FortiGuard
FortiGuard services consist of signature packages and query services that provide content, web, and device security. They are delivered by various types of FortiGuard servers that are part of the FortiGuard Distribution Network (FDN).
FortiGuard service subscriptions can be purchased and registered to your FortiGate unit. The FortiGate must be connected to the Internet so that it can automatically connect to the FDN to validate the license, download FDN updates, and perform real-time queries.
To view FDN support contract information, go to System > FortiGuard. The License Information table shows the status of your FortiGate’s entitlements and breaks down the status of each service.
The following topics contain more information:
- Anycast
- Connection and OCSP stapling
- Configuring FortiGuard updates
- Configuring a proxy server for FortiGuard updates
- Manual updates
- Automatic updates
- Scheduled updates
- Sending malware statistics to FortiGuard
- Update server location
- Filtering
- Online security tools
- Anycast and unicast services
- Using FortiManager as a local FortiGuard server
- Cloud service communication statistics
- IoT detection service
- FortiAP query to FortiGuard IoT service to determine device details
- FortiGate Cloud / FDN communication through an explicit proxy
- FDS-only ISDB package in firmware images
- Licensing in air-gap environments
- License expiration
Anycast
FortiGuard servers use Anycast addresses in order to optimize and distribute traffic across many servers. Anycast is the default access mode for FortiGates connecting to FortiGuard; by default it uses HTTPS on port 443.
Each type of FortiGuard server and service has a FortiGuard domain name that resolves to a single Anycast IP address. Regardless of where the FortiGate is located, the name resolves to the same address. Fortinet maintains the network in the background to ensure that routes to the FortiGuard servers are optimized. In the diagram below, several servers share the same Anycast IP, but the FortiGate connects to the one with the fewest hops.
Connection and OCSP stapling
When the FortiGate connects to a FortiGuard server, it must validate that the server is a genuine FortiGuard server. To support this, FortiGuard servers provide the following security:
- The domain name of each FortiGuard service is the common name (CN) in that service's certificate, which is signed by a third-party intermediate CA.
- The FortiGuard server also applies an Online Certificate Status Protocol (OCSP) stapling check: it attaches a time-stamped OCSP status of the server certificate, obtained from the OCSP server, to the TLS response. This lets the FortiGate validate the FortiGuard server certificate efficiently during the TLS handshake.
The following illustrates the connection process:
The FortiGate only completes the TLS handshake with an anycast server when none of the following abort conditions is met:
- The CN in the server's certificate does not match the domain name resolved from DNS.
- The OCSP status is revoked or unknown.
- The issuer CA is revoked by the root CA.
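The three abort conditions above can be checked from outside the FortiGate as well, which is useful when diagnosing why a unit refuses a FortiGuard connection. The following script is an added example and is not Fortinet code: it parses the text that `openssl s_client -status` prints for a TLS connection (the `-status` flag asks the server for a stapled OCSP response) and applies the same three rules. The domain names, certificate subjects and CA names in the embedded sample output are constructed placeholders, not real FortiGuard values, and the set of revoked issuer CAs is supplied by the caller as a stand-in for the root CA's revocation data.

```python
"""Added example (not Fortinet code): evaluate the abort conditions for a
FortiGuard anycast TLS connection against `openssl s_client -status` output.
All hostnames and certificate names below are constructed placeholders."""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class HandshakeFacts:
    leaf_cn: Optional[str] = None            # CN of the depth-0 (server) certificate
    san_dns: List[str] = field(default_factory=list)
    ocsp_response_status: Optional[str] = None   # e.g. "successful"
    cert_status: Optional[str] = None            # "good", "revoked" or "unknown"
    issuer_cn: Optional[str] = None              # CN of the intermediate CA that signed the leaf


def parse_s_client(text: str) -> HandshakeFacts:
    """Pull the fields we need out of s_client's 'OCSP response' and 'Certificate chain' sections."""
    facts = HandshakeFacts()
    m = re.search(r"^\s*0 s:.*?CN\s*=\s*([^,\n]+)", text, re.M)
    if m:
        facts.leaf_cn = m.group(1).strip()
    m = re.search(r"^\s*0 s:.*\n\s*i:.*?CN\s*=\s*([^,\n]+)", text, re.M)
    if m:
        facts.issuer_cn = m.group(1).strip()
    m = re.search(r"OCSP Response Status:\s*(\w+)", text)
    if m:
        facts.ocsp_response_status = m.group(1)
    m = re.search(r"Cert Status:\s*(\w+)", text)
    if m:
        facts.cert_status = m.group(1)
    return facts


def _name_matches(resolved: str, cert_name: str) -> bool:
    """Exact match, plus single-label wildcard (*.example) handling."""
    resolved, cert_name = resolved.lower().rstrip("."), cert_name.lower()
    if cert_name.startswith("*.") and "." in resolved:
        return resolved.split(".", 1)[1] == cert_name[2:]
    return resolved == cert_name


def abort_reasons(resolved_name: str, facts: HandshakeFacts,
                  revoked_issuers: Set[str] = frozenset()) -> List[str]:
    """Return the abort conditions that apply; an empty list means the handshake may complete."""
    reasons = []
    names = {n for n in [facts.leaf_cn, *facts.san_dns] if n}
    if not any(_name_matches(resolved_name, n) for n in names):
        reasons.append(f"CN mismatch: certificate names {sorted(names)} do not cover {resolved_name}")
    # No stapled response at all is treated as 'unknown', which is an abort condition.
    if facts.ocsp_response_status != "successful" or facts.cert_status != "good":
        reasons.append(f"OCSP status is {facts.cert_status or 'unknown (no stapled response)'}")
    if facts.issuer_cn in revoked_issuers:
        reasons.append(f"issuer CA '{facts.issuer_cn}' is revoked by the root CA")
    return reasons


def check(resolved_name: str, s_client_text: str, revoked_issuers: Set[str] = frozenset()) -> List[str]:
    return abort_reasons(resolved_name, parse_s_client(s_client_text), revoked_issuers)


def s_client_output(host: str, port: int = 443) -> str:
    """Live capture (needs network): request a stapled OCSP response with -status."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"]
    return subprocess.run(cmd, input=b"", capture_output=True, timeout=15).stdout.decode(errors="replace")


# Constructed sample output: stapled response present, CN matches the resolved name.
SAMPLE_OK = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
======================================
Certificate chain
 0 s:CN = update.fortiguard.example
   i:C = XX, O = Example CA, CN = Example Intermediate CA
 1 s:C = XX, O = Example CA, CN = Example Intermediate CA
   i:C = XX, O = Example CA, CN = Example Root CA
"""

# Constructed sample output: no stapled response and a certificate for a different name.
SAMPLE_NO_STAPLE = """\
CONNECTED(00000003)
OCSP response: no response sent
Certificate chain
 0 s:CN = impostor.example.net
   i:C = XX, O = Example CA, CN = Example Intermediate CA
"""

if __name__ == "__main__":
    for text in (SAMPLE_OK, SAMPLE_NO_STAPLE):
        r = check("update.fortiguard.example", text)
        print("handshake may complete" if not r else "ABORT: " + "; ".join(r))
```

Running the script against the two constructed samples prints one completing handshake and one abort with both a CN mismatch and an unknown OCSP status. To check a live server, pass the text returned by `s_client_output(host)` and the hostname you resolved to `check`; the revoked-issuer set is something you would populate from the root CA's revocation data rather than hard-code.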
To configure the anycast FortiGuard access mode:
    config system fortiguard
        set fortiguard-anycast enable
    end
If FortiGuard is not reachable via Anycast, choose one of the following options to work around the issue:
- Switch to other Anycast servers:
    config system fortiguard
        set fortiguard-anycast enable
        set fortiguard-anycast-source aws
    end
- Disable Anycast and use HTTPS:
    config system fortiguard
        set fortiguard-anycast disable
        set protocol https
        set port 8888
    end
- Disable Anycast and use UDP:
    config system fortiguard
        set fortiguard-anycast disable
        set protocol udp
        set port 53
    end