
Administration Guide

Connecting to FortiGuard services


Most exploits and virus exposures occur within the first 2 months of a known vulnerability. Most botnets consist of thousands of zombie computers whose IP addresses are continuously changing. Every day, spilled account credentials are used to launch credential stuffing attacks. To keep your defenses effective against the evolving threat landscape, Fortinet recommends FortiGuard services. New vulnerabilities, botnets, and stolen account credentials are discovered and new signatures are built by Fortinet researchers every day.

Without connecting to FortiGuard, your FortiWeb cannot detect the latest threats.

After you have subscribed to FortiGuard services (see Appendix F: How to purchase and renew FortiGuard licenses), configure your FortiWeb appliance to connect to the Internet so that it can reach the world-wide Fortinet Distribution Network (FDN) in order to:

  • verify its FortiGuard service licenses
  • download up-to-date signatures, IP lists, stolen account credentials, and engine packages

FortiWeb appliances can often connect using the default settings. However, due to potential differences in routing and firewalls, you should confirm this by verifying connectivity.

You must first register the FortiWeb appliance with Fortinet Customer Service & Support (https://support.fortinet.com/) to receive service from the FDN. The FortiWeb appliance must also have a valid Fortinet Technical Support contract that includes service subscriptions and be able to connect to the FDN. For port numbers to use to validate the license and update connections, see Appendix A: Port numbers.

To determine your FortiGuard license status

  1. If your FortiWeb appliance must connect to the Internet through an explicit (non-transparent) web proxy, configure the proxy connection (see Accessing FortiGuard via a proxy).
  2. The appliance will attempt to validate its license when it boots. If the appliance could not connect because proxy settings were not configured, or due to any other connectivity issue that you have since resolved, you can reboot the appliance to re-attempt license validation.
    If FortiWeb is deployed in a closed network, you can also use FortiManager as a proxy and connect FortiWeb with it to validate the license and update the FortiGuard services. See License validation with FortiManager.

  3. Go to System > Status > Status.
    To access this part of the web UI, your administrator's account access profile must have Read permission to items in the System Configuration category. For details, see Permissions.

  4. In the Licenses widget, check the status icon for each service package.

Valid—At the last attempt, the FortiWeb appliance was able to successfully contact the FDN and validate its FortiGuard license. Continue with Connecting to FortiGuard services.

Expired—At the last attempt, the license was either expired or FortiWeb was unable to determine license status due to network connection errors with the FDN. See the following for how to verify the connection status. If the license is expired, see Appendix F: How to purchase and renew FortiGuard licenses.

Your FortiWeb appliance cannot detect the latest vulnerabilities and compliance violations unless it is licensed and has network connectivity to download current definitions from the FortiGuard service.

If the connection did not succeed:

  • On FortiWeb, verify the following settings:
    • time zone & time
    • DNS settings
    • network interface up/down status & IP
    • static routes
  • On your computer, use nslookup to verify that FortiGuard domain names are resolving (license authentication queries are sent to update.fortiguard.net):

    C:\Users\cschwartz>nslookup update.fortiguard.net
    Server: google-public-dns-a.google.com
    Address: 8.8.8.8

    Non-authoritative answer:
    Name: fds1.fortinet.com
    Addresses: 209.66.81.150
               209.66.81.151
               208.91.112.66
    Aliases: update.fortiguard.net

  • Check the configuration of any NAT or firewall devices that exist between the FortiWeb appliance and the FDN or FDS server override. On FortiWeb, enter the execute ping and execute traceroute commands to verify that connectivity from FortiWeb to the Internet and FortiGuard is possible:

    FortiWeb # exec traceroute update.fortiguard.net
    traceroute to update.fortiguard.net (209.66.81.150), 32 hops max, 84 byte packets
    1 192.0.2.2 0 ms 0 ms 0 ms
    2 209.87.254.221 <static-209-87-254-221.storm.ca> 4 ms 2 ms 3 ms
    3 209.87.239.161 <core-2-g0-3.storm.ca> 2 ms 3 ms 3 ms
    4 67.69.228.161 3 ms 4 ms 3 ms
    5 64.230.164.17 <core2-ottawa23_POS13-1-0.net.bell.ca> 3 ms 5 ms 3 ms
    6 64.230.99.250 <tcore4-ottawa23_0-4-2-0.net.bell.ca> 16 ms 17 ms 15 ms
    7 64.230.79.222 <tcore3-montreal01_pos0-14-0-0.net.bell.ca> 14 ms 14 ms 15 ms
    8 64.230.187.238 <newcore2-newyork83_so6-0-0_0> 63 ms 15 ms 14 ms
    9 64.230.187.42 <bxX5-newyork83_POS9-0-0.net.bell.ca> 21 ms 64.230.187.93 <BX5-NEWYORK83_POS12-0-0_core.net.bell.ca> 17 ms 16 ms
    10 67.69.246.78 <Abovenet_NY.net.bell.ca> 28 ms 28 ms 28 ms
    11 64.125.21.86 <xe-1-3-0.cr2.lga5.us.above.net> 29 ms 29 ms 30 ms
    12 64.125.27.33 <xe-0-2-0.cr2.ord2.us.above.net> 31 ms 31 ms 33 ms
    13 64.125.25.6 <xe-4-1-0.cr2.sjc2.us.above.net> 82 ms 82 ms 100 ms
    14 64.125.26.202 <xe-1-1-0.er2.sjc2.us.above.net> 80 ms 79 ms 82 ms
    15 209.66.64.93 <209.66.64.93.t01015-01.above.net> 80 ms 80 ms 79 ms
    16 209.66.81.150 <209.66.81.150.available.above.net> 83 ms 82 ms 81 ms

License validation with FortiManager

If FortiWeb is deployed in a closed network, you can validate your FortiWeb-VM license through FortiManager because it has a built-in FDS (FortiGuard Distribution Servers) feature. This requires FortiManager to have an Internet connection. To configure FortiWeb-VM to validate its license using FortiManager, enter the following commands before you upload the license:

    config system autoupdate override
      set status enable
      set address <fortimanager_ip>:8890
      set fail-over disable
    end

where <fortimanager_ip> is the IP address of the FortiManager. (TCP port 8890 is the port where the built-in FDS feature listens for requests.)

For more information on the FortiManager built-in FDS feature, see the FortiManager Administration Guide.

To verify FortiGuard update connectivity

  1. If your FortiWeb appliance must connect to the Internet (and therefore FDN) through an explicit (non-transparent) web proxy, first you must configure the proxy connection. For details, see Accessing FortiGuard via a proxy.
  2. Go to System > Config > FortiGuard.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see Permissions.

  3. If you want your FortiWeb appliance to connect to a specific FDS other than the default for its time zone, enable Override default FortiGuard address and enter the IP address and port number of an FDS in the format <FDS_ipv4>:<port_int>, such as 10.0.0.1:443, or enter the domain name of an FDS.
  4. Click Apply.
  5. Click Update Now.

    The FortiWeb appliance tests the connection to the FDN and, if you specified one, to the server that overrides the default FDN server. The time required varies with the speed of the FortiWeb appliance’s network connection and with the number of timeouts that occur before the connection attempt succeeds or the FortiWeb appliance determines that it cannot connect. If you have enabled logging via:

    • Log & Report > Log Config > Other Log Settings
    • Log & Report > Log Config > Global Log Settings

    test results are indicated in Log & Report > Log Access > Event.

    If the connection test did not succeed due to license issues, you would instead see this log message:

    FortiWeb is unauthorized

    For more troubleshooting information, enter the following commands:

      diagnose debug enable
      diagnose debug application fds 8

    These commands display additional information in your CLI console. For example:

      FortiWeb # [update]: Poll timeout.
      FortiWeb # *ATTENTION*: license registration status changed to 'VALID',please logout and re-login

    For example, poll (license and update request) timeouts can be caused by incorrectly configured static routes and DNS settings, links with high packet loss, and other basic connectivity issues. Unless you override the behavior with a specific FDS address (enable and configure Override default FortiGuard address), FortiWeb connects to the FDN by communicating with the server closest to it according to the configured time zone. Timeouts can therefore also be caused by configuring an incorrect time zone.


Choosing the virus signature database & decompression buffer

Most viruses spread when they first appear, but as hosts are patched and more networks filter them out, they become rarer.

Fortinet’s FortiGuard Global Security Research Team continuously monitors detections of new and older viruses. When a specific virus has not been detected for one year, it is considered to be dormant. It is possible that a new outbreak could revive it, but that is increasingly unlikely as time passes due to the replacement of vulnerable hardware and patching of vulnerable software. As a result, dormant viruses’ signatures are removed from the “Regular” database, but preserved in the “Extended” signature database.

If your FortiWeb’s performance is more critical than the risk of these dormant viruses, you can choose to omit signatures for obsolete viruses by selecting the “Regular” database in System > Config > FortiGuard.

To select the virus database and maximum buffer size

  1. Go to System > Config > FortiGuard.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see Permissions.

  2. Under the FortiWeb Virus Database section, select the database(s) and maximum antivirus buffer size according to these options:

    Regular Virus Database

    Select to use only the signatures of viruses and greyware that have been detected by FortiGuard’s networks to be recently spreading in the wild.

    Extended Virus Database

    Select to use all signatures, regardless of whether the viruses or greyware are currently spreading.

    Use FortiSandbox Malware Signature Database

    Enable to use FortiSandbox's malware signature database to enhance FortiWeb's virus detection in addition to using the regular virus database or extended virus database.

    FortiWeb downloads the malware signature database from a FortiSandbox appliance or FortiWeb Cloud Sandbox every 10 minutes. For details, see To configure a FortiSandbox connection.

    Maximum Antivirus Buffer Size

    Type the maximum size in kilobytes (KB) of the memory buffer that FortiWeb uses to temporarily undo the compression that a client or web server has applied to traffic, in order to inspect and/or modify it. The maximum acceptable values are:

    102400 KB: FortiWeb 100D, 100E, 100F, 400C, 400D, 400E, 400F, 600D, 600E, 600F, 1000C, 3000CFsx, 4000C

    204800 KB: FortiWeb 1000D, 2000D, 3000D, 3000DFsx, 4000D, 1000E, 2000E, 3010E, 1000F, 2000F

    358400 KB: FortiWeb 3000E, 4000E, 3000F, 4000F

    Caution: Unless you configure otherwise, compressed requests that are too large for this buffer pass through FortiWeb without scanning or rewriting. This could allow viruses to reach your web servers, and cause HTTP body rewriting to fail. If you prefer to block requests greater than this buffer size, configure Body Length. To be sure that it will not disrupt normal traffic, first configure Action to be Alert. If no problems occur, switch it to Alert & Deny.


Accessing FortiGuard via a proxy

You can access FortiGuard via a proxy using two methods:

To use a FortiWeb as a proxy, you must first configure a FortiWeb in the network to act as an FDS proxy. For details, see To configure a FortiWeb as a proxy.

To configure a FortiWeb as a proxy

You can configure FortiWeb to act as an FDS proxy so that other FortiWebs in the network are able to connect to FortiGuard for license validation. Other FortiWebs in the network can also update services from the FortiWeb FDS proxy, but the FortiWeb FDS proxy must first schedule a poll update to get service files. You can further configure the proxy either in the CLI or the web UI to override the default FDS list, but it must first be enabled in the CLI. You can also schedule poll updates for the FDS proxy.

  1. In the CLI, enter these commands:

    config system global
      set fds-proxy enable
    end

  2. Go to System > Config > FDS Proxy.
  3. Optionally, enable Override Default FortiGuard IP Address, so that the FortiWeb proxy can connect with the specified IP address instead of the default FortiGuard server to poll update:

    Override Default FortiGuard IP Address

    Enter the IP address or domain name of the particular FDS to which you want FortiWeb to connect.

  4. Optionally, enable Scheduled Poll Update to set intervals at which FortiWeb will poll updates from FDS. If enabled, select one of the following:
    • Every: FortiWeb will poll updates every x hour(s), where x is the integer that you select from the drop-down menu.
    • Daily: FortiWeb will poll updates every day at the hour that you specify from the drop-down menu. For example, if you select Daily and specify 15, FortiWeb will poll updates every day at 15:00 (24-hour), or 03:00pm (12-hour).
    • Weekly: FortiWeb will poll updates on the day and time that you specify. For example, if you select Weekly and specify Tuesday for the day and 16 for the hour, FortiWeb will poll updates every Tuesday at 16:00 (24-hour), or 04:00pm (12-hour).

    You can also click Poll Now to immediately poll updates from FDS. Click Refresh to see the status of the FDS proxy update.

  5. Click Apply.
  6. If you want other FortiWeb devices to update services from this FortiWeb proxy, configure the corresponding settings on other FortiWeb devices as introduced in To access FortiGuard via a FortiWeb proxy.

    To access FortiGuard via a FortiWeb proxy

    You can configure FortiWeb to access FDS for license validation via a FortiWeb proxy in the network, and to update services from the FortiWeb proxy that receives service files from FDS via 'Poll Now' or 'Schedule Poll Update'. To do so, you must first configure a FortiWeb as an FDS proxy. For details, see To configure a FortiWeb as a proxy.

    Perform the following steps to connect with a FortiWeb proxy for license validation and service update.

    1. Go to System > Config > FortiGuard.
    2. Under the FortiWeb Update Service Options section, enable Override default FortiGuard Address.
    3. In the Override default FortiGuard Address field, enter the IP address or domain name of the FortiWeb proxy you configured in To configure a FortiWeb as a proxy.
    4. Click Apply.

    Access FortiGuard via a web proxy server

    Using the CLI, you can configure FortiWeb to connect through an explicit (non-transparent) web proxy server to the FortiGuard Distribution Network (FDN) for signature updates. FortiWeb connects to the proxy using the HTTP CONNECT method as described in RFC 2616 (http://tools.ietf.org/rfc/rfc2616.txt).

    CLI Syntax

      config system autoupdate tunneling
        set status enable
        set address 192.168.1.10
        set port 8080
        set username FortiWeb
        set password myPassword1
      end

    For details, see the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/
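
The CONNECT exchange described above, as an added example (not code from Fortinet or from this guide): the client builds the request that the tunneling settings imply, and a constructed local stub stands in for the proxy. Port 443, the Basic authentication scheme, and the stub's rule of tunneling only to update.fortiguard.net are assumptions.

```python
import base64
import socket
import threading

# Values from the page's CLI sample. The port and the Basic scheme are assumptions:
# the page defers port numbers to Appendix A and does not name the auth scheme.
PROXY_USER, PROXY_PASS = "FortiWeb", "myPassword1"
FDN_HOST, FDN_PORT = "update.fortiguard.net", 443


def basic_token(username, password):
    # Basic credentials are base64-encoded, not encrypted, on the hop to the proxy.
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def build_connect_request(host, port, username=None, password=None):
    """Client side: the request that asks the proxy to open a tunnel."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if username is not None:
        lines.append("Proxy-Authorization: " + basic_token(username, password))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def read_head(sock, limit=8192):
    """Read until the blank line that ends an HTTP message head."""
    data = b""
    while b"\r\n\r\n" not in data and len(data) < limit:
        chunk = sock.recv(1024)
        if not chunk:
            break
        data += chunk
    return data.decode("iso-8859-1")


def connect_via_proxy(proxy_addr, host, port, username=None, password=None):
    """Send CONNECT to the proxy and return the HTTP status code of its reply."""
    with socket.create_connection(proxy_addr, timeout=5.0) as sock:
        sock.sendall(build_connect_request(host, port, username, password))
        status_line = read_head(sock).split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed proxy response: {status_line!r}")
    return int(parts[1])


def proxy_reply(head, allowed_target, expected_auth):
    """Proxy side: choose the status line for one request head."""
    request_line, _, rest = head.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        return "405 Method Not Allowed"
    if headers.get("proxy-authorization") != expected_auth:
        return '407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm="proxy"'
    if parts[1] != allowed_target:
        return "403 Forbidden"  # the stub tunnels only to the update server
    return "200 Connection established"


def start_stub_proxy(allowed_target, username, password):
    """Constructed stand-in for the explicit proxy; it answers but opens no tunnel."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)
    expected_auth = basic_token(username, password)

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                return
            with conn:
                reply = proxy_reply(read_head(conn), allowed_target, expected_auth)
                conn.sendall(f"HTTP/1.1 {reply}\r\n\r\n".encode("ascii"))

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()


def demo():
    """Run three CONNECT attempts against the stub and return their status codes."""
    addr = start_stub_proxy(f"{FDN_HOST}:{FDN_PORT}", PROXY_USER, PROXY_PASS)
    return {
        "valid credentials": connect_via_proxy(addr, FDN_HOST, FDN_PORT, PROXY_USER, PROXY_PASS),
        "no credentials": connect_via_proxy(addr, FDN_HOST, FDN_PORT),
        "other destination": connect_via_proxy(addr, "example.invalid", 443, PROXY_USER, PROXY_PASS),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: HTTP {status}")
```

Calling connect_via_proxy with your own proxy's address from a workstation shows whether that proxy accepts CONNECT with these credentials before you enter them on FortiWeb.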
