Fortinet black logo

Administration Guide

Home FortiGate / FortiOS 7.4.0 Administration Guide

FortiGuard

7.4.0
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
Copy Link
Copy Doc ID 187b45d8-d7ee-11ed-8e6d-fa163e15d75b:42459
Download PDF

FortiGuard

FortiGuard services comprise of signature packages and querying services that provide content, web and device security. It is delivered via various types of FortiGuard servers that are part of the FortiGuard Distribution Network (FDN).

FortiGuard service subscriptions can be purchased and registered to your FortiGate unit. The FortiGate must be connected to the Internet in order to automatically connect to the FDN to validate the license and download FDN updates or perform real-time queries.

To view FDN support contract information, go to System > FortiGuard. The License Information table shows the status of your FortiGate’s entitlements and breaks down the status of each service.

The following topics contain more information:

Anycast

FortiGuard servers use Anycast addresses in order to optimize and distribute traffic across many servers. Anycast is the default access mode for FortiGates when connecting to FortiGuard which by default utilizes HTTPS and port 443.

Each type of FortiGuard servers and services have a FortiGuard domain name that resolves to a single Anycast IP address. Regardless of where the FortiGate is located, the resolution is still the same. Fortinet maintains the network in the background to ensure routes to the FortiGuard servers are optimized. In the below diagram, several servers have the same Anycast IP, but the FortiGate will connect to the one with the least hops.

Connection and OCSP stapling

When the FortiGate connects to a FortiGuard server, it is important for it to validate the server is indeed a real FortiGuard server. Hence, FortiGuard servers provide the following security:

  • The domain name of each FortiGuard service is the common name in that service's certificate, which is signed by a third-party intermediate CA.

  • The FortiGuard server also applies Online Certificate Status Protocol (OCSP) stapling check, in which it attaches a time-stamped OCSP status of the server certificate from the OCSP server to the TLS response.

This ensures FortiGate can validate the FortiGuard server certificate efficiently during the TLS handshake.

The following illustrates the connection process:

FortiGate will only complete the TLS handshake with an anycast server when abort conditions are not met. Abort conditions include:

  • The CN in the server's certificate does not match the domain name resolved from the DNS.

  • The OCSP status is revoked or unknown.

  • The issuer-CA is revoked by the root-CA.

To configure the anycast FortiGuard access mode:

config system fortiguard
    set fortiguard-anycast enable 
end

If FortiGuard is not reachable via Anycast, choose between the following options to work around this issue:

  1. Switch to other Anycast servers:

    config system fortiguard
    set fortiguard-anycast enable
    set fortiguard-anycast-source aws
end

  2. Disable Anycast and use HTTPS:

    config system fortiguard
    set fortiguard-anycast disable
    set protocol https 
    set port 8888
end

  3. Disable Anycast and use UDP:

    config system fortiguard
    set fortiguard-anycast disable
    set protocol udp 
    set port 53         
end
Previous
Next

FortiGuard

FortiGuard services comprise of signature packages and querying services that provide content, web and device security. It is delivered via various types of FortiGuard servers that are part of the FortiGuard Distribution Network (FDN).

FortiGuard service subscriptions can be purchased and registered to your FortiGate unit. The FortiGate must be connected to the Internet in order to automatically connect to the FDN to validate the license and download FDN updates or perform real-time queries.

To view FDN support contract information, go to System > FortiGuard. The License Information table shows the status of your FortiGate’s entitlements and breaks down the status of each service.

The following topics contain more information:

Anycast

FortiGuard servers use Anycast addresses in order to optimize and distribute traffic across many servers. Anycast is the default access mode for FortiGates when connecting to FortiGuard which by default utilizes HTTPS and port 443.

Each type of FortiGuard servers and services have a FortiGuard domain name that resolves to a single Anycast IP address. Regardless of where the FortiGate is located, the resolution is still the same. Fortinet maintains the network in the background to ensure routes to the FortiGuard servers are optimized. In the below diagram, several servers have the same Anycast IP, but the FortiGate will connect to the one with the least hops.

Connection and OCSP stapling

When the FortiGate connects to a FortiGuard server, it is important for it to validate the server is indeed a real FortiGuard server. Hence, FortiGuard servers provide the following security:

  • The domain name of each FortiGuard service is the common name in that service's certificate, which is signed by a third-party intermediate CA.

  • The FortiGuard server also applies Online Certificate Status Protocol (OCSP) stapling check, in which it attaches a time-stamped OCSP status of the server certificate from the OCSP server to the TLS response.

This ensures FortiGate can validate the FortiGuard server certificate efficiently during the TLS handshake.

The following illustrates the connection process:

FortiGate will only complete the TLS handshake with an anycast server when abort conditions are not met. Abort conditions include:

  • The CN in the server's certificate does not match the domain name resolved from the DNS.

  • The OCSP status is revoked or unknown.

  • The issuer-CA is revoked by the root-CA.

To configure the anycast FortiGuard access mode:

config system fortiguard
    set fortiguard-anycast enable 
end

If FortiGuard is not reachable via Anycast, choose between the following options to work around this issue:

  1. Switch to other Anycast servers:

    config system fortiguard
    set fortiguard-anycast enable
    set fortiguard-anycast-source aws
end

  2. Disable Anycast and use HTTPS:

    config system fortiguard
    set fortiguard-anycast disable
    set protocol https 
    set port 8888
end

  3. Disable Anycast and use UDP:

    config system fortiguard
    set fortiguard-anycast disable
    set protocol udp 
    set port 53         
end
Previous
Next