FortiGuard Center

1. FortiGuard Center

Go to the Fortinet FortiGuard Center to access FortiGuard resources such as the Fortinet threat and vulnerabilities database. This database is maintained by our worldwide Threat Response Team and provides 24x7x365 coverage of the latest global threats. You can also access the following FortiGuard resources from the Fortinet Knowledge Center.

1.1. Enabling FortiGuard 30 Day Trial

When you register your FortiGate unit, you have FortiGuard services available for a 30 day trial. The articles in this section describe how to enable the antivirus and content filtering options.

1.1.1. Enabling the FortiGuard 30 Day Trial with FortiOS 2.8 MR8

Description

FortiGuard 30 Day trial instructions for FortiOS 2.8 MR8

Components
  • All FortiGate units running FortiOS 2.8 MR8.
Steps or Commands

Antivirus and Intrusion Prevention updates are received automatically when you register your FortiGate unit. Use the steps below to activate antispam and web filtering services in the web-based manager.

Antispam

To enable antispam services

  1. Go to Spam Filter > FortiShield.
  2. Select Enable Service and Apply.
  3. Select Check Status to ensure the FortiGate unit can access the FortiGuard server.
  4. Enable Cache.
  5. Set the TTL (time to live) for the cache.
  6. Select Apply.
    The FortiGuard license type and expiration date appear on the configuration screen.

You can now enable spam filtering options in the protection profile, and apply the protection profiles to firewall policies.

Web Filtering

To enable web filtering services

  1. Go to Web Filter > Category Block.
  2. Select Enable Service and Apply.
  3. Select Check Status to ensure the FortiGate unit can access the FortiGuard server.
  4. Enable Cache.
  5. Set the TTL (time to live) for the cache.
  6. Select Apply.
    The FortiGuard license type and expiration date appear on the configuration screen.

You can now enable category blocking and configure categories in the protection profile, and apply the protection profiles to firewall policies.

1.1.2. Enabling the FortiGuard 30 Day Trial with FortiOS 2.8 MR12

Description

FortiGuard 30 Day trial instructions for FortiOS 2.8 MR12

Components
  • All FortiGate units running FortiOS 2.8 MR12.
Steps or Commands

Antivirus and Intrusion Prevention updates are received automatically when you register your FortiGate unit. Use the steps below to activate antispam and web filtering services in the web-based manager.

Antispam

To enable antispam services

  1. Go to Spam Filter > FortiGuard - AntiSpam.
  2. Select Enable Service and Apply.
  3. Select Check Status to ensure the FortiGate unit can access the FortiGuard server.
  4. Enable Cache.
  5. Set the TTL (time to live) for the cache.
  6. Select Apply.
    The FortiGuard license type and expiration date appear on the configuration screen.

You can now enable spam filtering options in the protection profile, and apply the protection profiles to firewall policies.

Web Filtering

To enable web filtering services

  1. Go to Web Filter > Category Block.
  2. Select Enable Service and Apply.
  3. Select Check Status to ensure the FortiGate unit can access the FortiGuard server.
  4. Enable Cache.
  5. Set the TTL (time to live) for the cache.
  6. Select Apply.
    The FortiGuard license type and expiration date appear on the configuration screen.

You can now enable category blocking and configure categories in the protection profile, and apply the protection profiles to firewall policies.

1.1.3. Enabling the FortiGuard 30 Day Trial with FortiOS 3.0

Description

FortiGuard 30 Day trial instructions for FortiOS 3.0

Components
  • All FortiGate units running FortiOS 3.0.
Steps or Commands

Antivirus and Intrusion Prevention updates are received automatically when you register your FortiGate unit. Use the steps below to activate antispam and web filtering services in the web-based manager.

For more information about enabling the following options and other FortiGuard services, see the FortiGate Administration Guide.

To enable antispam and web services

  1. Go to System > Maintenance > FortiGuard.
  2. Select the blue arrow beside Web Filtering and AntiSpam Options to reveal the available options. 
  3. Select the check box beside Enable Web Filter.
  4. Select the check box beside Enable Cache.
  5. If you require a different TTL (time to live, in seconds), enter the new value in the TTL field.
  6. Select the check box beside Enable AntiSpam.
  7. Select the check box beside Enable Cache.
  8. If you require a different TTL (time to live, in seconds), enter the new value in the TTL field.
  9. If you require an alternate port, select Use Alternate Port (8888).
  10. Select Test Availability to test the connection to the servers.

You can now enable web filtering and spam filtering options in the protection profile, and apply the protection profiles to firewall policies.

1.2. About the FortiGuard Center

Fortinet's FortiGuard Center is where you can find online resources and a timely threat and vulnerability database, maintained by Fortinet's worldwide Threat Response Team and providing 24x7x365 coverage of global threats. The FortiGuard Center is available at http://www.fortiguardcenter.com/.

FortiProtect Center is now FortiGuard Center

In case you were wondering: yes, the FortiProtect Center is now the FortiGuard Center. Browse features such as the "Virus Radar" page, or use the "Online Virus Scanner" page.

The FortiGuard Center includes the following features:

Antivirus - Virus Radar

  • Live data from our FDS server statistics showing the most common virus threats in the last 24 hours, 7 days, and 30 days. Data is updated daily.
  • Virus world map

Antivirus - Online Virus Scanner

  • Allows customers to upload/submit files directly to Fortinet
  • Gives customers instant feedback on whether Fortinet detects a given virus

Antivirus - alphabetized encyclopedia

  • for easy virus information search

Antivirus - EICAR Test

  • Lets customers test their antivirus defenses for both HTTP and FTP using the standard EICAR test file.

IPS - Fortinet Security Advisories

  • Provides customers security information of a time critical nature. Advisories contain information about vulnerabilities discovered by Fortinet security research team.

Web Filtering - URL Lookup

  • Quickly query the FortiGuard URL database for the category rating of a given URL.

Web Filtering - URL Categories and Classes

  • A breakdown of the different categories and their descriptions, for easy customer reference.

AntiSpam - spam and false positive submission

1.3. FDN Services and Ports

Description

This article lists:

  • ports for traffic originating from units
  • ports for traffic receivable by units (listening ports)
  • ports used to connect to the Fortinet Distribution Network (FDN)

Traffic varies by enabled options and configured ports. Only default ports are listed.

This information is also available in diagram format at the end of this article, and as a downloadable PDF.

For similar information about FortiMail, see FortiMail Traffic Types and TCP/UDP Ports

Components

  • FortiOS v3.0, v2.80, and v2.50
  • FortiClient v2.x, v3.0
  • FortiManager v3.0
  • FortiAnalyzer v3.0
  • Fortinet Distribution Network (FDN)

Originating Traffic

FortiGate

Functionality: Port(s)
  • DNS lookup; RBL lookup: UDP 53
  • FortiGuard Antispam or Web Filtering rating lookup: UDP 53 or UDP 8888
  • FDN server list: UDP 53 (default) or UDP 8888, and UDP 1027 or UDP 1031
    Source and destination port numbers vary by originating or reply traffic. See also the Knowledge Center article How do I troubleshoot performance issues when FortiGuard Web Filtering is enabled?
  • NTP synchronization: UDP 123
  • SNMP traps: UDP 162
  • Syslog: UDP 514
    All FortiOS versions can use syslog to send log messages to remote syslog servers. FortiOS v2.80 and v3.0 can also view logs stored remotely on a FortiAnalyzer unit. See originating port TCP 514.
  • Configuration backup to FortiManager unit or FortiGuard Analysis and Management Service: TCP 22
  • SMTP alert email; encrypted virus sample auto-submit: TCP 25
  • LDAP or PKI authentication: TCP 389 or TCP 636
  • FortiGuard Antivirus or IPS update: TCP 443
    When requesting updates from a FortiManager unit instead of directly from the FDN, this port must be reconfigured as TCP 8890.
  • FortiGuard Analysis and Management Service: TCP 443
  • FortiGuard Analysis and Management Service log transmission (OFTP): TCP 514
  • SSL management tunnel to FortiGuard Analysis and Management Service (FortiOS v3.0 MR6 or later): TCP 541
  • FortiGuard Analysis and Management Service contract validation: TCP 10151
  • Quarantine, remote access to logs & reports on a FortiAnalyzer unit, device registration with FortiAnalyzer units (OFTP): TCP 514
  • RADIUS authentication: TCP 1812

 

FortiAnalyzer

Functionality: Port(s)
  • DNS lookup: UDP 53
  • NTP synchronization: UDP 123
  • Windows share: UDP 137-138
  • SNMP traps: UDP 162
  • Syslog; log forwarding: UDP 514
  • Log & report upload: TCP 21 or TCP 22
  • SMTP alert email: TCP 25
  • User name LDAP queries for reports: TCP 389 or TCP 636
  • RVS update: TCP 443
  • RADIUS authentication: TCP 1812
  • Log aggregation client: TCP 3000

 

FortiManager

Functionality: Port(s)
  • DNS lookup: UDP 53
  • NTP synchronization: UDP 123
  • SNMP traps: UDP 162
  • Syslog: UDP 514
  • Remote management of a FortiGate unit: TCP 22 and TCP 443
  • Remote management of a FortiAnalyzer unit (OFTP and web services): TCP 443, TCP 514 and TCP 8080
  • Firmware image downloads; FortiGuard Antivirus, Antispam, IPS and Web Filtering updates: TCP 443
  • RADIUS authentication: TCP 1812
  • FortiClient Manager clustering: TCP 6028

 

FortiClient

Functionality: Port(s)
  • Syslog: UDP 514
  • Keepalive with FortiManager units: UDP 6022 and UDP 6023
  • FortiGuard Antispam or Web Filtering rating lookup: UDP 8888
  • FortiGuard Antivirus updates: TCP 80
  • Device registration with FortiManager units: TCP 6020
  • VPN settings from a FortiGate unit: TCP 8900
    FortiOS v3.0 can distribute VPN settings to FortiClients that provide a valid login. See the FortiGate CLI command config vpn ipsec forticlient.

Receivable Traffic (Listening Ports)

FortiGate

When operating in the default configuration, FortiGate units do not accept TCP or UDP connections on any port except the default internal interface, which accepts HTTPS connections on TCP port 443.

See also the Knowledge Center article Making your FortiGate unit completely invisible to probes.

Functionality: Port(s)
  • FortiGuard Antivirus and IPS update push: UDP 9443
    The FDN sends notice that an update is available. Update downloads then occur on the standard originating ports for updates. See originating port TCP 443.
  • SSH administrative access to the CLI; remote management from a FortiManager unit: TCP 22
  • Telnet administrative access to the CLI; HA synchronization (FGCP L2): TCP 23
    Changing the telnet administrative access port number also changes the HA synchronization port number.
  • HTTP administrative access to the web-based manager: TCP 80
  • HTTPS administrative access to the web-based manager; remote management from a FortiManager unit; user authentication for policy override: TCP 443
  • SSL management tunnel from FortiGuard Analysis and Management Service (FortiOS v3.0 MR6 or later): TCP 541
  • HA heartbeat (FGCP L2): TCP 703
    FortiOS v2.8 used TCP 702.
  • User authentication keepalive and logout for policy override (default port for HTTP traffic): TCP 1000
    Beginning with FortiOS v3.0 MR2, by default this port is closed until enabled by the auth-keepalive command.
  • User authentication keepalive and logout for policy override (default port for HTTPS traffic): TCP 1003
    Beginning with FortiOS v3.0 MR2, by default this port is closed until enabled by the auth-keepalive command.
  • HTTP or HTTPS administrative access to the web-based manager's CLI dashboard widget (v3.0 MR5 only): TCP 2302
    The protocol used matches the protocol used by the administrator when logging in to the web-based manager.
  • Windows Active Directory (AD) Collector Agent: TCP 8000
  • User authentication for policy override of HTTP traffic: TCP 8008
  • FortiClient download portal: TCP 8009
    This feature is available on FortiGate-1000A, FortiGate-3600A, and FortiGate-5005FA2 only.
  • User authentication for policy override of HTTPS traffic: TCP 8010
  • VPN settings distribution to authenticated FortiClient installations: TCP 8900
    See originating port TCP 8900.
  • SSL VPN: TCP 10443
  • HA: ETH 8890 (Layer 2)

 

FortiAnalyzer

Functionality: Port(s)
  • Windows share: UDP 137-139 and TCP 445
  • Syslog: UDP 514
  • SSH administrative access to the CLI: TCP 22
  • Telnet administrative access to the CLI: TCP 23
  • HTTP administrative access to the web-based manager: TCP 80
  • HTTPS administrative access to the web-based manager; remote management from a FortiManager unit: TCP 443
  • Device registration of FortiGate or FortiManager units; remote access to quarantine, logs & reports from a FortiGate unit; remote management from a FortiManager unit (configuration retrieval) (OFTP): TCP 514
  • NFS share: TCP 2049
  • HTTP or HTTPS administrative access to the web-based manager's CLI dashboard widget (v3.0 MR5 only): TCP 2302
    The protocol used matches the protocol used by the administrator when logging in to the web-based manager.
  • Log aggregation server: TCP 3000
    Log aggregation server support requires model FortiAnalyzer-800 or greater.
  • Remote management from a FortiManager unit (configuration installation): TCP 8080

 

FortiManager

Functionality: Port(s)
  • FortiGuard Antispam or Web Filtering rating lookup from a FortiClient or FortiGate unit: UDP 53 or UDP 8888
  • SNMP traps: UDP 162
  • Keepalive from a FortiClient installation: UDP 6022 and UDP 6023
  • FortiGuard Antivirus and IPS update push: UDP 9443
    The FDN sends notice that an update is available. Update downloads then occur on the standard originating ports for updates. See originating port TCP 443.
  • SSH administrative access to the CLI: TCP 22
  • Telnet administrative access to the CLI: TCP 23
  • HTTP administrative access to the web-based manager; FortiGuard Antivirus update request from a FortiClient installation: TCP 80
  • HTTPS administrative access to the web-based manager; FortiGuard Antispam, Antivirus, IPS or Web Filtering update request from a FortiGate unit: TCP 443
  • Device registration from a FortiClient installation: TCP 6020
  • FortiClient Manager clustering: TCP 6028
  • FortiGuard Antivirus or IPS update request from a FortiGate unit: TCP 8890
  • HA heartbeat or synchronization: TCP 59415

FDN Ports

FortiGate, FortiAnalyzer, and FortiManager units and FortiClient installations communicate with the Fortinet Distribution Network (FDN) to receive updates or use services.

Product(s); Functionality: Port(s)
  • FortiManager v3.0; FortiGuard Web Filtering and Antispam rating replies: Source UDP 53 (default) or UDP 8888; Destination UDP 1027 or UDP 1031
  • FortiOS v3.0; FortiGuard Web Filtering and Antispam rating lookup: Source UDP 1027 or UDP 1031; Destination UDP 53 (default) or UDP 8888
    This can be to the FDN or to a FortiManager acting as a private FDS.
  • FortiOS v3.0; FDN server list: UDP 53 (default) or UDP 8888, and UDP 1027 or UDP 1031
    See also the Knowledge Center article How do I troubleshoot performance issues when FortiGuard Web Filtering is enabled?
  • FortiOS v2.80; FortiGuard Web Filtering: UDP 8888
  • FortiOS v2.80; FortiGuard Antispam (FortiShield): UDP 8889
  • FortiOS v3.0, FortiManager v3.0; FortiGuard Antivirus and IPS update push: UDP 9443
    The FDN sends notice that an update is available. Update downloads then occur on the standard originating ports for updates. See originating port TCP 443.
  • FortiClient; FortiGuard Antivirus updates: TCP 80
  • FortiAnalyzer v3.0; Remote Vulnerability Scan (RVS) updates: TCP 443
  • FortiManager v3.0; Firmware images from FDN: TCP 443
  • FortiManager v3.0; FortiGuard Antispam or Web Filtering updates: TCP 443 or TCP 8890
  • FortiOS v3.0; FortiGuard Antivirus and IPS updates: TCP 443
    When requesting updates from a FortiManager unit instead of directly from the FDN, this port must be reconfigured as TCP 8890.
  • FortiOS v2.80; FortiGuard Antivirus updates: TCP 443
  • FortiOS v3.0; FortiGuard Analysis and Management Service: TCP 443
  • FortiOS v3.0; FortiGuard Analysis and Management Service log transmission (OFTP): TCP 514
  • FortiOS v3.0 MR6 or later; SSL management tunnel to FortiGuard Analysis and Management Service: TCP 541
  • FortiOS v3.0; FortiGuard Analysis and Management Service contract validation: TCP 10151
  • FortiOS v2.50; FortiGuard Antivirus updates: TCP 8890
1.4. Accessing and Debugging FortiGuard Services

The FortiGuard Distribution Network (FDN) is a geographically diverse network operated by Fortinet Inc. that provides FortiGuard Antivirus (AV) and FortiGuard Intrusion Prevention System (IPS) updates in addition to FortiGuard Web Filtering and FortiGuard Antispam services to the FortiGate, FortiManager, FortiLog, FortiClient and FortiMail line of products.

This document explains the components of the FortiGuard Distribution Network (FDN) and how FortiGate units and other Fortinet products connect to and interact with the FDN. This document also describes the debugging commands and diagnostic methods that can be used if a Fortinet product, such as a FortiGate unit, has problems connecting to and using FortiGuard services.

This document focuses primarily on the interaction of the FortiGate product line with the FDN. The interaction of the other products (including FortiMail, FortiClient, and FortiManager) with the FDN is very similar.

1.5. Why FortiGuard Web Filtering is Better

FortiGuard Web Filtering is a managed Web filtering solution provided by Fortinet that sorts billions of webpages into a wide range of categories. System administrators and individual users can configure licensed FortiGate units and FortiClient applications to allow, block, or monitor access to web pages according to FortiGuard categories. FortiGate units and FortiClient applications access the FortiGuard Distribution Network (FDN) to determine the category and class of a requested webpage. Depending on the response from the FDN the FortiGate unit or FortiClient application can allow, block, or monitor access to the webpage.

FortiGuard Web Filtering categorizes over 28 million websites into 76 categories and 7 classes. These 28 million websites include billions of individual webpages. The FortiGuard URL database of categorized websites is continuously updated as the Internet evolves. New websites are discovered, rated, and added to the database. Outdated websites are removed from the database. Also when websites already in the FortiGuard URL database change, ratings for these pages are reviewed and changed as required.

To make configuration simpler, users of FortiGuard services can choose to allow, block, or monitor entire groups of categories. Blocked pages are replaced with a message indicating that the page is not accessible according to your Internet usage policy.

Fortinet categorizes websites and develops the FortiGuard URL database using a combination of proprietary methods that include text analysis, exploitation of the Web structure, as well as a dedicated team of Web analysts. In addition, FortiGuard Web Filtering customers (and indeed anyone else) can go to the FortiGuard Center Web Filtering URL lookup page to submit a URL for rating. As well if you feel that a URL is rated incorrectly in the FortiGuard URL database, you can use this URL lookup page to enter a URL and request a rating change.

The FDN is a world-wide geographically diverse network operated by Fortinet Inc. that provides FortiGuard Antivirus (AV) and FortiGuard Intrusion Prevention System (IPS) updates in addition to FortiGuard Web Filtering and FortiGuard Antispam services to the FortiGate, FortiManager, FortiAnalyzer, FortiClient and FortiMail line of products.

In addition to the URL lookup page mentioned above, the FortiGuard Web Filtering pages of the Fortinet FortiGuard Center include up-to-date descriptions of FortiGuard URL database categories and classes.

1.6. Windows WMF metafile exploit update : Jan. 6, 2006

 

The official Microsoft patch has been released:
http://www.microsoft.com/technet/security/Bulletin/ms06-001.mspx

 

A zero-day Windows metafile exploit had been discovered in the wild, on Dec. 28, 2005, and an anti-virus signature included in AV Definition v6.230 had been released to detect this.

In the meantime, this exploit has gotten worse. 

New versions of the Microsoft Windows WMF exploit, using variable-length and highly polymorphic shellcode, are being used by several pieces of malware in the wild. This makes it increasingly difficult for anti-virus vendors to detect all variations. The exploit can now also be delivered using any image file extension, such as .jpg. Simply viewing a malicious web site with these embedded images is sufficient to execute the exploit.

Details of the exploit are available here:
http://secunia.com/advisories/18255/
http://isc.sans.org/diary.php?storyid=972

1.7. How to unblock a site from a blocked FortiGuard category

Description

How to allow access to a specific URL within a FortiGuard blocked category.

Components
  • All FortiGate units
Steps or Commands

If a FortiGuard category is blocked but you want users to access a specific site within that category, you can create an exemption that allows the specified site through the block. For example, you may block the news category but want a news site covering the company to remain available to employees.

To create an exemption for a specific URL

  1. Go to Web Filter > FortiGuard - Web Filter.
  2. Select Create New and configure the following:
    • Set the Type to Domain.
    • Enter the URL.
    • Select the Scope and Profile.
    • Set the Off-site URLs to Allow.
    • Set the Override duration depending how long you want users to visit the site. The maximum number of days is 364.
1.8. Are FortiGuard Web Filtering URL lookups and responses encrypted?

All FortiGate units and other Fortinet products encrypt FortiGuard Web Filtering URL lookups using a Fortinet proprietary algorithm. The responses that the FortiGuard Distribution Network (FDN) returns are also encrypted.

1.9. How many FortiGuard Web Filtering URLs can fit into the FortiGate unit memory cache?

The exact number of URLs that a FortiGate unit can store in the FortiGuard Web Filtering URL cache depends on the amount of memory allocated for the cache as well as the size of the URLs in the cache. Administrators have no control over URL size, but you can adjust the size of the cache.

By default FortiGate units set aside 2 percent of total memory for the URL cache. From the FortiOS v3.0 CLI you can use the following command to adjust percent of total memory used by the cache to between 1 and 15 percent.

config webfilter fortiguard
    set cache-mem-percent <percent_integer>
end

where <percent_integer> can be 1 to 15 percent. The default value is 2 percent.

In a typical enterprise environment with cache-mem-percent set to the default value, a FortiGate-3000 unit or FortiGate-3600 unit URL cache can contain up to 100,000 URLs. In an environment such as this, the cache hit rate is typically around 45-50%.

The number of URLs that can be cached and the hit rate is expected to increase significantly in future FortiOS v3.0 maintenance releases.

1.10. How do I troubleshoot performance issues when FortiGuard Web Filtering is enabled?

Description

I'm having performance problems with HTTP traffic when enabling FortiGuard Web Filtering. What can I check?

Components
  • FortiGuard Web Filtering or Antispam
  • FortiOS v3.0

Introduction

FortiGuard Web Filtering is enabled, and HTTP traffic is really slow. FortiGate Antispam performance can also be affected.

Troubleshooting

Enter this command from the CLI:

diag debug rating

If this returns a small number of servers (usually two), then it is likely that your ISP or an upstream security device is blocking UDP packets with low ephemeral destination ports (typically 1024-1035) to avoid a potential exploit against Microsoft Windows systems.

Some of these ports are required to receive FDN server list updates.

Solution #1

Have your ISP and/or upstream security device unblock UDP ports 1025 to 1035. Also ensure they are not blocking other TCP or UDP ports used by FortiGuard Web Filtering or Antispam. For a complete listing of ports, see FDN Services and Ports.

Solution #2

If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate unit to use higher-numbered ports, using the CLI command:

config system global
set ip-src-port-range <start port>-<end port>
end

where the <start port> and <end port> are numbers in the range of 1024 to 4999.

For example, you could configure your FortiGate unit to not use ports lower than 2048 or ports higher than 3999:

config system global
set ip-src-port-range 2048-3999
end

Why does this happen?

FortiGate units contact the FDN to get the latest list of FDN servers by sending UDP packets with typical source ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets have a destination port of 1027 or 1031.

If your ISP blocks UDP packets in this port range, the FortiGate unit cannot receive the FDN reply packets. As a result, the FortiGate unit will not receive the complete FDN server list.

Using the second solution described in this article, you can select a different source port range for the FortiGate unit to use. Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use.
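The following is an added example, not part of the Fortinet article. It models the FDN server-list and rating lookups from the table in FDN Services and Ports (source UDP 1027 or 1031, destination UDP 53 or 8888, reply with the ports swapped) against a stateless upstream filter, and shows both why dropping UDP 1024-1035 breaks the reply path and how a source-port range chosen for ip-src-port-range avoids it. The ACL rules are constructed for illustration and do not describe any particular ISP; the 1024-4999 bound is the one the article gives for the command.

```python
"""Added example, not from the Fortinet article: check FortiGuard UDP lookups
against a stateless upstream ACL and find a usable ip-src-port-range.

Port numbers come from the article's port table; ISP_ACL is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One line of a stateless ACL: matches on protocol and destination port."""
    proto: str
    dst_ports: range
    action: str  # "drop" or "accept"


# Constructed ISP filter: the article's scenario, UDP to the low ephemeral
# range dropped to blunt an old exploit against Windows hosts.
ISP_ACL = [Rule("udp", range(1024, 1036), "drop")]

# FDN destinations and default FortiGate source ports from the article.
FDN_DST_PORTS = (53, 8888)
DEFAULT_SRC_PORTS = (1027, 1031)


def acl_decision(rules, flow, default="accept"):
    """First matching rule wins; unmatched traffic takes the default action."""
    for rule in rules:
        if rule.proto == flow.proto and flow.dst_port in rule.dst_ports:
            return rule.action
    return default


def reply(flow):
    """The FDN answers with source and destination swapped, so a stateless
    filter sees the FortiGate's source port as the reply's destination."""
    return Flow(flow.proto, flow.dst_port, flow.src_port)


def flow_survives(rules, flow):
    """Both the request and its reply must pass the filter."""
    return (acl_decision(rules, flow) == "accept"
            and acl_decision(rules, reply(flow)) == "accept")


def broken_flows(rules, src_ports=DEFAULT_SRC_PORTS, dst_ports=FDN_DST_PORTS):
    """Return the FortiGate-originated lookups that can never complete."""
    return [Flow("udp", s, d) for s in src_ports for d in dst_ports
            if not flow_survives(rules, Flow("udp", s, d))]


def src_port_range_ok(rules, start, end, dst_ports=FDN_DST_PORTS):
    """True if every source port the unit may pick from [start, end] (the
    value given to 'set ip-src-port-range start-end') yields a lookup whose
    reply gets through. The article limits the range to 1024-4999."""
    if not (1024 <= start <= end <= 4999):
        raise ValueError("ip-src-port-range must lie within 1024-4999")
    return all(flow_survives(rules, Flow("udp", s, d))
               for s in range(start, end + 1) for d in dst_ports)


def suggest_src_port_range(rules, width=1000, dst_ports=FDN_DST_PORTS):
    """Lowest window of 'width' consecutive source ports inside 1024-4999
    that the filter leaves fully usable, or None if there is none. This
    replaces the article's trial and error with an exhaustive check."""
    for start in range(1024, 4999 - width + 2):
        end = start + width - 1
        if src_port_range_ok(rules, start, end, dst_ports):
            return start, end
    return None


if __name__ == "__main__":
    for f in broken_flows(ISP_ACL):
        print(f"broken: udp sport {f.src_port} -> dport {f.dst_port} (reply dropped)")
    print("2048-3999 usable:", src_port_range_ok(ISP_ACL, 2048, 3999))
    print("lowest usable 1000-port window:", suggest_src_port_range(ISP_ACL))
```

With the constructed ISP filter, all four default lookups fail on the reply leg (destination 1027 or 1031 is inside the dropped range), the article's 2048-3999 range is clean, and the lowest clean 1000-port window starts at 1036. Replace ISP_ACL with the rules you actually get from your ISP or upstream device to check a real deployment; a rule that drops UDP 8888 shows up as a request-side failure instead.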

See also

  • Things to check when connections to FortiGuard don't work
1.11. FortiOS v2.80 FortiGuard Web Filtering Technical Note

The attached FortiGuard technical note describes how to use and configure FortiGuard web filtering on your FortiGate unit running FortiOS v2.80.

1.12. Things to check when connections to FortiGuard don't work

Use these FortiGuard troubleshooting tips if updates are not occurring on your FortiGate unit.

  1. Verify that FortiGuard is enabled and available.

    • In FortiOS 2.8, go to WebFilter > Category Block.
    • In FortiOS 3.0, go to System > Maintenance > Fortiguard Center.

    The service should be enabled. The status can be either Unknown or Available. If it is Unknown, select Check status. It should then become Available.

  2. Verify that there is no upstream firewall blocking the traffic, or DNS caching.

    UDP port 53 or 8888 must be allowed. This is a common problem when the FGT is running in Transparent mode. For a complete list of ports that FDN uses, see FDN Services and Ports.

  3. Verify that you can ping guard.fortinet.net from the CLI.

    If you can't, then verify that the DNS entries in the FortiGate unit are correct.

  4. If DNS resolution is not working, use the IP address instead of the FQDN.

    Change the settings using the CLI:

    config webfilter catblock
    set status enable
    set ftgd_hostname x.x.x.x
    end

    In FortiOS 3.0 MR6 and MR7:

    config system fortiguard
        set srv-ovrd enable
        config srv-ovrd-list
            edit 1
                set ip x.x.x.x
            end
    end

    To find out which servers are actually being used, use the following diagnose commands:

    diagnose debug rating

    diagnose spamfilter fortishield servers

    Use the IP address of the FortiGuard server you are trying to connect to in the ftgd_hostname field.

For more information, see How do I troubleshoot performance issues when FortiGuard Web Filtering is enabled?.

1.13. FortiGuard AntiSpam Frequently Asked Questions

FAQ about blocking and tagging of spam email using FortiGuard AntiSpam.

1.14. Legitimate email blocked or tagged by spam filtering if DNS lookups fail

Description

If you do not change your FortiGate unit default DNS configuration, FortiGate-initiated DNS queries can fail.

DNS queries that fail can cause address resolution problems and can also cause the FortiGate unit and FortiGuard AntiSpam to identify legitimate email as spam.

Components
  • All FortiGate models
  • FortiOS version 3.0
Steps or Commands

Problem

FortiOS 3.0 on all FortiGate units includes a default DNS configuration. Most users should change this default configuration to avoid DNS lookup failures.

The default FortiGate DNS configuration assists with resolving FortiGuard Service addresses and for other DNS requirements during the installation of your FortiGate unit.

The default DNS servers are 65.39.139.53 and 65.39.139.63. In all releases of FortiOS 3.0, you can view the default DNS configuration on the FortiGate Web-based manager by going to System > Network > Options.

Symptom

There is a common issue when continuing to use default DNS servers. FortiGuard AntiSpam and spam filtering features such as HELO DNS lookup and Return e-mail DNS check use DNS queries. If DNS queries used by these features fail while analyzing an email message, the email fails a reverse DNS check, even when it should pass. As a result, the FortiGate unit identifies the email as spam when it is not spam. Email identified as spam may be tagged or discarded by the FortiGate unit.

Solution

Change the FortiGate unit DNS configuration.

Go to System > Network > Options and enter new primary and secondary DNS server IP addresses. Use the IP addresses of the DNS servers on your local network or the DNS servers recommended by your service provider.
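The following is an added example, not from the Fortinet article and not FortiOS code. It shows the failure mode the Symptom section describes in a small HELO / return-path DNS check: a naive check treats every non-answer as a failed lookup and so marks legitimate mail as spam when the resolver is unreachable, while the corrected check only fails on an authoritative NXDOMAIN and records a resolver error as "unknown", which contributes nothing to the spam score. FakeResolver, its records and the sample envelope are constructed test data; a real deployment would back lookup() with a DNS library.

```python
"""Added example, not from the Fortinet article: separate "no such name"
from "lookup failed" in HELO / return-path DNS checks, so a dead resolver
does not produce spam false positives. FakeResolver is constructed data."""
from enum import Enum


class Lookup(Enum):
    FOUND = "found"        # name resolves
    NXDOMAIN = "nxdomain"  # authoritative answer: no such name
    ERROR = "error"        # timeout, SERVFAIL, resolver unreachable


class Verdict(Enum):
    PASS = "pass"
    FAIL = "fail"
    UNKNOWN = "unknown"    # check could not be performed; scores nothing


class FakeResolver:
    """Constructed stand-in for DNS. down=True simulates the article's
    situation: every query to the configured servers fails."""
    def __init__(self, records, down=False):
        self.records = {r.lower() for r in records}
        self.down = down

    def lookup(self, name):
        if self.down:
            return Lookup.ERROR
        return Lookup.FOUND if name.lower() in self.records else Lookup.NXDOMAIN


def sender_domain(mail_from):
    """Domain of the MAIL FROM address; None for the null sender '<>'."""
    addr = mail_from.strip().strip("<>")
    if not addr or "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def naive_dns_check(resolver, name):
    """The behaviour the article warns about: any non-answer counts as a
    failed check, so a dead resolver fails every legitimate message."""
    return Verdict.PASS if resolver.lookup(name) is Lookup.FOUND else Verdict.FAIL


def dns_check(resolver, name):
    """Fail only on an authoritative NXDOMAIN; a lookup error is inconclusive."""
    result = resolver.lookup(name)
    if result is Lookup.FOUND:
        return Verdict.PASS
    if result is Lookup.NXDOMAIN:
        return Verdict.FAIL
    return Verdict.UNKNOWN


def score_message(helo, mail_from, resolver, check=dns_check, threshold=2):
    """Run the HELO and return-path checks; return (score, is_spam, details).
    One point per FAIL, nothing for UNKNOWN. The null sender has no domain
    to check (bounces legitimately use it), so that check is UNKNOWN."""
    details = {"helo": check(resolver, helo)}
    domain = sender_domain(mail_from)
    details["return_path"] = check(resolver, domain) if domain else Verdict.UNKNOWN
    score = sum(1 for v in details.values() if v is Verdict.FAIL)
    return score, score >= threshold, details


if __name__ == "__main__":
    # Constructed zone: the legitimate sender's names exist.
    healthy = FakeResolver(["mail.example.com", "example.com"])
    dead = FakeResolver(["mail.example.com", "example.com"], down=True)
    msg = ("mail.example.com", "<alice@example.com>")
    print("healthy DNS      :", score_message(*msg, healthy))
    print("dead DNS, naive  :", score_message(*msg, dead, check=naive_dns_check))
    print("dead DNS, fixed  :", score_message(*msg, dead))
```

With the resolver down, the naive check scores the legitimate message 2 and tags it as spam; the corrected check returns UNKNOWN for both lookups and scores 0. The trade-off is that a resolver outage also lets a spammer's forged names through unscored, which is why the article's fix (point the unit at working DNS servers) is the real remedy and the fail-open behaviour is only damage limitation.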

1.15. FortiGuard updates fail on download

Description

FortiGuard updates (push or scheduled) are not always successfully downloaded.

Components
  • All FortiGate units with FortiGuard Anti-Virus and IPS updates.
Steps or Commands

You may notice in the event log, entries indicating that the FortiGuard updates were not successful.

The failure occurs because there is not enough free memory to perform the update at that moment, especially under heavy traffic or when users are downloading large files.

To avoid these situations, you can do the following:

  • Disable unused services and IPS signatures to free up memory.
  • Schedule Anti-Virus and IPS updates for off-peak hours such as late evening/early morning or on weekends.

You can also downgrade to FortiOS version 3.0 MR2. Firmware images can be downloaded from http://support.fortinet.com.

See also:

  • "The system has entered conserve mode" log message explanation
  • Fine tuning IPS predefined signatures for enhanced system performance
1.16. FortiGuard Analysis and Management Service Administration Guide

FortiGuard Analysis and Management Service is a subscription-based service that provides remote management and logging and reporting capabilities for all FortiGate units. The FortiGuard Analysis and Management Service is available for FortiGate units running FortiOS 3.0 MR6 or higher.

The subscription-based service is available from the FortiGuard Analysis and Management Service portal web site, which provides a central location for configuring logging, reporting and remote management. From the FortiGuard Analysis and Management Service portal web site you can also view subscription contract information, such as daily quota and the expiry date of the service.

1.17. Fortiguard Web filtering - rate site by URL and IP address

Description

FortiGuard web filter category lookups performed by a FortiGate show the incorrect category for a web site, but when checking the site on www.fortiguardcenter.com, the rating is appropriate.

Explanation

This is expected behavior when the protection profile option "Rate sites by URL and IP address" is selected. That is, when using this option, the IP address rating takes precedence. The rating mismatch can occur for many reasons; most commonly:

  • the given web site is hosted using the same IP address as other domains (e.g., virtual hosting)
  • a web site changes hosts, and IP address changes along with it
  • the domain is hosted in a load-balanced fashion, at different sites that host multiple domains

From the FortiGate Administration Guide:

"When enabled, this option sends both the URL and the IP address of the requested site for checking, providing additional security against attempts to bypass the FortiGuard system. However, because IP rating is not updated as quickly as URL rating, some false ratings may occur. This option is disabled by default."

The FortiGuard Center site accepts requests to re-rate a given IP address, but another domain hosted at any of the listed IP addresses may then be mis-categorized instead. With this in mind, Fortinet Americas TAC recommends disabling this option and using local ratings and categories instead.

Using local ratings requires that a list of local ratings and local categories be compiled, and that any protection profile managing web filtering for internal users have the local ratings option enabled.
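The following is an added example, not from the Fortinet article and not FortiGuard data. It models the precedence rule the article states (local rating, then IP rating when "Rate sites by URL and IP address" is on, then URL rating) and uses it to list which co-hosted domains would change category if the option were enabled, which is the check to run before turning it on. The domains, the 203.0.113.0/24 documentation addresses and the category names are constructed.

```python
"""Added example, not from the Fortinet article: model URL-vs-IP rating
precedence and list the domains a shared address would mis-rate.
All ratings, hosts and addresses below are constructed."""

# Constructed ratings. 203.0.113.10 serves two virtual hosts; its IP rating
# reflects only the bad one, the situation the article's first bullet gives.
URL_RATINGS = {
    "news.example.com": "News",
    "corp.example.com": "Business",
    "junk.example.net": "Malicious",
}
IP_RATINGS = {"203.0.113.10": "Malicious", "203.0.113.20": "Business"}
HOSTING = {  # address each domain currently resolves to
    "news.example.com": "203.0.113.10",
    "junk.example.net": "203.0.113.10",
    "corp.example.com": "203.0.113.20",
}


def rate(domain, ip, rate_by_ip=False, local_ratings=None,
         url_ratings=URL_RATINGS, ip_ratings=IP_RATINGS):
    """Return (category, source). A local rating wins outright; with the
    option on, the IP rating takes precedence over the URL rating."""
    if local_ratings and domain in local_ratings:
        return local_ratings[domain], "local"
    if rate_by_ip and ip in ip_ratings:
        return ip_ratings[ip], "ip"
    return url_ratings.get(domain, "Unrated"), "url"


def affected_domains(hosting=HOSTING, url_ratings=URL_RATINGS,
                     ip_ratings=IP_RATINGS):
    """Domains whose category would change if rate_by_ip were enabled,
    mapped to (category before, category after)."""
    changes = {}
    for domain, ip in hosting.items():
        before, _ = rate(domain, ip, False, None, url_ratings, ip_ratings)
        after, _ = rate(domain, ip, True, None, url_ratings, ip_ratings)
        if before != after:
            changes[domain] = (before, after)
    return changes


def decide(category, blocked_categories):
    """Protection-profile action for a category."""
    return "block" if category in blocked_categories else "allow"


if __name__ == "__main__":
    blocked = {"Malicious"}
    for domain, (before, after) in affected_domains().items():
        print(f"{domain}: {before} -> {after} "
              f"({decide(before, blocked)} -> {decide(after, blocked)})")
    # The article's recommended fix: a local rating restores the URL category.
    print(rate("news.example.com", "203.0.113.10", rate_by_ip=True,
               local_ratings={"news.example.com": "News"}))
```

Here only news.example.com changes (News to Malicious, so from allow to block) because it shares an address with junk.example.net; corp.example.com is unaffected because its address rating agrees with its URL rating. Feeding the function your own resolved addresses and allowed sites gives the list of domains that need a local rating before the option can safely be enabled.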