6.2.0
FortiGuard

FortiGuard services can be purchased and registered to your FortiGate unit. The FortiGate must be connected to the Internet in order to automatically connect to the FortiGuard Distribution Network (FDN) to validate the license and download FDN updates.

The FortiGuard subscription update services include:

  • AntiVirus (AV)
  • Intrusion Protection Service (IPS)
  • Application Control
  • Anti-Spam
  • Web Filtering
  • Web Application Firewall (WAF)

The FDN sends notice that a FortiGuard AntiVirus and IPS update is available on UDP/9443.

The following sections cover the requirements for a FortiGate to receive FortiGuard updates through the FDN, how the submission of malware statistics to FortiGuard is handled, the automatic update behavior when a FortiGate has expired licenses, and the related CLI commands.

Enabling FDN updates and FortiGuard services

In order to receive FortiGuard subscription updates, the unit needs to have access to the Internet and be able to connect to a DNS server in order to resolve the following URLs:

  • update.fortiguard.net: For AV and IPS updates.
  • service.fortiguard.net: For web filtering and anti-spam updates.
  • support.fortinet.com

To configure scheduled AV and IPS updates in the GUI:

  1. Go to System > FortiGuard.
  2. Under AntiVirus & IPS Updates, enable Scheduled Updates, and configure an update schedule.
  3. You can force the unit to connect to the AV/IPS server by selecting Update AV & IPS Definitions.
  4. You can view your subscription details above in the License Information table.
  5. Once the schedule has been enabled, select Apply.

To verify that the FortiGuard servers are reachable, open the CLI console and enter the following commands:

For Web Filtering:

diagnose debug rating

For Anti-Spam:

diagnose spamfilter fortishield servers

If only one or two IPs are displayed in the command outputs, it could be one of the following issues:

  • No response from the DNS server: Either the DNS server is unreachable or there is a problem with the routing. Make sure that contact to the DNS server is available by resolving some URLs from the CLI, for example:

    execute ping www.google.com

    execute ping service.fortiguard.net

You can also

  • Review update errors: Review update information from the last update, enable debug outputs and force the update:

    diagnose test update info
    diagnose debug enable
    diagnose debug application update 255
    execute update-ase
    execute update-av
    execute update-ips

    After troubleshooting, it is highly recommended to turn off debug mode:

    diagnose debug disable
    diagnose debug application update 0

  • FortiGuard Web Filtering: Port blocking or packet inspection is occurring downstream. The default port used for FortiGuard services is 8888.

    You can change this port using the following command:

    config system fortiguard
        set port <port_number>
    end

    You can also change the source port for management traffic with the following CLI command:

    config system global
        set ip-src-port-range 1035-25000
    end

    diagnose test application urlfilter 99
    diagnose test application smtp 99

Submission of malware statistics to FortiGuard

FortiGates periodically send encrypted AntiVirus, IPS, botnet IP list, and Application Control event statistics to FortiGuard. Included with these malware statistics is the IP address and serial number of the FortiGate and the country in which the FortiGate is located.

The statistics are used to improve various aspects of FortiGate malware protection. For example, AntiVirus statistics allow FortiGuard to determine the viruses that are active in the wild. Signatures for such viruses are kept in the Active AV Signature Database that is used by many Fortinet products. Signatures for inactive viruses are moved to the Extended/Extreme AV Signature Database used by some customers. If the events for inactive viruses start appearing in malware statistics, these signatures can be moved back to the Active AV Signature Database.

The FortiGate and FortiGuard servers go through a 2-way SSL/TLS 1.2 authentication before any data is transmitted. The certificates used in this process must be trusted by each other and signed by the Fortinet CA server.

Malware statistics are accumulated and sent periodically (by default every 60 minutes).

Fortinet products can only accept data from authorized FortiGuard servers. Fortinet products use DNS to find FortiGuard servers and periodically update their FortiGuard server list. All other servers are provided by a list that is updated through the encrypted channel.

Note

The submission of malware data is in accordance with Fortinet's “Automatically-Collected Information” detailed in the Fortinet Privacy Policy, and the purpose of this collection is outlined in the “Use of your Information” section of the privacy policy.

There is no sensitive or personal information included in these submissions. Only malware statistics are sent.

Fortinet uses the malware statistics collected in this manner to improve the performance of the FortiGate services and to display statistics on the Fortinet Support website for customers' registered FortiGate devices.

Fortinet may also publish or share statistics or results derived from this malware data with various audiences. The malware statistics shared in this way do not include any customer data.

To enable, disable, and/or customize how often statistics are sent to FortiGuard, use the following command:

CLI syntax

config system global
    set fds-statistics {enable | disable}
    set fds-statistics-period <minutes>
end

In addition to secure submission of statistics to FortiGuard, there are other mechanisms in place to prevent unauthorized FortiGuard updates from clients:

  • The server certificate has to be authenticated by FortiGates, and it only trusts Fortinet's root certificate.
  • Proprietary encryption (including FGCP, an application-level proprietary protocol) that only Fortinet's own servers/devices can prepare.

FortiGates can only accept data from Fortinet's own list of servers, although the list can be updated through previously connected servers. DNS is used only to find the initial server; all other servers are provided by a list that is updated through SSL, so FortiGates accept data only from those servers.

Automatic update at every GUI login

FortiGates running FortiOS 5.6.1 and above may perform automatic "update now" updates when one of the "core" licenses is unavailable: Application Control, IPS, or AntiVirus. Please note that this automatic update is triggered even if the following CLI command is set:

config system autoupdate schedule
    set status disable
end

CLI syntax

The following section contains commands to control FortiGuard.

system autoupdate push-update

The following command will set the FDN push update port:

config system autoupdate push-update
    set port <integer>
end

system autoupdate tunneling

The following command will set the proxy server port that the FortiGate will use to connect to the FortiGuard Distribution Network (FDN):

config system autoupdate tunneling
    set port <integer>
end

system fortiguard

The following command will set the port by which scheduled FortiGuard service updates will be received:

config system fortiguard
    set port {53 | 8888 | 80}
end

webfilter fortiguard

The following command will close ports used for HTTPS/HTTP override authentication and disable user overrides:

config webfilter fortiguard
    set close-ports {enable | disable}
end
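The following is an added example, not Fortinet code or output from a FortiGate: it runs offline against a saved FortiOS configuration fragment and checks the settings covered on this page (the allowed `system fortiguard` port values, `fds-statistics` in `system global`, and the `system autoupdate schedule` status), and it separately reports which of the required FDN hostnames fail to resolve. The `resolve` parameter is an assumption added so the DNS check can be exercised without network access; the sample fragment is constructed.

```python
"""Offline pre-check of FortiGuard-related FortiOS settings (illustration only)."""
import socket

# Hostnames the page lists as required to be resolvable.
FDN_HOSTS = ("update.fortiguard.net", "service.fortiguard.net", "support.fortinet.com")
# Values documented for 'config system fortiguard / set port'.
ALLOWED_FORTIGUARD_PORTS = {"53", "8888", "80"}


def parse_fortios_config(text):
    """Parse flat 'config <table> / set <key> <value> / end' blocks into
    {table: {key: value}}; nested 'edit' entries are not needed here."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = line[len("config "):]
            tables.setdefault(current, {})
        elif line.startswith("set ") and current is not None:
            key, _, value = line[len("set "):].partition(" ")
            tables[current][key] = value.strip()
        elif line == "end":
            current = None
    return tables


def audit_fortiguard_settings(text):
    """Return a list of findings; an empty list means nothing looked off."""
    cfg = parse_fortios_config(text)
    findings = []
    port = cfg.get("system fortiguard", {}).get("port")
    if port is not None and port not in ALLOWED_FORTIGUARD_PORTS:
        findings.append(f"system fortiguard port {port} is not one of 53/8888/80")
    if cfg.get("system global", {}).get("fds-statistics") == "disable":
        findings.append("fds-statistics is disabled: no malware statistics are sent")
    if cfg.get("system autoupdate schedule", {}).get("status") == "disable":
        findings.append("scheduled FortiGuard updates are disabled")
    return findings


def unresolvable_fdn_hosts(resolve=socket.gethostbyname, hosts=FDN_HOSTS):
    """Names that fail to resolve; 'resolve' is injectable so tests run offline."""
    bad = []
    for host in hosts:
        try:
            resolve(host)
        except OSError:
            bad.append(host)
    return bad


# Constructed sample with a non-standard port and two disabled settings.
SAMPLE = ("config system fortiguard\n    set port 4443\nend\n"
          "config system global\n    set fds-statistics disable\nend\n"
          "config system autoupdate schedule\n    set status disable\nend\n")
```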

For more information, including FortiGuard execute commands used to manage FortiCloud domains and operations, see the CLI Reference.
