from the FDN. The FortiADC appliance must also have a valid Fortinet Technical Support contract that includes service subscriptions and be able to connect to the FDN. For port numbers to use to validate the license and update connections, see Appendix B: Port Numbers.

Connecting your FortiADC to the FDN will enable FortiGuard to periodically update the WAF Signature Database, IP Reputation Database, and Geo IP Database. You can go to the FortiGuard website to download the update packages that you can upload to FortiADC, or you can schedule automatic updates. However, if you want to perform a manual update, you must download the update file from the FortiGuard website.

To determine your FortiGuard license status
  1. If your FortiADC appliance must connect to the Internet through an explicit (non-transparent) web proxy, configure the proxy connection (see Accessing FortiGuard via a proxy).
    If FortiADC is deployed in a closed network, you can also use FortiManager as a proxy and connect FortiADC with it to validate the license. Please note although FortiManager can provide FortiGuard security service updates to some Fortinet devices, for FortiADC, its FDS features can provide license validation only.
  2. Go to Dashboard > Main.
  3. In the Licenses widget, check the status icon for each service package.
    Valid — At the last attempt, the FortiADC appliance was able to successfully contact the FDN and validate its FortiGuard license. Continue with Scheduling automatic signature updates.
    Expired — At the last attempt, the license was either expired or FortiADC was unable to determine license status due to network connection errors with the FDN. See the following for how to verify the connection status.

    Your FortiADC appliance cannot detect the latest vulnerabilities and compliance violations unless it is licensed and has network connectivity to download current definitions from the FortiGuard service.


    If the connection did not succeed:
    • On FortiADC, verify the following settings:
      • time and time zone
      • DNS settings
      • network interface up/down status and IP
      • static routes
    • On your computer, use nslookup to verify that FortiGuard domain names are resolving (license authentication queries are sent to update.fortiguard.net):

      C:\Users\cschwartz>nslookup update.fortiguard.net

      Server: google-public-dns-a.google.com

      Address: 8.8.8.8


      Non-authoritative answer:

      Name: fds1.fortinet.com

      Addresses: 209.66.81.150

      209.66.81.151

      208.91.112.66

      Aliases: update.fortiguard.net


    • Check the configuration of any NAT or firewall devices that exist between the FortiADC appliance and the FDN or FDS server override. On FortiADC, enter the execute ping and execute traceroute commands to verify that connectivity from FortiADC to the Internet and FortiGuard is possible:

      FortiADC # exec traceroute update.fortiguard.net

      traceroute to update.fortiguard.net (209.66.81.150), 32 hops max, 84 byte packets

      1 192.0.2.2 0 ms 0 ms 0 ms

      2 209.87.254.221 <static-209-87-254-221.storm.ca> 4 ms 2 ms 3 ms

      3 209.87.239.161 <core-2-g0-3.storm.ca> 2 ms 3 ms 3 ms

      4 67.69.228.161 3 ms 4 ms 3 ms

      5 64.230.164.17 <core2-ottawa23_POS13-1-0.net.bell.ca> 3 ms 5 ms 3 ms

      6 64.230.99.250 <tcore4-ottawa23_0-4-2-0.net.bell.ca> 16 ms 17 ms 15 ms

      7 64.230.79.222 <tcore3-montreal01_pos0-14-0-0.net.bell.ca> 14 ms 14 ms 15 ms

      8 64.230.187.238 <newcore2-newyork83_so6-0-0_0> 63 ms 15 ms 14 ms

      9 64.230.187.42 <bxX5-newyork83_POS9-0-0.net.bell.ca> 21 ms 64.230.187.93 <BX5-NEWYORK83_POS12-0-0_core.net.bell.ca> 17 ms 16 ms

      10 67.69.246.78 <Abovenet_NY.net.bell.ca> 28 ms 28 ms 28 ms

      11 64.125.21.86 <xe-1-3-0.cr2.lga5.us.above.net> 29 ms 29 ms 30 ms

      12 64.125.27.33 <xe-0-2-0.cr2.ord2.us.above.net> 31 ms 31 ms 33 ms

      13 64.125.25.6 <xe-4-1-0.cr2.sjc2.us.above.net> 82 ms 82 ms 100 ms

      14 64.125.26.202 <xe-1-1-0.er2.sjc2.us.above.net> 80 ms 79 ms 82 ms

      15 209.66.64.93 <209.66.64.93.t01015-01.above.net> 80 ms 80 ms 79 ms

      16 209.66.81.150 <209.66.81.150.available.above.net> 83 ms 82 ms 81 ms

License validation with FortiManager

If FortiADC is deployed in a closed network, you can validate your FortiADC-VM license through FortiManager because it has the built-in FDS (FortiGuard Distribution Servers) feature. This requires FortiManager to have Internet connection. To configure FortiADC-VM to validate its license using FortiManager, before you upload the license, enter the following command:

config system fortiguard

set override-server-status enable

set override-server-address <fortimanager_ip>:8890

end

where <fortimanager_ip> is the IP address of the FortiManager. (TCP port 8890 is the port where the built-in FDS feature listens for requests.)

For more information on the FortiManager built-in FDS feature, see the FortiManager Administration Guide.

Although FortiManager can provide FortiGuard security service updates to some Fortinet devices, for FortiADC, its FDS features can provide license validation only.

To verify FortiGuard update connectivity
  1. If your FortiADC appliance must connect to the Internet (and therefore FDN) through an explicit (non-transparent) web proxy, first you must configure the proxy connection. For details, see Accessing FortiGuard via a proxy.
  2. Go to System > FortiGuard.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System category.
  3. If you want your FortiADC appliance to connect to a specific FDS other than the default for its time zone, enable Override Server address and enter the IP address and port number of an FDS in the format <FDS_ipv4>:<port_int>, such as 10.0.0.1:443, or enter the domain name of an FDS.
  4. Click Save.
  5. Click Update FortiGuard service definitions.
    The FortiADC appliance tests the connection to the FDN and the server you specified to override the default FDN server. The time required varies by the speed of the FortiADC appliance’s network connection, and by the number of timeouts that occur before the connection attempt is successful or the FortiADC appliance determines that it cannot connect. If you have enabled logging via Log Settings > Event, test results will be indicated in Event Log.
    If the connection test is successful, you would see this log message:

    VM License validated

    For more troubleshooting information, enter the following commands:

    diagnose debug enable

    diagnose debug module updated all


    These commands display cause additional information in your CLI console. For example:

    FortiADC # [update]: Poll timeout.

    FortiADC # *ATTENTION*: license registration status changed to 'VALID',please logout and re-login


    For example, poll (license and update request) timeouts can be caused by incorrectly configured static routes and DNS settings, links with high packet loss, and other basic connectivity issues. Unless you override the behavior with a specific FDS address (enable and configure Override Server address), FortiADC will connect to the FDN by communicating with the server closest according to the configured time zone. Timeouts can also be caused by configuring an incorrect time zone.

Accessing FortiGuard via a proxy

You can access FortiGuard via a web proxy server. Using the CLI, you can configure FortiADC to connect through an explicit (non-transparent) web proxy server to the FortiGuard Distribution Network (FDN) for signature updates. FortiADC connects to the proxy using the HTTP CONNECT method as described in RFC 2616 (http://tools.ietf.org/rfc/rfc2616.txt).

CLI Syntax

config system fortiguard

set tunneling-status enable

set tunneling-address 0.0.0.0

set tunneling-password mypassword

set tunneling-port 8080

set tunneling-username FortADC

end

For details, see the FortiADC CLI Reference: https://docs.fortinet.com/product/fortiadc/.

Connecting to FortiGuard services

After you have subscribed to FortiGuard services, configure your FortiADC to connect to the Internet so that it can reach the world-wide Fortinet Distribution Network (FDN) in order to:

  • verify its FortiGuard service licenses

  • download up-to-date signatures, IP lists, stolen account credentials, and engine packages

FortiADC appliances can often connect using the default settings. However, due to potential differences in routing and firewalls, you should confirm this by verifying connectivity.

You must first register the FortiADC appliance with Fortinet Customer Service & Support (https://support.fortinet.com/) to receive service from the FDN. The FortiADC appliance must also have a valid Fortinet Technical Support contract that includes service subscriptions and be able to connect to the FDN. For port numbers to use to validate the license and update connections, see Appendix B: Port Numbers.

Connecting your FortiADC to the FDN will enable FortiGuard to periodically update the WAF Signature Database, IP Reputation Database, and Geo IP Database. You can go to the FortiGuard website to download the update packages that you can upload to FortiADC, or you can schedule automatic updates. However, if you want to perform a manual update, you must download the update file from the FortiGuard website.

To determine your FortiGuard license status
  1. If your FortiADC appliance must connect to the Internet through an explicit (non-transparent) web proxy, configure the proxy connection (see Accessing FortiGuard via a proxy).
    If FortiADC is deployed in a closed network, you can also use FortiManager as a proxy and connect FortiADC with it to validate the license. Please note although FortiManager can provide FortiGuard security service updates to some Fortinet devices, for FortiADC, its FDS features can provide license validation only.
  2. Go to Dashboard > Main.
  3. In the Licenses widget, check the status icon for each service package.
    Valid — At the last attempt, the FortiADC appliance was able to successfully contact the FDN and validate its FortiGuard license. Continue with Scheduling automatic signature updates.
    Expired — At the last attempt, the license was either expired or FortiADC was unable to determine license status due to network connection errors with the FDN. See the following for how to verify the connection status.

    Your FortiADC appliance cannot detect the latest vulnerabilities and compliance violations unless it is licensed and has network connectivity to download current definitions from the FortiGuard service.


    If the connection did not succeed:
    • On FortiADC, verify the following settings:
      • time and time zone
      • DNS settings
      • network interface up/down status and IP
      • static routes
    • On your computer, use nslookup to verify that FortiGuard domain names are resolving (license authentication queries are sent to update.fortiguard.net):

      C:\Users\cschwartz>nslookup update.fortiguard.net

      Server: google-public-dns-a.google.com

      Address: 8.8.8.8


      Non-authoritative answer:

      Name: fds1.fortinet.com

      Addresses: 209.66.81.150

      209.66.81.151

      208.91.112.66

      Aliases: update.fortiguard.net


    • Check the configuration of any NAT or firewall devices that exist between the FortiADC appliance and the FDN or FDS server override. On FortiADC, enter the execute ping and execute traceroute commands to verify that connectivity from FortiADC to the Internet and FortiGuard is possible:

      FortiADC # exec traceroute update.fortiguard.net

      traceroute to update.fortiguard.net (209.66.81.150), 32 hops max, 84 byte packets

      1 192.0.2.2 0 ms 0 ms 0 ms

      2 209.87.254.221 <static-209-87-254-221.storm.ca> 4 ms 2 ms 3 ms

      3 209.87.239.161 <core-2-g0-3.storm.ca> 2 ms 3 ms 3 ms

      4 67.69.228.161 3 ms 4 ms 3 ms

      5 64.230.164.17 <core2-ottawa23_POS13-1-0.net.bell.ca> 3 ms 5 ms 3 ms

      6 64.230.99.250 <tcore4-ottawa23_0-4-2-0.net.bell.ca> 16 ms 17 ms 15 ms

      7 64.230.79.222 <tcore3-montreal01_pos0-14-0-0.net.bell.ca> 14 ms 14 ms 15 ms

      8 64.230.187.238 <newcore2-newyork83_so6-0-0_0> 63 ms 15 ms 14 ms

      9 64.230.187.42 <bxX5-newyork83_POS9-0-0.net.bell.ca> 21 ms 64.230.187.93 <BX5-NEWYORK83_POS12-0-0_core.net.bell.ca> 17 ms 16 ms

      10 67.69.246.78 <Abovenet_NY.net.bell.ca> 28 ms 28 ms 28 ms

      11 64.125.21.86 <xe-1-3-0.cr2.lga5.us.above.net> 29 ms 29 ms 30 ms

      12 64.125.27.33 <xe-0-2-0.cr2.ord2.us.above.net> 31 ms 31 ms 33 ms

      13 64.125.25.6 <xe-4-1-0.cr2.sjc2.us.above.net> 82 ms 82 ms 100 ms

      14 64.125.26.202 <xe-1-1-0.er2.sjc2.us.above.net> 80 ms 79 ms 82 ms

      15 209.66.64.93 <209.66.64.93.t01015-01.above.net> 80 ms 80 ms 79 ms

      16 209.66.81.150 <209.66.81.150.available.above.net> 83 ms 82 ms 81 ms

License validation with FortiManager

If FortiADC is deployed in a closed network, you can validate your FortiADC-VM license through FortiManager because it has the built-in FDS (FortiGuard Distribution Servers) feature. This requires FortiManager to have Internet connection. To configure FortiADC-VM to validate its license using FortiManager, before you upload the license, enter the following command:

config system fortiguard

set override-server-status enable

set override-server-address <fortimanager_ip>:8890

end

where <fortimanager_ip> is the IP address of the FortiManager. (TCP port 8890 is the port where the built-in FDS feature listens for requests.)

For more information on the FortiManager built-in FDS feature, see the FortiManager Administration Guide.

Although FortiManager can provide FortiGuard security service updates to some Fortinet devices, for FortiADC, its FDS features can provide license validation only.

To verify FortiGuard update connectivity
  1. If your FortiADC appliance must connect to the Internet (and therefore FDN) through an explicit (non-transparent) web proxy, first you must configure the proxy connection. For details, see Accessing FortiGuard via a proxy.
  2. Go to System > FortiGuard.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System category.
  3. If you want your FortiADC appliance to connect to a specific FDS other than the default for its time zone, enable Override Server address and enter the IP address and port number of an FDS in the format <FDS_ipv4>:<port_int>, such as 10.0.0.1:443, or enter the domain name of an FDS.
  4. Click Save.
  5. Click Update FortiGuard service definitions.
    The FortiADC appliance tests the connection to the FDN and the server you specified to override the default FDN server. The time required varies by the speed of the FortiADC appliance’s network connection, and by the number of timeouts that occur before the connection attempt is successful or the FortiADC appliance determines that it cannot connect. If you have enabled logging via Log Settings > Event, test results will be indicated in Event Log.
    If the connection test is successful, you would see this log message:

    VM License validated

    For more troubleshooting information, enter the following commands:

    diagnose debug enable

    diagnose debug module updated all


    These commands display cause additional information in your CLI console. For example:

    FortiADC # [update]: Poll timeout.

    FortiADC # *ATTENTION*: license registration status changed to 'VALID',please logout and re-login


    For example, poll (license and update request) timeouts can be caused by incorrectly configured static routes and DNS settings, links with high packet loss, and other basic connectivity issues. Unless you override the behavior with a specific FDS address (enable and configure Override Server address), FortiADC will connect to the FDN by communicating with the server closest according to the configured time zone. Timeouts can also be caused by configuring an incorrect time zone.

Accessing FortiGuard via a proxy

You can access FortiGuard via a web proxy server. Using the CLI, you can configure FortiADC to connect through an explicit (non-transparent) web proxy server to the FortiGuard Distribution Network (FDN) for signature updates. FortiADC connects to the proxy using the HTTP CONNECT method as described in RFC 2616 (http://tools.ietf.org/rfc/rfc2616.txt).

CLI Syntax

config system fortiguard

set tunneling-status enable

set tunneling-address 0.0.0.0

set tunneling-password mypassword

set tunneling-port 8080

set tunneling-username FortADC

end

For details, see the FortiADC CLI Reference: https://docs.fortinet.com/product/fortiadc/.