Fortinet black logo

Cookbook

Troubleshooting process for FortiGuard updates

Troubleshooting process for FortiGuard updates

The following process shows the logical steps you should take when troubleshooting problems with FortiGuard updates:

  1. Does the device have a valid license that includes these services?

    Each device requires a valid FortiGuard license to access updates for some or all of these services. You can verify the status of the support contract for your devices at the Fortinet Support website.

  2. If the device is part of a high availability (HA) cluster, do all members of the cluster have the same level of support?

    You can verify the status of the support contract for all of the devices in your HA cluster at the Fortinet Support website.

  3. Are services enabled on the device?

    To see the FortiGuard information and status for a device in the GUI, go to System > FortiGuard.

    Use this page to verify the status of each component, and enable each service.

  4. Can the device communicate with FortiGuard servers?

    Go to System > FortiGuard in the GUI, and try to update AntiVirus and IPS, or test the availability of Web Filtering and AS default and alternate ports.

  5. Is there proper routing to reach the FortiGuard servers?

    Ensure there is a static or dynamic route that allows your FortiGate to reach the FortiGuard servers. Usually a generic default route to the internet is enough, but you may need to verify this if your network is complex.

  6. Are there issues with DNS?

    An easy way to test this is to attempt a traceroute from behind the FortiGate to an external network using the Fully Qualified Domain Name (FQDN) for a location. If the traceroute FQDN name doesn't resolve, you have general DNS problems.

  7. Is there anything upstream that might be blocking FortiGuard traffic, either on the network or ISP side?

    Many firewalls block all ports, by default, and ISPs often block ports that are low. There may be a firewall between the FortiGate and the FortiGuard servers that's blocking the traffic. By default, FortiGuard uses port 53. If that port is blocked you need to either open a hole for it or change the port it is using.

  8. Is there an issue with source ports?

    It is possible that ports that FortiGate uses to contact FortiGuard are being changed before they reach FortiGuard or on the return trip before they reach FortiGate. A possible solution for this is to use a fixed-port at NAT'd firewalls to ensure the port remains the same. You can use packet sniffing to find more information about what's happening with ports.

  9. Are there security policies that include antivirus?

    If none of the security policies include antivirus, the antivirus database will not be updated. If antivirus is included, only the database type that's used will be updated.

Troubleshooting process for FortiGuard updates

Troubleshooting process for FortiGuard updates

The following process shows the logical steps you should take when troubleshooting problems with FortiGuard updates:

  1. Does the device have a valid license that includes these services?

    Each device requires a valid FortiGuard license to access updates for some or all of these services. You can verify the status of the support contract for your devices at the Fortinet Support website.

  2. If the device is part of a high availability (HA) cluster, do all members of the cluster have the same level of support?

    You can verify the status of the support contract for all of the devices in your HA cluster at the Fortinet Support website.

  3. Are services enabled on the device?

    To see the FortiGuard information and status for a device in the GUI, go to System > FortiGuard.

    Use this page to verify the status of each component, and enable each service.

  4. Can the device communicate with FortiGuard servers?

    Go to System > FortiGuard in the GUI, and try to update AntiVirus and IPS, or test the availability of Web Filtering and AS default and alternate ports.

  5. Is there proper routing to reach the FortiGuard servers?

    Ensure there is a static or dynamic route that allows your FortiGate to reach the FortiGuard servers. Usually a generic default route to the internet is enough, but you may need to verify this if your network is complex.

  6. Are there issues with DNS?

    An easy way to test this is to attempt a traceroute from behind the FortiGate to an external network using the Fully Qualified Domain Name (FQDN) for a location. If the traceroute FQDN name doesn't resolve, you have general DNS problems.

  7. Is there anything upstream that might be blocking FortiGuard traffic, either on the network or ISP side?

    Many firewalls block all ports, by default, and ISPs often block ports that are low. There may be a firewall between the FortiGate and the FortiGuard servers that's blocking the traffic. By default, FortiGuard uses port 53. If that port is blocked you need to either open a hole for it or change the port it is using.

  8. Is there an issue with source ports?

    It is possible that ports that FortiGate uses to contact FortiGuard are being changed before they reach FortiGuard or on the return trip before they reach FortiGate. A possible solution for this is to use a fixed-port at NAT'd firewalls to ensure the port remains the same. You can use packet sniffing to find more information about what's happening with ports.

  9. Are there security policies that include antivirus?

    If none of the security policies include antivirus, the antivirus database will not be updated. If antivirus is included, only the database type that's used will be updated.