Administration Guide

Troubleshoot FortiGuard connection issues

Problem

The FortiMail unit cannot connect to the FDN servers to use FortiGuard Antivirus and/or FortiGuard Antispam services.

Solution

FortiGuard Antivirus and FortiGuard Antispam subscription services use multiple types of connections with the FortiGuard Distribution Network (FDN).

For all FortiGuard connection types, you must:

  • Register your FortiMail unit with the Fortinet Technical Support web site, https://support.fortinet.com/.

  • Get a trial or purchased service contract for FortiGuard Antispam and/or FortiGuard Antivirus, and apply it to your FortiMail unit. If you have multiple FortiMail units operating in high availability (HA) together, all of them must have a service contract. You can view service contracts applied to each of your registered FortiMail units by visiting the Fortinet Technical Support web site:

    https://support.fortinet.com/

  • Configure your FortiMail unit to connect with a DNS server that can resolve the domain names of FortiGuard servers. For more information, see Configuring DNS.

  • Configure your FortiMail unit with at least one route so that the FortiMail unit can connect to the Internet. For more information, see Configuring static routes.

To verify DNS resolution of the FortiGuard Antispam service, enter:

execute nslookup name service.fortiguard.net

To verify DNS resolution of the FortiGuard antivirus service, enter:

execute nslookup name fds1.fortinet.com

To verify network connectivity, enter:

execute traceroute <address_ipv4>

where <address_ipv4> is one of the FortiGuard servers.

If those tests succeed, then also examine requirements specific to the type of communication that is failing:

Scheduled updates (FortiGuard Antivirus and FortiGuard Antispam)

  • Configure the system time of the FortiMail unit, including its time zone. For more information, see Configuring the time and date.
  • Intermediary firewall devices must allow the FortiMail unit to use HTTPS on TCP port 443 to connect to the FDN.
  • If your FortiMail unit connects to the Internet through a proxy, use the CLI command set system autoupdate tunneling to enable the FortiMail unit to connect to the FDN through the proxy. For more information, see the FortiMail CLI Reference.
  • You might need to override the FortiGuard server to which the FortiMail unit is connecting, and connect to one other than the default server for your time zone.

Rating queries (FortiGuard Antispam)

  • Intermediary firewall devices must allow the FortiMail unit to use UDP port 53 to connect to the FDN.

If you suspect that a device on your network is interfering with connectivity, you can analyze traffic and verify that the FortiMail unit is sending and receiving traffic on the required port numbers. Use the CLI command diagnose sniffer to perform packet capture. If traffic is being corrupted or interrupted, you may need to perform packet capture at additional points on your network to locate the source of the interruption.
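
An added example, not part of the Fortinet guide: this Python script reads one-line packet summaries saved from a capture and reports, for the two ports named above, whether the FortiMail unit sent traffic and received replies. The line format, the IP addresses (documentation ranges) and the sample capture are assumptions constructed for illustration; adjust the regular expression to match the output of your capture.

```python
import re

# Ports the guide requires: TCP 443 for scheduled updates, UDP 53 for rating queries.
REQUIRED = {("tcp", 443): "scheduled updates (TCP 443)",
            ("udp", 53): "rating queries (UDP 53)"}

# Assumed summary format: "<time> <src_ip>.<sport> -> <dst_ip>.<dport>: <info>"
LINE = re.compile(
    r"^\S+\s+(\d+(?:\.\d+){3})\.(\d+) -> (\d+(?:\.\d+){3})\.(\d+): (.*)$")

def count_flows(capture, unit_ip):
    """Count packets the unit sent to, and received from, each required port."""
    counts = {key: {"sent": 0, "received": 0, "reset": 0} for key in REQUIRED}
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner lines, ICMP, or anything in another format
        src, sport, dst, dport, info = m.groups()
        proto = "udp" if info.startswith("udp") else "tcp"
        if src == unit_ip and (proto, int(dport)) in counts:
            counts[(proto, int(dport))]["sent"] += 1
        elif dst == unit_ip and (proto, int(sport)) in counts:
            entry = counts[(proto, int(sport))]
            entry["received"] += 1
            if proto == "tcp" and "rst" in info.split():
                entry["reset"] += 1
    return counts

def diagnose(capture, unit_ip):
    """Map each required connection type to a one-line verdict."""
    verdicts = {}
    for key, c in count_flows(capture, unit_ip).items():
        if c["sent"] == 0:
            verdicts[REQUIRED[key]] = "no outbound traffic captured"
        elif c["received"] == 0:
            verdicts[REQUIRED[key]] = "sent, no reply"
        elif c["reset"]:
            verdicts[REQUIRED[key]] = "connection reset"
        else:
            verdicts[REQUIRED[key]] = "ok"
    return verdicts

# Constructed sample capture (documentation IP ranges, not real FDN servers).
SAMPLE = """\
interfaces=[port1]
0.101 192.0.2.10.40001 -> 198.51.100.20.443: syn 1000
0.152 198.51.100.20.443 -> 192.0.2.10.40001: syn 2000 ack 1001
0.153 192.0.2.10.40001 -> 198.51.100.20.443: ack 2001
1.200 192.0.2.10.50001 -> 203.0.113.5.53: udp 48
3.200 192.0.2.10.50001 -> 203.0.113.5.53: udp 48
"""
```

A "sent, no reply" verdict on one port while the other is "ok" indicates that the loss occurs beyond the capture point, which is the case where capturing at additional points on the network locates the interruption.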
