Fortinet black logo

FortiGuard

6.4.0
Copy Link
Copy Doc ID 23a6ef88-6864-11ea-9384-00505692583a:649403
Download PDF

FortiGuard

The FortiGuard communication protocol is used by FortiGuard to communicate with Fortinet devices.

FortiGuard services can be purchased and registered to your FortiGate unit. The FortiGate must be connected to the internet in order to automatically connect to the FortiGuard Distribution Network (FDN) to validate the license and download FDN updates.

If accepting push updates is enabled, the FDN sends notice that a FortiGuard AV and IPS update is available on UDP/9443.

When the FortiGuard protocol is configured to use HTTPS (default), third party certificate verification and OCSP stapling check is implemented for all FortiGuard servers that are connected to FortiOS. The default FortiGuard access mode is anycast.

See Anycast and unicast services for a list of services.

For more information, see FortiGuard in the FortiOS Administration guide.

Submission of malware statistics to FortiGuard

FortiGates periodically send encrypted Antivirus, IPS, botnet IP list, and Application Control event statistics to FortiGuard. Included with these malware statistics is the IP address and serial number of the FortiGate and the country in which the FortiGate is located. This information is never shared with external parties (Fortinet Privacy Policy).

The malware statistics are used to improve various aspects of FortiGate malware protection. For example, antivirus data allow FortiGuard to determine what viruses are currently active. Signatures for those viruses are kept in the Active AV Signature Database that is used by multiple Fortinet products. Inactive virus signatures are moved to the Extended AV Signature Database (see Configuring antivirus and IPS options in the FortiOS Administration guide.). When events for inactive viruses start appearing in the malware data, the signatures are moved back into the AV Signature Database.

The FortiGate and FortiGuard servers go through a 2-way SSL/TLS 1.2 authentication before any data is transmitted. The certificates used in this process must be trusted by each other and signed by Fortinet CA server.

Fortinet products only accepts data from authorized FortiGuard severs. Fortinet products use DNS to find FortiGuard servers and periodically update their FortiGate server list. All other servers are provided by a list that is updated through the encrypted channel.

Malware statistics are accumulated and sent periodically (by default every 60 minutes).

To configure sharing this information:

config system global

set fds-statistics {enable | disable}

set fds-statistics-period <minutes>

end

Note

The submission of malware data is in accordance with Fortinet's “Automatically-Collected Information” detailed in the Fortinet Privacy Policy, and the purpose of this collection is outlined in the “Use of your Information” section of the privacy policy.

There is no sensitive or personal information included in these submissions. Only malware statistics are sent.

Fortinet uses the malware statistics collected in this manner to improve the performance of the FortiGate services and to display statistics on the Fortinet Support website for customers registered FortiGate devices.

Fortinet may also publish or share statistics or results derived from this malware data with various audiences. The malware statistics shared in this way do not include any customer data.

In addition to secure submission of statistics to FortiGuard, there are other mechanisms in place to prevent unauthorized FortiGuard updates from clients:

  • The server certificate has to be authenticated by FortiGates, and it only trusts Fortinet's root certificate.
  • Proprietary encryption (including FGCP, an application-level proprietary protocol) that only Fortinet's own servers/devices can prepare.

FortiGates can only accept data from Fortinet's own list of servers, although the list can be updated through previously connected servers. DNS is used on the initial server, but all other servers are provided by a list that is updated through SSL, meaning that only FortiGates accept data from those servers.

Automatic update at every GUI login

FortiGates running FortiOS 5.6.1 and above may perform automatic "update now" updates when one of the "core" licenses is unavailable: Application Control, IPS, or Antivirus. Please note that this automatic update is triggered even if the following CLI command is set:

config system autoupdate schedule

set status disable

end

FortiGuard related CLI commands

To set the FDN push update port:

config system autoupdate push-update

set port <integer>

end

To set the proxy server port that the FortiGate will use to connect to the FortiGuard Distribution Network (FDN):

config system autoupdate tunneling

set port <integer>

end

To set the port that scheduled FortiGuard service updates will be received on:

config system fortiguard

set port {53 | 8888 | 80}

end

To enable or disable ports that are used for HTTPS/HTTP override authentication and disable user overrides:

config webfilter fortiguard

set close-ports {enable | disable}

end

For more information, including FortiGuard execute commands used to manage FortiCloud domains and operations, see the CLI Reference.

FortiGuard

The FortiGuard communication protocol is used by FortiGuard to communicate with Fortinet devices.

FortiGuard services can be purchased and registered to your FortiGate unit. The FortiGate must be connected to the internet in order to automatically connect to the FortiGuard Distribution Network (FDN) to validate the license and download FDN updates.

If accepting push updates is enabled, the FDN sends notice that a FortiGuard AV and IPS update is available on UDP/9443.

When the FortiGuard protocol is configured to use HTTPS (default), third party certificate verification and OCSP stapling check is implemented for all FortiGuard servers that are connected to FortiOS. The default FortiGuard access mode is anycast.

See Anycast and unicast services for a list of services.

For more information, see FortiGuard in the FortiOS Administration guide.

Submission of malware statistics to FortiGuard

FortiGates periodically send encrypted Antivirus, IPS, botnet IP list, and Application Control event statistics to FortiGuard. Included with these malware statistics is the IP address and serial number of the FortiGate and the country in which the FortiGate is located. This information is never shared with external parties (Fortinet Privacy Policy).

The malware statistics are used to improve various aspects of FortiGate malware protection. For example, antivirus data allow FortiGuard to determine what viruses are currently active. Signatures for those viruses are kept in the Active AV Signature Database that is used by multiple Fortinet products. Inactive virus signatures are moved to the Extended AV Signature Database (see Configuring antivirus and IPS options in the FortiOS Administration guide.). When events for inactive viruses start appearing in the malware data, the signatures are moved back into the AV Signature Database.

The FortiGate and FortiGuard servers go through a 2-way SSL/TLS 1.2 authentication before any data is transmitted. The certificates used in this process must be trusted by each other and signed by Fortinet CA server.

Fortinet products only accepts data from authorized FortiGuard severs. Fortinet products use DNS to find FortiGuard servers and periodically update their FortiGate server list. All other servers are provided by a list that is updated through the encrypted channel.

Malware statistics are accumulated and sent periodically (by default every 60 minutes).

To configure sharing this information:

config system global

set fds-statistics {enable | disable}

set fds-statistics-period <minutes>

end

Note

The submission of malware data is in accordance with Fortinet's “Automatically-Collected Information” detailed in the Fortinet Privacy Policy, and the purpose of this collection is outlined in the “Use of your Information” section of the privacy policy.

There is no sensitive or personal information included in these submissions. Only malware statistics are sent.

Fortinet uses the malware statistics collected in this manner to improve the performance of the FortiGate services and to display statistics on the Fortinet Support website for customers registered FortiGate devices.

Fortinet may also publish or share statistics or results derived from this malware data with various audiences. The malware statistics shared in this way do not include any customer data.

In addition to secure submission of statistics to FortiGuard, there are other mechanisms in place to prevent unauthorized FortiGuard updates from clients:

  • The server certificate has to be authenticated by FortiGates, and it only trusts Fortinet's root certificate.
  • Proprietary encryption (including FGCP, an application-level proprietary protocol) that only Fortinet's own servers/devices can prepare.

FortiGates can only accept data from Fortinet's own list of servers, although the list can be updated through previously connected servers. DNS is used on the initial server, but all other servers are provided by a list that is updated through SSL, meaning that only FortiGates accept data from those servers.

Automatic update at every GUI login

FortiGates running FortiOS 5.6.1 and above may perform automatic "update now" updates when one of the "core" licenses is unavailable: Application Control, IPS, or Antivirus. Please note that this automatic update is triggered even if the following CLI command is set:

config system autoupdate schedule

set status disable

end

FortiGuard related CLI commands

To set the FDN push update port:

config system autoupdate push-update

set port <integer>

end

To set the proxy server port that the FortiGate will use to connect to the FortiGuard Distribution Network (FDN):

config system autoupdate tunneling

set port <integer>

end

To set the port that scheduled FortiGuard service updates will be received on:

config system fortiguard

set port {53 | 8888 | 80}

end

To enable or disable ports that are used for HTTPS/HTTP override authentication and disable user overrides:

config webfilter fortiguard

set close-ports {enable | disable}

end

For more information, including FortiGuard execute commands used to manage FortiCloud domains and operations, see the CLI Reference.