FortiGuard Center

1. FortiGuard Center

Go to the Fortinet FortiGuard Center to access FortiGuard resources such as the Fortinet threat and vulnerabilities database. This database is maintained by our worldwide Threat Response Team and provides 24x7x365 coverage of the latest global threats. You can also access the following FortiGuard resources from the Fortinet Knowledge Center.

1.1. Enabling FortiGuard 30 Day Trial
When you register your FortiGate unit, you have FortiGuard services available for a 30 day trial. The articles in this section describe how to enable the antivirus and content filtering options.
1.1.1. Enabling the FortiGuard 30 Day Trial with FortiOS 2.8 MR8
Description FortiGuard 30 Day trial instructions for FortiOS 2.8 MR8
Components
  • All FortiGate units running FortiOS 2.8 MR8.
Steps or Commands

Antivirus and Intrusion Prevention updates are received automatically when you register your FortiGate unit. Use the steps below to activate antispam and web filtering services in the web-based manager.

Antispam

To enable antispam services

  1. Go to Spam Filter > FortiShield.
  2. Select Enable Service and Apply.
  3. Select Check Status to ensure the FortiGate unit can access the FortiGuard server.
  4. Enable Cache.
  5. Set the TTL (time to live) for the cache.
  6. Select Apply.
    The FortiGuard license type and expiration date appears on the configuration screen.

    You can now enable spam filtering options in the protection profile, and apply the protection profiles to firewall policies.

    Web Filtering

    To enable antispam services

    1. Select Web Filter > Category Block.
    2. Select Enable Service and Apply.
    3. Select Check Status to ensure the FortiGate unit can access the FortiGuard server.
    4. Enable Cache.
    5. Set the TTL (time to live) for the cache.
    6. Select Apply.
      The FortiGuard license type and expiration date appears on the configuration screen.

    You can now enable category blocking and configure categories in the protection profile and apply the protection profiles to firewall policies.

1.1.2. Enabling the FortiGuard 30 Day Trial with FortiOS 2.8 MR12
Description FortiGuard 30 Day trial instructions for FortiOS 2.8 MR12
Components
  • All FortiGate units running FortiOS 2.8 MR12.
Steps or Commands

Antivirus and Intrusion Prevention updates are received automatically when you register your FortiGate unit. Use the steps below to activate antispam and web filtering services in the web-based manager.

Antispam

To enable antispam services

  1. Go to Spam Filter > FortiGuard - AntiSpam.
  2. Select Enable Service and Apply.
  3. Select Check Status to ensure the FortiGate unit can access the FortiGuard server.
  4. Enable Cache.
  5. Set the TTL (time to live) for the cache.
  6. Select Apply.
    The FortiGuard license type and expiration date appears on the configuration screen.

    You can now enable spam filtering options in the protection profile, and apply the protection profiles to firewall policies.

    Web Filtering

    To enable antispam services

    1. Select Web Filter > Category Block.
    2. Select Enable Service and Apply.
    3. Select Check Status to ensure the FortiGate unit can access the FortiGuard server.
    4. Enable Cache.
    5. Set the TTL (time to live) for the cache.
    6. Select Apply.
      The FortiGuard license type and expiration date appears on the configuration screen.

    You can now enable category blocking and configure categories in the protection profile and apply the protection profiles to firewall policies.

1.1.3. Enabling the FortiGuard 30 Day Trial with FortiOS 3.0
Description FortiGuard 30 Day trial instructions for FortiOS 3.0
Components
  • All FortiGate units running FortiOS 3.0.
Steps or Commands

Antivirus and Intrusion Prevention updates are received automatically when you register your FortiGate unit. Use the steps below to activate antispam and web filtering services in the web-based manager.

For more information about enabling the following options and other FortiGuard services, see the FortiGate Administration Guide.

To enable antispam and web services

  1. Go to System > Maintenance > FortiGuard.
  2. Select the blue arrow beside Web Filtering and AntiSpam Options to reveal the available options. 
  3. Select the check box beside Enable Web Filter.
  4. Select the check box beside Enable Cache.
  5. If required a different number for TTL (time to live in seconds), enter the new number in the TTL field.
  6. Select the check box beside Enable AntiSpam.
  7. Select the check box beside Enable Cache.
  8. If required a different number for TTL (time to live in seconds), enter the new number in the TTL field.
  9. If you require an alternate port, select User Alternate Port (8888).
  10. Select Test Availability to test the connection of the servers.

    You can now enable spam filtering options in the protection profile, and apply the protection profiles to firewall policies.

1.2. About the FortiGuard Center

The Fortinet's FortiGuard Center is where you can find online resources and a timely threat and vulnerabilities database maintained by Fortinet's worldwide Threat Response Team providing 24x7x365 coverage of global threats. The FortiGuard Center is available at http://www.fortiguardcenter.com/.

FortiProtect Center is now FortiGuard Center

In case you were wondering, yes it's true the FortiProtect Center is now the FortiGuard Center. Feel free to browse among the fancy features such as the "Virus Radar" page, or take advantage of the "Online Virus Scanner" page.

The FortiGuard Center includes the following features:

Antivirus - Virus Radar

  • Live data from our FDS server statistics showing the most common virus threats in the last 24 hours, 7 days, and 30 days. Data is updated daily.
  • Virus world map

Antivirus - Online Virus Scanner

  • Allows customers to upload/submit files directly to Fortinet
  • Gives customer an instant feedback as to whether we detect a certain virus

Antivirus - alphabetized encyclopedia

  • for easy virus information search

Antivirus - EICAR Test

  • This lets customers test their antivirus defenses for both HTTP and FTP using standard EICAR file.

IPS - Fortinet Security Advisories

  • Provides customers security information of a time critical nature. Advisories contain information about vulnerabilities discovered by Fortinet security research team.

Web Filtering - URL Lookup

  • Quick query the Fortiguard URL database for a given URL category rating.

Web Filtering - URL Categories and Classes

  • For easy customer reference the breakdown of different categories and their descriptions.

AntiSpam - spam and false positive submission

1.3. FDN Services and Ports

Description

This article lists:

Traffic varies by enabled options and configured ports. Only default ports are listed.

This information is also available in diagram format at the end of this article, and as a downloadable PDF.

For similar information about FortiMail, see FortiMail Traffic Types and TCP/UDP Ports

Components

  • FortiOS v3.0, v2.80, and v2.50
  • FortiClient v2.x, v3.0
  • FortiManager v3.0
  • FortiAnalyzer v3.0
  • Fortinet Distribution Network (FDN)

Originating Traffic

 

FortiGate

 

Functionality Port(s)
DNS lookup; RBL lookup UDP 53
FortiGuard Antispam or Web Filtering rating lookup UDP 53 or UDP 8888
FDN server list
Source and destination port numbers vary by originating or reply traffic. See also the Knowledge Center article How do I troubleshoot performance issues when FortiGuard Web Filtering is enabled?
UDP 53 (default) or UDP 8888, and UDP 1027 or UDP 1031
NTP synchronization UDP 123
SNMP traps UDP 162
Syslog
All FortiOS versions can use syslog to send log messages to remote syslog servers. FortiOS v2.80 and v3.0 can also view logs stored remotely on a FortiAnalyzer unit. See originating port TCP 514.
UDP 514
Configuration backup to FortiManager unit or FortiGuard Analysis and Management Service TCP 22
SMTP alert email; encrypted virus sample auto-submit TCP 25
LDAP or PKI authentication TCP 389 or TCP 636
FortiGuard Antivirus or IPS update
When requesting updates from a FortiManager unit instead of directly from the FDN, this port must be reconfigured as TCP 8890.
TCP 443
FortiGuard Analysis and Management Service TCP 443
FortiGuard Analysis and Management Service log transmission (OFTP) TCP 514
SSL management tunnel to FortiGuard Analysis and Management Service (FortiOS v3.0 MR6 or later) TCP 541
FortiGuard Analysis and Management Service contract validation TCP 10151
Quarantine, remote access to logs & reports on a FortiAnalyzer unit, device registration with FortiAnalyzer units (OFTP) TCP 514
RADIUS authentication TCP 1812

 

FortiAnalyzer

 

Functionality Port(s)
DNS lookup UDP 53
NTP synchronization UDP 123
Windows share UDP 137-138
SNMP traps UDP 162
Syslog; log forwarding UDP 514
Log & report upload TCP 21 or TCP 22
SMTP alert email TCP 25
User name LDAP queries for reports TCP 389 or TCP 636
RVS update TCP 443
RADIUS authentication TCP 1812
Log aggregation client TCP 3000

 

FortiManager

 

Functionality Port(s)
DNS lookup UDP 53
NTP synchronization UDP 123
SNMP traps UDP 162
Syslog UDP 514
Remote management of a FortiGate unit TCP 22 and TCP 443
Remote management of a FortiAnalyzer unit (OFTP and web services) TCP 443 and TCP 514 and TCP 8080
Firmware image downloads; FortiGuard Antivirus, Antispam, IPS and Web Filtering updates TCP 443
RADIUS authentication TCP 1812
FortiClient Manager clustering TCP 6028

 

FortiClient

 

Functionality Port(s)
Syslog UDP 514
Keepalive with FortiManager units UDP 6022 and UDP 6023
FortiGuard Antispam or Web Filtering rating lookup UDP 8888
FortiGuard Antivirus updates TCP 80
Device registration with FortiManager units TCP 6020
VPN settings from a FortiGate unit
FortiOS v3.0 can distribute VPN settings to FortiClients that provide a valid login. See the FortiGate CLI command config vpn ipsec forticlient.
TCP 8900

Receivable Traffic

(Listening Ports)

 

FortiGate

 

When operating in the default configuration, FortiGate units do not accept TCP or UDP connections on any port except the default internal interface, which accepts HTTPS connections on TCP port 443.

See also the Knowledge Center article Making your FortiGate unit completely invisible to probes.

Functionality Port(s)
FortiGuard Antivirus and IPS update push
The FDN sends notice that an update is available. Update downloads then occur on standard originating ports for updates. See originating port TCP 443.
UDP 9443
SSH administrative access to the CLI; remote management from a FortiManager unit TCP 22
Telnet administrative access to the CLI; HA synchronization (FGCP L2)
Changing the telnet administrative access port number also changes the HA synchronization port number.
TCP 23
HTTP administrative access to the web-based manager TCP 80
HTTPS administrative access to the web-based manager; remote management from a FortiManager unit; user authentication for policy override TCP 443
SSL management tunnel from FortiGuard Analysis and Management Service (FortiOS v3.0 MR6 or later) TCP 541
HA heartbeat (FGCP L2)
FortiOS v2.8 used TCP 702.
TCP 703
User authentication keepalive and logout for policy override (default value of port for HTTP traffic)
Beginning with FortiOS v3.0 MR2, by default, this port is closed until enabled by the auth-keepalive command.
TCP 1000
User authentication keepalive and logout for policy override (default value of port for HTTPS traffic)
Beginning with FortiOS v3.0 MR2, by default, this port is closed until enabled by the auth-keepalive command.
TCP 1003
HTTP or HTTPS administrative access to the web-based manager's CLI dashboard widget (v3.0 MR5 only)
Protocol used will match the protocol used by the administrator when logging in to the web-based manager.
TCP 2302
Windows Active Directory (AD) Collector Agent TCP 8000
User authentication for policy override of HTTP traffic TCP 8008
FortiClient download portal
This feature is available on FortiGate-1000A, FortiGate-3600A, and FortiGate-5005FA2 only.
TCP 8009
User authentication for policy override of HTTPS traffic TCP 8010
VPN settings distribution to authenticated FortiClient installations
See originating port TCP 8900.
TCP 8900
SSL VPN TCP 10443
HA ETH 8890 (Layer 2)

 

FortiAnalyzer

 

Functionality Port(s)
Windows share UDP 137-139 and TCP 445
Syslog UDP 514
SSH administrative access to the CLI TCP 22
Telnet administrative access to the CLI TCP 23
HTTP administrative access to the web-based manager TCP 80
HTTPS administrative access to the web-based manager; remote management from a FortiManager unit TCP 443
Device registration of FortiGate or FortiManager units; remote access to quarantine, logs & reports from a FortiGate unit; remote management from a FortiManager unit (configuration retrieval)(OFTP) TCP 514
NFS share TCP 2049
HTTP or HTTPS administrative access to the web-based manager's CLI dashboard widget (v3.0 MR5 only)
Protocol used will match the protocol used by the administrator when logging in to the web-based manager.
TCP 2302
Log aggregation server
Log aggregation server support requires model FortiAnalyzer-800 or greater.
TCP 3000
Remote management from a FortiManager unit (configuration installation) TCP 8080

 

FortiManager

 

Functionality Port(s)
FortiGuard Antispam or Web Filtering rating lookup from a FortiClient or FortiGate unit UDP 53 or 8888
SNMP traps UDP 162
Keepalive from a FortiClient installation UDP 6022 and UDP 6023
FortiGuard Antivirus and IPS update push
The FDN sends notice that an update is available. Update downloads then occur on standard originating ports for updates. See originating port TCP 443.
UDP 9443
SSH administrative access to the CLI TCP 22
Telnet administrative access to the CLI TCP 23
HTTP administrative access to the web-based manager; FortiGuard Antivirus update request from a FortiClient installation TCP 80
HTTPS administrative access to the web-based manager; FortiGuard Antispam, Antivirus, IPS or Web Filtering update request from a FortiGate unit TCP 443
Device registration from a FortiClient installation TCP 6020
FortiClient Manager clustering TCP 6028
FortiGuard Antivirus or IPS update request from a FortiGate unit TCP 8890
HA heartbeat or synchronization TCP 59415

FDN Ports

FortiGate, FortiAnalyzer, and FortiManager units and FortiClient installations communicate with the Fortinet Distribution Network (FDN) to receive updates or use services.

Product(s) Functionality Port(s)
FortiManager v3.0 FortiGuard Web Filtering and Antispam rating replies Source: UDP 53 (default) or UDP 8888
Destination: UDP 1027 or UDP 1031
FortiOS v3.0 FortiGuard Web Filtering and Antispam rating lookup
This can be to the FDN or to a FortiManager acting as a private FDS.
Source: UDP 1027 or 1031
Destination: UDP 53 (default) or UDP 8888
FortiOS v3.0 FDN server list
See also the Knowledge Center article How do I troubleshoot performance issues when FortiGuard Web Filtering is enabled?
UDP 53 (default) or UDP 8888, and UDP 1027 or UDP 1031
FortiOS v2.80 FortiGuard Web Filtering UDP 8888
FortiOS v2.80 FortiGuard Antispam (FortiShield) UDP 8889
FortiOS v3.0, FortiManager v3.0 FortiGuard Antivirus and IPS update push
The FDN sends notice that an update is available. Update downloads then occur on standard originating ports for updates. See originating port TCP 443.
UDP 9443
FortiClient FortiGuard Antivirus updates TCP 80
FortiAnalyzer v3.0 Remote Vulnerability Scan (RVS) updates TCP 443
FortiManager v3.0 Firmware images from FDN TCP 443
FortiManager v3.0 FortiGuard Antispam or Web Filtering updates TCP 443 or TCP 8890
FortiOS v3.0 FortiGuard Antivirus and IPS updates
When requesting updates from a FortiManager unit instead of directly from the FDN, this port must be reconfigured as TCP 8890.
TCP 443
FortiOS v2.80 FortiGuard Antivirus updates TCP 443
FortiOS v3.0 FortiGuard Analysis and Management Service TCP 443
FortiOS v3.0 FortiGuard Analysis and Management Service log transmission (OFTP) TCP 514
FortiOS v3.0 MR6 or later SSL management tunnel to FortiGuard Analysis and Management Service TCP 541
FortiOS v3.0 FortiGuard Analysis and Management Service contract validation TCP 10151
FortiOS v2.50 FortiGuard Antivirus updates TCP 8890

1.4. Accessing and Debugging FortiGuard Services

The FortiGuard Distribution Network (FDN) is a geographically diverse network operated by Fortinet Inc. that provides FortiGuard Antivirus (AV) and FortiGuard Intrusion Prevention System (IPS) updates in addition to FortiGuard Web Filtering and FortiGuard Antispam services to the FortiGate, FortiManager, FortiLog, FortiClient and FortiMail line of products.

This document explains the components of the FortiGuard Distribution Network (FDN) and how FortiGate units and other Fortinet products connect to and interact with the FDN. This document also describes the debugging commands and diagnostic methods that can be used if a Fortinet product, such as a FortiGate unit, has problems connecting to and using FortiGuard services.

This document primarily focuses on the interaction of the FortiGate product line with the FDN. The interaction of the FDN with the other products (including FortiMail, FortiClient, and FortiManager is very similar).

1.5. Why FortiGuard Web Filtering is Better

FortiGuard Web Filtering is a managed Web filtering solution provided by Fortinet that sorts billions of webpages into a wide range of categories. System administrators and individual users can configure licensed FortiGate units and FortiClient applications to allow, block, or monitor access to web pages according to FortiGuard categories. FortiGate units and FortiClient applications access the FortiGuard Distribution Network (FDN) to determine the category and class of a requested webpage. Depending on the response from the FDN the FortiGate unit or FortiClient application can allow, block, or monitor access to the webpage.

FortiGuard Web Filtering categorizes over 28 million websites into 76 categories and 7 classes. These 28 million websites include billions of individual webpages. The FortiGuard URL database of categorized websites is continuously updated as the Internet evolves. New websites are discovered, rated, and added to the database. Outdated websites are removed from the database. Also when websites already in the FortiGuard URL database change, ratings for these pages are reviewed and changed as required.

To make configuration simpler, users of FortiGuard services can choose to allow, block, or monitor entire groups of categories. Blocked pages are replaced with a message indicating that the page is not accessible according to your Internet usage policy.

Fortinet categorizes websites and develops the FortiGuard URL database using a combination of proprietary methods that include text analysis, exploitation of the Web structure, as well as a dedicated team of Web analysts. In addition, FortiGuard Web Filtering customers (and indeed anyone else) can go to the FortiGuard Center Web Filtering URL lookup page to submit a URL for rating. As well if you feel that a URL is rated incorrectly in the FortiGuard URL database, you can use this URL lookup page to enter a URL and request a rating change.

The FDN is a world-wide geographically diverse network operated by Fortinet Inc. that provides FortiGuard Antivirus (AV) and FortiGuard Intrusion Prevention System (IPS) updates in addition to FortiGuard Web Filtering and FortiGuard Antispam services to the FortiGate, FortiManager, FortiAnalyzer, FortiClient and FortiMail line of products.

In addition to the URL lookup page mentioned above, the FortiGuard Web Filtering pages of the Fortinet FortiGuard Center include up-to-date descriptions of FortiGuard URL database categories and classes.

1.6. Windows WMF metafile exploit update : Jan. 6, 2006

 

The official Microsoft patch has been released:
http://www.microsoft.com/technet/security/Bulletin/ms06-001.mspx

 

A zero-day Windows metafile exploit had been discovered in the wild, on Dec. 28, 2005, and an anti-virus signature included in AV Definition v6.230 had been released to detect this.

In the meantime, this exploit has gotten worse. 

New versions of the Microsoft Windows WMF exploit using variable length and highly polymorphic shellcode, are being used by several malware in the wild. This makes it increasingly more difficult for anti-virus vendors to detect all variations.  The exploit can now also be delivered using any type of image extension, such as .jpg , for example.   Simply viewing a malicious web site with these embeded images is sufficient to execute the exploit.

Details of the exploit are available here:
http://secunia.com/advisories/18255/
http://isc.sans.org/diary.php?storyid=972

1.7. How to unblock a site from a blocked FortiGuard category

Description

How to allow access to a specific URL within a FortiGuard blocked category.
Components
  • All FortiGate units
Steps or Commands

If you have a FortiGuard category blocked, but you want users to access a specific site, within the category, it is possible to create an exemption that will allow a specified site to pass the block. For example, if you have news sites but you want a site regarding the company to be shared with employees.

To create an exemption for a specific URL

  1. Go to Web Filter > FortiGuard - Web Filter.
  2. Select Create New and configure the following:
    • Set the Type to Domain.
    • Enter the URL.
    • Select the Scope and Profile.
    • Set the Off-site URLs to Allow.
    • Set the Override duration depending how long you want users to visit the site. The maximum number of days is 364.
1.8. Are FortiGuard Web Filtering URL lookups and responses encrypted?
All FortiGate units and other Fortinet products encrypt FortiGuard Web Filtering URL lookups using a Fortinet proprietary algorithm. The responses that the FortiGuard Distribution Network (FDN) returns are also encrypted.
1.9. How many FortiGuard Web Filtering URLs can fit into the FortiGate unit memory cache?

The exact number of URLs that a FortiGate unit can store in the FortiGuard Web Filtering URL cache depends on the amount of memory allocated for the cache as well as the size of the URLs in the cache. Administrators have no control over URL size, but you can adjust the size of the cache.

By default FortiGate units set aside 2 percent of total memory for the URL cache. From the FortiOS v3.0 CLI you can use the following command to adjust percent of total memory used by the cache to between 1 and 15 percent.

config webfilter fortiguard
    set cache-mem-percent <percent_integer>
end

where <percent_integer> can be 1 to 15 percent. The default value is 2 percent.

In a typical enterprise environment with cache-mem-percent set to the default value, a FortiGate-3000 unit or FortiGate-3600 unit URL cache can contain up to 100,000 URLs. In an environment such as this, the cache hit rate is typically around 45-50%.

The number of URLs that can be cached and the hit rate is expected to increase significantly in future FortiOS v3.0 maintenance releases.

1.10. How do I troubleshoot performance issues when FortiGuard Web Filtering is enabled?
Description I'm having performance problems with HTTP traffic when enabling FortiGuard Web Filtering. What can I check?
Components
  • FortiGuard Web Filtering or Antispam
  • FortiOS v3.0
Introduction FortiGuard Web Filtering is enabled, and HTTP traffic is really slow. FortiGate Antispam performance can also be affected.
Troubleshooting

Enter this command from the CLI:

diag debug rating

If this returns a small number of servers (usually two), then it is likely that your ISP or an upstream security device is blocking UDP packets with low ephemeral destination ports (typically 1024-1035) to avoid a potential exploit against Microsoft Windows systems.

Some of these ports are required to receive FDN server lists updates.

Solution #1

Have your ISP and/or upstream security device unblock UDP ports 1025 to 1035. Also ensure they are not blocking other TCP or UDP ports used by FortiGuard Web Filtering or Antispam. For a complete listing of ports, see FDN Services and Ports.

Solution #2

If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate unit to use higher-numbered ports, using the CLI command:

config system global
set ip-src-port-range <start port>-<end port>
end

where the <start port> and <end port> are numbers in the range of 1024 to 4999.

For example, you could configure your FortiGate unit to not use ports lower than 2048 or ports higher than 3999:

config system global
set ip-src-port-range 2048-3999
end

Why does this happen?

FortiGate units contact the FDN to get the latest list of FDN servers by sending UDP packets with typical source ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets have a destination port of 1027 or 1031.

If your ISP blocks UDP packets in this port range, the FortiGate unit cannot receive the FDN reply packets. As a result, the FortiGate unit will not receive the complete FDN server list.

Using the second solution described in this article, you can select a different source port range for the FortiGate unit to use. Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use.

See also

1.11. FortiOS v2.80 FortiGuard Web Filtering Technical Note
The attached FortiGuard technical note describes how to use and configure FortiGuard web filtering on your FortiGate unit running FortiOS v2.80.
1.12. Things to check when connections to FortiGuard don't work

Use these FortiGuard troubleshooting tips if updates are not occurring on your FortiGate unit.

  1. Verify that FortiGuard is enabled and available.

    • In FortiOS 2.8, go to WebFilter > Category Block.
    • In FortiOS 3.0, go to System > Maintenance > Fortiguard Center.

    The service should be enabled. The status can be either Unknown or Available. If it is Unknown, select Check status. It should then become Available.

  2. Verify that there is no upstream firewall blocking the traffic, or DNS caching.

    UDP port 53 or 8888 must be allowed. This is a common problem when the FGT is running in Transparent mode. For a complete list of ports that FDN uses, see FDN Services and Ports.

  3. Verify that you can ping guard.fortinet.net from the CLI.

    If you can't, then verify that the DNS entries in the FortiGate unit are correct.

  4. If DNS resolution is not working, use the IP address instead of the FQDN.

    Change the settings using the CLI:

    config webfilter catblock
    set status enable
    set ftgd_hostname x.x.x.x
    end

    In FortiOS 3.0 MR6 and MR7:

    config system fortiguard
    set srv-ovrd enable
    config srv-ovrd-list
    edit 1
    set ip x.x.x.x
    end end

    To find out which servers are actually being used, use the following diagnose commands:

    diagnose debug rating

    diagnose spamfilter fortishield servers

    Use the IP address of the FortiGuard server you are trying to connect to in the ftgd_hostname field.

For more information, see How do I troubleshoot performance issues when FortiGuard Web Filtering is enabled?.

1.13. FortiGuard AntiSpam Frequently Asked Questions
FAQ about blocking and tagging of spam email using FortiGuard AntiSpam.
1.14. Legitimate email blocked or tagged by spam filtering if DNS lookups fail
Description

If you do not change your FortiGate unit default DNS configuration, FortiGate-initiated DNS queries can fail.

DNS queries that fail can cause address resolution problems and can also cause the FortiGate unit and FortiGuard AntiSpam to identify legitimate email as spam.

Components
  • All FortiGate models
  • FortiOS version 3.0
Steps or Commands

Problem

FortiOS 3.0 on all FortiGate units includes a default DNS configuration. Most users should change this default configuration to avoid DNS lookup failures.

The default FortiGate DNS configuration assists with resolving FortiGuard Service addresses and for other DNS requirements during the installation of your FortiGate unit.

The default DNS servers are 65.39.139.53 and 65.39.139.63. In all releases of FortiOS 3.0, you can view the default DNS configuration on the FortiGate Web-based manager by going to System > Network > Options.

Symptom

There is a common issue when continuing to use default DNS servers. FortiGuard AntiSpam and spam filtering features such as HELO DNS lookup and Return e-mail DNS check use DNS queries. If DNS queries used by these features fail while analyzing an email message, the email fails a reverse DNS check, even when it should pass. As a result, the FortiGate unit identifies the email as spam when it is not spam. Email identified as spam may be tagged or discarded by the FortiGate unit.

Solution

Change the FortiGate unit DNS configuration.

Go System > Network > Options and enter new primary and secondary DNS server IP addresses. Use the IP addresses of the DNS servers on your local network or the DNS servers recommended by your service provider.

1.15. FortiGuard updates fail on download
Description FortiGuard updates (push or scheduled) are not always successfully downloaded.
Components
  • All FortiGate units with FortiGuard Anti-Virus and IPS updates.
Steps or Commands

You may notice in the event log, entries indicating that the FortiGuard updates were not successful.

The reason of the failure is there is not enough free memory to perform the updates at that very moment, especially if there is heavy traffic, or users are download big files.

To avoid these situations, you can do the following:

1.16. FortiGuard Analysis and Management Service Administration Guide

FortiGuard Analysis and Management Service is a subscription-based service that provides remote management and logging and reporting capabilities for all FortiGate units. The FortiGuard Analysis and Management Service is available for FortiGate units running FortiOS 3.0 MR6 or higher.

The subscription-based service is available from the FortiGuard Analysis and Management Service portal web site, which provides a central location for configuring logging, reporting and remote management. From the FortiGuard Analysis and Management Service portal web site you can also view subscription contract information, such as daily quota and the expiry date of the service.

1.17. Fortiguard Web filtering - rate site by URL and IP address
Description Fortiguard web filter category lookups performed by a FortiGate show the incorrect category for a web site, but when examining www.fortiguardcenter.com, the rating is appropriate.
Explanation

This is expected behavior when the protection profile option "Rate sites by URL and IP address" is selected. That is, when using this option, the IP address rating takes precedence. The rating mismatch can occur for many reasons; most commonly:

  • the given web site is hosted using the same IP address as other domains (e.g., virtual hosting)
  • a web site changes hosts, and IP address changes along with it
  • the domain is hosted in a load-balanced fashion, at different sites that host multiple domains

From the FortiGate Administration Guide:

"When enabled, this option sends both the URL and the IP address of the requested site for checking, providing additional security against attempts to bypass the FortiGuard system. However, because IP rating is not updated as quickly as URL rating, some false ratings may occur. This option is disabled by default."

The Fortiguard Center site, accepts requests to re-rate a given IP address, but the problem may arise that another domain hosted at any of the IP addresses listed will now be mis-categorized. With this in mind, Fortinet Americas TAC recommends disabling this option and using local ratings and categories instead.

This option requires that a list of local ratings and local categories be compiled and that any protection profile managing web filtering for internal users have this option enabled.

阅读更多
个人分类: 防火墙
想对作者说点什么? 我来说一句

飞塔防火墙配置

2013年10月16日 112KB 下载

没有更多推荐了,返回首页

加入CSDN,享受更精准的内容推荐,与500万程序员共同成长!
关闭
关闭