Connecting to FortiGuard services
Most exploits and virus exposures occur within the first 2 months of a known vulnerability. Most botnets consist of thousands of zombie computers whose IP addresses are continuously changing. Every day, spilled account credentials are used to launch credential stuffing attacks. To keep your defenses effective against the evolving threat landscape, Fortinet recommends FortiGuard services. New vulnerabilities, botnets, and stolen account credentials are discovered and new signatures are built by Fortinet researchers every day.
Without connecting to FortiGuard, your FortiWeb cannot detect the latest threats.
After you have subscribed to FortiGuard services (see Appendix E: How to purchase and renew FortiGuard licenses), configure your FortiWeb appliance to connect to the Internet so that it can reach the world-wide Fortinet Distribution Network (FDN) in order to:
- verify its FortiGuard service licenses
- download up-to-date signatures, IP lists, stolen account credentials, and engine packages
FortiWeb appliances can often connect using the default settings. However, due to potential differences in routing and firewalls, you should confirm this by verifying connectivity.
You must first register the FortiWeb appliance with Fortinet Customer Service & Support (https://support.fortinet.com/) to receive service from the FDN. The FortiWeb appliance must also have a valid Fortinet Technical Support contract that includes service subscriptions and be able to connect to the FDN. For port numbers to use to validate the license and update connections, see Appendix A: Port numbers.
To determine your FortiGuard license status
- If your FortiWeb appliance must connect to the Internet through an explicit (non-transparent) web proxy, configure the proxy connection (see Accessing FortiGuard via a proxy).
- Go to System > Status > Status.
- In the FortiGuard Information widget, look at the Security Service row, Antivirus row, IP Reputation row, and Credential Stuffing Defense row.
The appliance will attempt to validate its license when it boots. If the appliance could not connect because proxy settings were not configured, or due to any other connectivity issue that you have since resolved, you can reboot the appliance to re-attempt license validation.
To access this part of the web UI, your administrator's account access profile must have Read permission to items in the System Configuration category. For details, see Permissions.
Valid—At the last attempt, the FortiWeb appliance was able to successfully contact the FDN and validate its FortiGuard license. Continue with Scheduling automatic signature updates.
Expired—At the last attempt, the license was either expired or FortiWeb was unable to determine license status due to network connection errors with the FDN.
Your FortiWeb appliance cannot detect the latest vulnerabilities and compliance violations unless it is licensed and has network connectivity to download current definitions from the FortiGuard service.
If the connection did not succeed:
- On FortiWeb, verify the following settings:
- time zone & time
- DNS settings
- network interface up/down status & IP
- static routes
- On your computer, use nslookup to verify that FortiGuard domain names are resolving (license authentication queries are sent to update.fortiguard.net):
C:\Users\cschwartz>nslookup update.fortiguard.net
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: fds1.fortinet.com
Addresses: 209.66.81.150
209.66.81.151
208.91.112.66
Aliases: update.fortiguard.net
- Check the configuration of any NAT or firewall devices that exist between the FortiWeb appliance and the FDN or FDS server override. On FortiWeb, enter the execute ping and execute traceroute commands to verify that connectivity from FortiWeb to the Internet and FortiGuard is possible:
FortiWeb # exec traceroute update.fortiguard.net
traceroute to update.fortiguard.net (209.66.81.150), 32 hops max, 84 byte packets
1 192.0.2.2 0 ms 0 ms 0 ms
2 209.87.254.221 <static-209-87-254-221.storm.ca> 4 ms 2 ms 3 ms
3 209.87.239.161 <core-2-g0-3.storm.ca> 2 ms 3 ms 3 ms
4 67.69.228.161 3 ms 4 ms 3 ms
5 64.230.164.17 <core2-ottawa23_POS13-1-0.net.bell.ca> 3 ms 5 ms 3 ms
6 64.230.99.250 <tcore4-ottawa23_0-4-2-0.net.bell.ca> 16 ms 17 ms 15 ms
7 64.230.79.222 <tcore3-montreal01_pos0-14-0-0.net.bell.ca> 14 ms 14 ms 15 ms
8 64.230.187.238 <newcore2-newyork83_so6-0-0_0> 63 ms 15 ms 14 ms
9 64.230.187.42 <bxX5-newyork83_POS9-0-0.net.bell.ca> 21 ms 64.230.187.93 <BX5-NEWYORK83_POS12-0-0_core.net.bell.ca> 17 ms 16 ms
10 67.69.246.78 <Abovenet_NY.net.bell.ca> 28 ms 28 ms 28 ms
11 64.125.21.86 <xe-1-3-0.cr2.lga5.us.above.net> 29 ms 29 ms 30 ms
12 64.125.27.33 <xe-0-2-0.cr2.ord2.us.above.net> 31 ms 31 ms 33 ms
13 64.125.25.6 <xe-4-1-0.cr2.sjc2.us.above.net> 82 ms 82 ms 100 ms
14 64.125.26.202 <xe-1-1-0.er2.sjc2.us.above.net> 80 ms 79 ms 82 ms
15 209.66.64.93 <209.66.64.93.t01015-01.above.net> 80 ms 80 ms 79 ms
16 209.66.81.150 <209.66.81.150.available.above.net> 83 ms 82 ms 81 ms
To verify FortiGuard update connectivity
- If your FortiWeb appliance must connect to the Internet (and therefore FDN) through an explicit (non-transparent) web proxy, first you must configure the proxy connection. For details, see Accessing FortiGuard via a proxy.
- Go to System > Config > FortiGuard.
- If you want your FortiWeb appliance to connect to a specific FDS other than the default for its time zone, enable Override default FortiGuard address and enter the IP address and port number of an FDS in the format <FDS_ipv4>:<port_int>, such as 10.0.0.1:443, or enter the domain name of an FDS.
- Click Apply.
- Click Update Now.
The FortiWeb appliance tests the connection to the FDN and, if any, the server you specified to override the default FDN server. Time required varies by the speed of the FortiWeb appliance’s network connection, and by the number of timeouts that occur before the connection attempt is successful or the FortiWeb appliance determines that it cannot connect. If you have enabled logging via:
- Log & Report > Log Config > Other Log Settings
- Log & Report > Log Config > Global Log Settings
test results are indicated in Log & Report > Log Access > Event.
If the connection test did not succeed due to license issues, you would instead see this log message:
FortiWeb is unauthorized
For more troubleshooting information, enter the following commands:
diagnose debug enable
diagnose debug application fds 8
These commands cause additional information to be displayed in your CLI console. For example:
FortiWeb # [update]: Poll timeout.
FortiWeb # *ATTENTION*: license registration status changed to 'VALID',please logout and re-login
For example, poll (license and update request) timeouts can be caused by incorrectly configured static routes and DNS settings, links with high packet loss, and other basic connectivity issues. Unless you override the behavior with a specific FDS address (enable and configure Override default FortiGuard address), FortiWeb connects to the FDN by communicating with the server closest to it according to the configured time zone. Timeouts can therefore also be caused by configuring an incorrect time zone.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see Permissions.
Choosing the virus signature database & decompression buffer
Most viruses initially spread, but as hosts are patched and more networks filter them out, their occurrence becomes more rare.
Fortinet’s FortiGuard Global Security Research Team continuously monitors detections of new and older viruses. When a specific virus has not been detected for one year, it is considered to be dormant. It is possible that a new outbreak could revive it, but that is increasingly unlikely as time passes due to the replacement of vulnerable hardware and patching of vulnerable software. As a result, dormant viruses’ signatures are removed from the “Regular” database, but preserved in the “Extended” signature database.
If your FortiWeb’s performance is more critical than the risk of these dormant viruses, you can choose to omit signatures for obsolete viruses by selecting the “Regular” database in System > Config > FortiGuard.
To select the virus database and maximum buffer size
- Go to System > Config > FortiGuard.
- Under the FortiWeb Virus Database section, select the database(s) and maximum antivirus buffer size according to these options:
Regular Virus Database: Select to use only the signatures of viruses and greyware that have been detected by FortiGuard’s networks to be recently spreading in the wild.
Extended Virus Database: Select to use all signatures, regardless of whether the viruses or greyware are currently spreading.
Use FortiSandbox Malware Signature Database: Enable to use FortiSandbox's malware signature database to enhance FortiWeb's virus detection in addition to using the regular virus database or extended virus database. FortiWeb downloads the malware signature database from a FortiSandbox appliance or FortiSandbox Cloud every 10 minutes. For details, see To configure a FortiSandbox connection.
Maximum Antivirus Buffer Size: Type the maximum size in kilobytes (KB) of the memory buffer that FortiWeb uses to temporarily undo the compression that a client or web server has applied to traffic, in order to inspect and/or modify it. The maximum acceptable values are:
102400 KB: FortiWeb 100D, 400C, 400D, 600D, 1000C, 3000CFsx, 3000DFsx, 4000C
204800 KB: FortiWeb 1000D, 2000D, 3000D, 4000D, 1000E, 2000E, 3010E
358400 KB: FortiWeb 3000E, 4000E
Caution: Unless you configure otherwise, compressed requests that are too large for this buffer pass through FortiWeb without scanning or rewriting. This could allow viruses to reach your web servers, and cause HTTP body rewriting to fail. If you prefer to block requests greater than this buffer size, configure Body Length. To be sure that it will not disrupt normal traffic, first configure Action to be Alert. If no problems occur, switch it to Alert & Deny.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see Permissions.
Accessing FortiGuard via a proxy
You can access FortiGuard via a proxy using two methods:
- Use a FortiWeb as a proxy. For details, see To access FortiGuard via a FortiWeb proxy.
- Use a web proxy server. For details, see Access FortiGuard via a web proxy server.
To use a FortiWeb as a proxy, you must first configure a FortiWeb in the network to act as an FDS proxy. For details, see To configure a FortiWeb as a proxy.
To configure a FortiWeb as a proxy
You can configure FortiWeb to act as an FDS proxy so that other FortiWebs in the network are able to connect to FortiGuard for license validation. Other FortiWebs in the network can also update services from the FortiWeb FDS proxy, but the FortiWeb FDS proxy must first schedule a poll update to get the service files. You can further configure the proxy either in the CLI or the web UI to override the default FDS list, but it must first be enabled in the CLI. You can also schedule poll updates for the FDS proxy.
- In the CLI, enter these commands:
config system global
set fds-proxy enable
end
- Go to System > Config > FDS Proxy.
- Optionally, enable Override Default FortiGuard IP Address and enter the IP address or domain name of the particular FDS to which you want FortiWeb to connect.
- Optionally, enable Scheduled Poll Update to set intervals at which FortiWeb will poll updates from FDS. If enabled, select one of the following:
- Every—FortiWeb will poll updates every x hour(s), where x is the integer that you select from the drop-down menu.
- Daily—FortiWeb will poll updates every day at the hour that you specify from the drop-down menu. For example, if you select Daily and specify 15, FortiWeb will poll updates every day at 15:00 (24-hour), or 03:00pm (12-hour).
- Weekly—FortiWeb will poll updates on the day and time that you specify. For example, if you select Weekly and specify Tuesday for the day and 16 for the hour, FortiWeb will poll updates every Tuesday at 16:00 (24-hour), or 04:00pm (12-hour).
You can also click Poll Now to immediately poll updates from FDS. Click Refresh to see the status of the FDS proxy update.
To access FortiGuard via a FortiWeb proxy
You can configure FortiWeb to access FDS for license validation via a FortiWeb proxy in the network, and to update services from the FortiWeb proxy that receives service files from FDS via 'Poll Now' or 'Schedule Poll Update'. To do so, you must first configure a FortiWeb as an FDS proxy. For details, see To configure a FortiWeb as a proxy.
- Go to System > Config > FortiGuard.
- Under the FortiWeb Update Service Options section, enable Override default FortiGuard Address.
- In the Override default FortiGuard Address field, enter the IP address or domain name of the FortiWeb proxy you configured in To configure a FortiWeb as a proxy.
- Click Apply.
Access FortiGuard via a web proxy server
Using the CLI, you can configure FortiWeb to connect through an explicit (non-transparent) web proxy server to the FortiGuard Distribution Network (FDN) for signature updates. FortiWeb connects to the proxy using the HTTP CONNECT method as described in RFC 2616 (http://tools.ietf.org/rfc/rfc2616.txt).
CLI Syntax
config system autoupdate tunneling
set status enable
set address 192.168.1.10
set port 8080
set username FortiWeb
set password myPassword1
end
For details, see the FortiWeb CLI Reference:
http://docs.fortinet.com/fortiweb/reference
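The CONNECT exchange described above, as an added example (not FortiWeb's own code): it builds the request an explicit proxy receives, parses the proxy's reply, and maps common replies back to the setting to check. The credentials and proxy address are the constructed values from the CLI syntax above, and mapping the username/password settings to HTTP Basic proxy authentication is an assumption of this example.

```python
import base64
import socket

# Constructed values for illustration only (not FortiWeb's own code): the proxy
# credentials match the "CLI Syntax" example above, and the FDN host is the one
# this guide says license queries are sent to.
FDN_HOST = "update.fortiguard.net"
FDN_PORT = 443
PROXY_USER = "FortiWeb"
PROXY_PASSWORD = "myPassword1"


def build_connect_request(target_host, target_port, username=None, password=None):
    """Return the CONNECT request an explicit proxy receives (RFC 2616 section 9.9).

    With a username the request carries HTTP Basic proxy credentials; that the
    FortiWeb username/password settings map to Basic is an assumption here.
    """
    authority = f"{target_host}:{target_port}"
    lines = [f"CONNECT {authority} HTTP/1.1", f"Host: {authority}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_proxy_response(raw):
    """Parse the proxy's reply; return (status_code, reason, tunnel_established)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line = head.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    code = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    return code, reason, code == 200


def diagnose(raw):
    """Map the proxy's answer to the FortiWeb setting or network path to check next."""
    code, reason, established = parse_proxy_response(raw)
    if established:
        return "tunnel established: the proxy can reach the FDN; TLS can proceed"
    if code == 407:
        return "407: proxy rejected the credentials; check 'set username' and 'set password'"
    if code in (403, 502, 503, 504):
        return f"{code}: proxy refused or could not reach the FDN; check its ACL and outbound routing"
    return f"unexpected proxy status {code} {reason}".rstrip()


def probe_proxy(proxy_host, proxy_port, username=None, password=None, timeout=10):
    """From an admin workstation, send the same CONNECT the appliance would and report.

    Only the proxy's status line is read; no TLS handshake to the FDN is attempted.
    """
    request = build_connect_request(FDN_HOST, FDN_PORT, username, password)
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        raw = b""
        while b"\r\n\r\n" not in raw and len(raw) < 8192:
            chunk = sock.recv(1024)
            if not chunk:
                break
            raw += chunk
    return diagnose(raw.decode("iso-8859-1"))


if __name__ == "__main__":
    # Constructed proxy address (from the CLI syntax above); replace with yours.
    print(probe_proxy("192.168.1.10", 8080, PROXY_USER, PROXY_PASSWORD))
```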
How often does Fortinet provide FortiGuard updates for FortiWeb?
Security is only as good as your most recent update. Without up-to-date signatures and blacklists, your network would be vulnerable to new attacks. However, if updates are released before adequate testing and are not accurate, FortiWeb scans would result in false positives or false negatives. For maximum benefit and minimum risk, updates must balance two needs: to be both accurate and current.
Fortinet releases FortiGuard updates according to the best frequency for each technology.
- Antivirus—Multiple times per day. Updates are fast to test and low risk, while viruses can spread quickly and the newest ones are most common.
- IP reputation—Once per day (approximately). Some time is required to make certain of an IP address’ reputation, but waiting too long would increase the probability of blacklisting innocent DHCP/PPPoE clients that re-use an IP address previously used by an attacker.
- Attack, data type, suspicious URL, and data leak signatures—Once every 1-2 weeks (approximately). Signatures must be tuned to be flexible enough to match heuristic permutations of attacks without triggering false positives in similar but innocent HTTP requests/responses. Signatures must then be thoroughly tested to analyze any performance impacts and mismatches that are an inherent risk in feature-complete regular expression engines. Many exploits and data leaks also continue to be relevant for two years or more, much longer than most viruses.
- Geography-to-IP mappings—Once every month (approximately). These change rarely. FortiWeb can poll for these updates and automatically apply them through the FortiGuard Distribution Servers. Please note that you must manually upload these updates if your deployments do not have an Internet connection.
See also
- Blocking known attacks & data leaks
- Validating parameters (“input rules”)
- Preventing tampering with hidden inputs
- Limiting file uploads
- Predefined data types
- Predefined suspicious request URLs
- Blacklisting source IPs with poor reputation
- Blacklisting & whitelisting countries & regions
Scheduling automatic signature updates
Your FortiWeb appliance uses signatures, IP lists, and data type definitions for many features, including to detect attacks such as:
- Cross-site scripting (XSS)
- SQL injection
- Other common exploits
- Data leaks
FortiWeb can also use virus definitions to block Trojan uploads, IP reputation definitions to allow search engines but block botnets and anonymizing proxies preferred by hackers, and the spilled account credential database to prevent credential stuffing attacks. FortiGuard services ensure that your FortiWeb is using the most advanced attack protections. Timely updates are crucial to defending your network.
You can configure the FortiWeb appliance to periodically poll for FortiGuard service updates from the FDN, and automatically download and apply updates if they exist.
For example, you might schedule update requests every night at 2 AM local time, when traffic volume is light.
Alternatively, you can manually upload update packages, or initiate an update request. For details, see Manually initiating update requests and Uploading signature & geography-to-IP updates. You can manually initiate updates as alternatives or in conjunction with scheduled updates. For additional/alternative update methods, see Manually initiating update requests.
To configure automatic updates
- Verify that the FortiWeb appliance has a valid license and can connect to the FDN, or (if destination NAT is used, for example) the IP address that you are using to override the default IPs for FDN servers. For details, see To determine your FortiGuard license status and To verify FortiGuard update connectivity.
- Go to System > Config > FortiGuard.
- Enable Scheduled Update.
- Select one of the following options:
- Every—Select to request to update once every 1 to 23 hours, then select the number of hours between each update request.
- Daily—Select to update once every day, then select the hour. The update attempt occurs at a randomly determined time within the selected hour.
- Weekly—Select to request to update once a week, then select the day of the week, the hour, and the minute of the day to check for updates. If you select 00 minutes, the update request occurs at a randomly determined time within the selected hour.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see Permissions.
The page informs you if you are not registered or if registration has expired. If your registration is active, continue scheduling updates; otherwise, click Register or Renew.
The FortiWeb appliance next requests an update according to the schedule.
At the scheduled time, FortiWeb starts the update. Under Current update status, the following information is displayed:
- The name of the update package that is currently downloading, the start time of the download operation, and the percentage complete.
- A Refresh button, which allows you to update the package download status information.
- If FortiWeb is downloading an anti-virus package, a Stop Download button.
This option is useful if the download is slow and you want to stop it and try again later. It can also be useful if you want to stop the scheduled update and instead update your anti-virus package using a file you have manually downloaded from the Fortinet Technical Support website (see Uploading signature & geography-to-IP updates).
Results of the update activity appear in Security Service in the FortiGuard Information widget. If you have enabled logging in:
- Log & Report > Log Config > Other Log Settings
- Log & Report > Log Config > Global Log Settings
when the FortiWeb appliance requests an update, the event is recorded in Log & Report > Log Access > Event. Example log messages include:
FortiWeb virus signature is already up-to-date
FortiWeb IP reputation signature update succeeded
If the FortiWeb appliance cannot successfully connect, it records a log with a message that varies by the cause of the error, such as:
FortiWeb is unauthorized.
Once the attack signature update is complete, FortiWeb immediately begins to use the new signatures. No reboot is required.
See also
- How often does Fortinet provide FortiGuard updates for FortiWeb?
- Blocking known attacks & data leaks
- Validating parameters (“input rules”)
- Preventing tampering with hidden inputs
- Limiting file uploads
- Predefined data types
- Predefined suspicious request URLs
- Blacklisting source IPs with poor reputation
- Blacklisting & whitelisting countries & regions
Manually initiating update requests
If an important update has been released but there is too much time remaining until your appliance’s next scheduled update poll, you can manually trigger the FortiWeb appliance to connect to the FDN or FDS server override to request available updates for its FortiGuard service packages.
You can manually initiate updates as an alternative or in addition to other update methods. For details, see Scheduling automatic signature updates and Uploading signature & geography-to-IP updates.
To manually request updates
- Before manually initiating an update, first verify that the FortiWeb appliance has a valid license and can connect to the FDN or override server. For details, see To determine your FortiGuard license status and To verify FortiGuard update connectivity.
- Go to System > Config > FortiGuard.
- Click Update Now.
The web UI displays a message similar to the following:
Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.
After the update starts, under Current update status, the following information is displayed:
- The name of the update package that is currently downloading
- The start time of the download operation
- The percentage complete
- A Refresh button, which allows you to update the package download status information.
- If FortiWeb is downloading an anti-virus package, a Stop Download button.
This option is useful if, for example, the download is slow and you want to stop it and try again later. It can also be useful if you want to stop the scheduled update and instead update your anti-virus package using a file you have manually downloaded from the Fortinet Technical Support website. For details, see Uploading signature & geography-to-IP updates.
Results of the update activity appear in FortiWeb Security Service in the FortiGuard Information widget. If you have enabled logging in:
- Log & Report > Log Config > Other Log Settings
- Log & Report > Log Config > Global Log Settings
when the FortiWeb appliance requests an update, the event is recorded in Log & Report > Log Access > Event. Example log messages include:
FortiWeb virus signature is already up-to-date
FortiWeb IP reputation signature update succeeded
If the FortiWeb appliance cannot successfully connect, it will record a log with a message that varies by the cause of the error, such as:
FortiWeb is unauthorized.
Once the attack signature update is complete, FortiWeb immediately begins to use the new signatures. No reboot is required.
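Detection logic over the event messages quoted in this section and in Scheduling automatic signature updates, as an added example (not FortiWeb's own code): it classifies each message, keeps the latest status per service, and attaches the troubleshooting hint this guide gives for "is unauthorized" and poll timeouts. The message texts are the ones shown above; the date=/time=/msg= line layout is a constructed assumption, not necessarily FortiWeb's real event log format.

```python
import re

# Constructed sample event log lines for illustration only. The quoted message
# texts are the ones this guide shows; the date=/time=/msg= key=value layout is
# an assumed format, not necessarily FortiWeb's actual event log format.
SAMPLE_EVENTS = [
    'date=2024-01-10 time=02:05:11 msg="FortiWeb virus signature is already up-to-date"',
    'date=2024-01-10 time=02:05:12 msg="FortiWeb IP reputation signature update succeeded"',
    'date=2024-01-10 time=02:05:13 msg="[update]: Poll timeout."',
    'date=2024-01-10 time=02:05:14 msg="FortiWeb is unauthorized"',
]

# (pattern, kind), tried in order. `service` captures e.g. "virus" or "IP reputation".
PATTERNS = [
    (re.compile(r"^FortiWeb (?P<service>.+?) signature is already up-to-date$"), "current"),
    (re.compile(r"^FortiWeb (?P<service>.+?) signature update succeeded$"), "updated"),
    (re.compile(r"^FortiWeb is unauthorized$"), "unauthorized"),
    (re.compile(r"Poll timeout"), "timeout"),
]

# What this guide says to check for each failure kind.
HINTS = {
    "unauthorized": "license not validated: check registration and support contract, then "
                    "reboot or click Update Now (see To determine your FortiGuard license status)",
    "timeout": "poll timed out: check static routes, DNS, time zone, packet loss and any "
               "Override default FortiGuard address setting",
}

MSG_RE = re.compile(r'msg="([^"]*)"')


def extract_message(line):
    """Return the msg= value of a key=value log line, or None if it has none."""
    m = MSG_RE.search(line)
    return m.group(1) if m else None


def classify(message):
    """Map one event message to (kind, service); kind is 'other' when unrecognised."""
    for pattern, kind in PATTERNS:
        m = pattern.search(message)
        if m:
            return kind, m.groupdict().get("service")
    return "other", None


def summarize(lines):
    """Fold event lines into per-service status plus problems that need attention."""
    services = {}
    problems = []
    for line in lines:
        message = extract_message(line)
        if message is None:
            continue
        kind, service = classify(message)
        if service is not None:
            services[service] = kind          # the latest line for a service wins
        elif kind in HINTS:
            problems.append((kind, HINTS[kind]))
    return {"services": services, "problems": problems}


if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS)
    for service, status in result["services"].items():
        print(f"{service}: {status}")
    for kind, hint in result["problems"]:
        print(f"PROBLEM {kind}: {hint}")
```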
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see Permissions.
Uploading signature & geography-to-IP updates
You can manually update the geography-to-IP mappings and the attack, virus, and botnet signatures that your FortiWeb appliance uses to detect attacks. Updating these ensures that your FortiWeb appliance can detect recently discovered variations of these attacks, and that it knows about the current statuses of all IP addresses on the public Internet.
After restoring the firmware of the FortiWeb appliance, you should install the most currently available packages through FortiGuard. Restoring firmware installs the packages that were current at the time the firmware image file was made: they may no longer be up-to-date.
Alternatively, you can schedule automatic updates, or manually trigger the appliance to immediately request an update. For details, see Scheduling automatic signature updates and Manually initiating update requests. This does not, however, update geography-to-IP mappings, which still must be uploaded manually.
To manually upload signatures
- Download the file from the Fortinet Technical Support website:
- Log in to the web UI of the FortiWeb appliance as the admin administrator, or an administrator account whose access profile contains Read and Write permissions in the Maintenance category.
- Go to System > Config > FortiGuard.
- In the row next to the service whose signatures you want to upload, click the Update link.
A dialog appears that allows you to upload the file.
- Click the Browse button (its name varies by browser) and select the signatures file, then click OK.
Your browser uploads the file. Time required varies by the size of the file and the speed of your network connection. Once the attack signature update is complete, FortiWeb immediately begins to use the new signatures. No reboot is required.
Enforcing new FortiGuard signature updates
FortiWeb now allows you to deploy new signature updates in alert mode. This gives customers a way to first test new signatures in their environment before switching them to block mode.
When you update from the FDS, the new signatures in the update are listed in the Signature Update Management pane, where you can review them.
The Signature Update Management option is disabled by default; enable it from the CLI console first.
When you next update from the FDS, any signatures you have not yet treated are applied automatically.
To update the FortiGuard signature
- Connect to the CLI console, and run the following commands to enable it.
config waf signature_update_policy
set status enable
end
- Go to System > Config > FortiGuard.
- Click Signature Update Management tab.
New signatures in the update, if any, are listed here. You can see the signature ID, description, and status (Applied, Unapplied) of each signature.
- Select a signature, then perform any of these three actions:
- Disable: disable the signature across all web protection policies. If the rule associated with this signature causes multiple blocks, confirm that they are false positives and then choose this option.
- Approve: change the signature from Alert mode to normal status, with the action as configured in the signature protection policy.
- Undo: cancel a previous Disable or Approve operation for the signature.