Connecting to FortiGuard services
After the FortiMail unit is physically installed and configured to operate in your network, if you have subscribed to FortiGuard Antivirus and/or FortiGuard Antispam services, connect the FortiMail unit to the Fortinet Distribution Network (FDN).
Connecting your FortiMail unit to the FDN or override server ensures that your FortiMail unit can:
- download the most recent FortiGuard Antivirus definitions and engine packages
- query the FDN for blocklisted servers and other real-time information during FortiGuard Antispam scans, if configured
This way, you scan email using the most up-to-date protection.
The FDN is a world-wide network of Fortinet Distribution Servers (FDS). When a FortiMail unit connects to the FDN to download FortiGuard engine and definition updates, by default, it connects to the nearest FDS based on the current time zone setting. You can override the FDS to which the FortiMail unit connects.
Your FortiMail unit may be able to connect using the default settings. However, you should confirm this by verifying connectivity.
You must first register the FortiMail unit with the Fortinet Technical Support web site, https://support.fortinet.com/, to receive service from the FDN. The FortiMail unit must also have a valid Fortinet Technical Support contract which includes service subscriptions, and be able to connect to the FDN or the FDS that you will configure to override the default FDS addresses.
Before performing the next procedure, if your FortiMail unit connects to the Internet using a proxy, use the CLI command
config system fortiguard antivirus to enable the FortiMail unit to connect to the FDN through the proxy.
To verify rating query connectivity
- Go to System > FortiGuard > AntiSpam in the advanced mode of the web UI.
- Make sure the Enable Service check box is marked. If it is not, mark it and click Apply.
- Verify that the DNS servers contain A records to resolve service.fortiguard.net and other FDN servers. You may be able to obtain additional insight into the cause of the query failure by manually performing a DNS query from the FortiMail unit using the following CLI command:
- Verify that:
If the FortiMail unit can reach the DNS server, but cannot successfully resolve the domain name of the FDS, a message appears notifying you that a DNS error has occurred.
DNS error when resolving the FortiGuard Antispam domain name
execute nslookup name service.fortiguard.net
If the FortiMail unit cannot successfully connect, or if your FortiGuard Antispam license does not exist or is expired, a message appears notifying you that a connection error has occurred.
Connection error when verifying FortiGuard Antispam rating query connectivity
- your FortiGuard Antispam license is valid and currently active
- the default route (located in System > Network > Routing) is correctly configured
- the FortiMail unit can connect to the DNS servers you configured during the Quick Start Wizard (located in System > Network > DNS), and to the FDN servers
- firewalls between the FortiMail unit and the Internet or override server allow FDN traffic (For configuration examples specific to your operation mode, see Gateway mode deployment, Transparent mode deployment, or Server mode deployment.)
execute traceroute <address_ipv4>
<address_ipv4> is the IP address of the DNS server or FDN server.
When query connectivity is successful, antispam profiles can use the FortiGuard-AntiSpam scan option.
If FortiGuard Antispam scanning is enabled, you can use the antispam log to analyze any query connectivity interruptions caused because FortiMail cannot connect to the FDN and/or its license is not valid. To enable the antispam log, go to Log & Report > Log Setting > Local in the advanced mode of the web UI. To view the antispam log, go to Monitor > Log > AntiSpam, then mark the check box of a log file and click View.
If FortiMail cannot connect with the FDN server, the log Message field contains:
FortiGuard-Antispam: No Answer from server.
Antispam log when FortiGuard Antispam query fails
Verify that the FortiGuard Antispam license is still valid, and that network connectivity has not been disrupted for UDP port 53 traffic from the FortiMail unit to the Internet.
Configuring antivirus updates
You can configure the FortiMail unit to periodically request FortiGuard Antivirus engine and definition updates from the FDN or override server.
You can use push updates or manually initiate updates as alternatives or in conjunction with scheduled updates. If protection from the latest viral threats is a high priority, you could configure both scheduled updates and push updates, using scheduled updates as a failover method to increase the likelihood that the FortiMail unit will still periodically retrieve updates if connectivity is interrupted during a push notification. While using only scheduled updates could potentially leave your network vulnerable to a new virus, it minimizes short disruptions to antivirus scans that can occur if the FortiMail unit applies push updates during peak volume times.
For example, you might schedule updates every night at 2 AM or weekly on Sunday, when email traffic volume is light.
To configure scheduled updates
Go to System > FortiGuard > AntiVirus in the advanced mode of the web UI.
Updating FortiGuard Antivirus definitions can cause a short disruption in traffic currently being scanned while the FortiMail unit applies the new signature database. To minimize disruptions, update when traffic is light, such as during the night.