Yuri Slobodyanyuk Blog on Information Security, 12 September 2024
Failed to connect to Fortiguard servers
Summary: this article describes how a client's Fortigate suddenly refused to do web/spam filtering because it failed to connect to the FortiGuard servers, and how the author tracked down and fixed the problem.

FortiGuard is a subscription-based service: the client's Fortigate has to connect to the FortiGuard servers periodically to get the advanced features and the updates. When a connection problem appears, the cause is usually either server reachability or a configuration error.

The author found that the FortiGuard server connection status was "Failed to connect", and further investigation pointed to a wrong server hardcoded in the configuration. The configuration was inspected and corrected with the relevant commands.

The article also provides some useful debug commands for the topic, such as viewing the real-time list of FortiGuard servers the firewall tries to connect to, and the server lists for the web filtering and antispam services.

Note: This post was written for FortiOS versions 2.8 and 3.x, so some commands have changed since; for updated debug steps please read "Failed to connect to Fortiguard servers verification and debug updated".

Today I encountered an otherwise easy-to-diagnose misconfiguration, only that Fortinet decided to 'hide' the relevant parameter deep enough.

NOTE: FortiGuard is a subscription-based service: your Fortigate unit periodically connects to the Fortinet servers (collectively named FortiGuard servers) to get the information that enables advanced features such as URL filtering by category/rating, and the Fortigate also downloads all its updates (IPS, Application Control and Antivirus signatures) from them.

Problem: suddenly the client's Fortigate refused to do web/spam filtering while having a valid contract subscription. The reason was obvious, as in System -> Maintenance -> FortiGuard the status was "Failed to connect" (or something of the kind, I don't recall it exactly). On the same page there is a nice button "Test Availability", and pushing it brought the error "Connection failed. Check firewall routing table".
In most cases it is either a reachability issue to the FortiGuard servers or the Fortigate is trying to update against the wrong server.
Pinging successfully from the firewall with exe ping service.fortiguard.net (the FQDN to use for the FortiGuard servers) left me with the second option: a wrong FortiGuard server hardcoded somewhere in the configuration. Running

        FG100 # show system fortiguard

gave only this:

        config system fortiguard
            set antispam-cache disable
            set webfilter-cache disable
        end

And only running

        FG100 # get system fortiguard

gave the needed answer:

        hostname              : 66.92.33.1
        srv-ovrd              : disable
        port                  : 53
        client-override-status: disable

Keep in mind that show prints only the settings it considers changed from their defaults, while get prints the current value of every attribute, so when a setting seems to be missing, check it with get.

To fix this I entered:

        FG100 # config system fortiguard
        FG100 (fortiguard) # set ?
        hostname    hostname or IP of the FortiGuard server
        FG100 (fortiguard) # set hostname service.fortiguard.net
        FG100 (fortiguard) # end

FortiOS 3.x and later uses service.fortiguard.net, and using it is Fortinet's recommendation; FortiOS 2.80 used guard.fortinet.net for web filtering and antispam.fortigate.com for antispam filtering. Nevertheless, setting guard.fortinet.net in FortiOS 3 works as well (after all, they are CNAMEd).

And while we are on it, here are a few useful debug commands for the topic:
- To see the real-time list of servers to which the firewall tries to connect for the FortiGuard service, together with the license state and the configured hostname:

        FG200 # diagnose debug rating

        Locale       : english
        License      : Contract
        Expiration   : Fri Jun 17 02:00:00 2010
        Hostname     : guard.fortinet.net
        -=- Server List (Wed Jun 19 08:12:58 2009) -=-
        IP                  Weight Round-time  TZ    Packets  Curr Lost Total Lost
        212.95.252.121           0         85   0     521863          0        113
        212.95.252.120           0         89   0       4625          0          5
        82.71.226.65             0         97   0       2140          0         34
        62.209.40.73            10        105   1       2060          0          0
        62.209.40.72            10        103   1       2060          0          0
        66.117.56.37            50        158  -5       2060          0          0
        69.20.236.180           50        191  -5       2060          0          0
        69.20.236.179           50        185  -5       2060          0          0
        66.117.56.42            50        164  -5       2061          0          1
        72.52.72.243            80        245  -8       2063          0          3
        116.58.208.39           80        371  -8       2081          0         21
        208.91.112.194          80        233  -8       2075          0         12
        216.156.209.26          80        239  -8       2068          0          7
        121.111.236.179         90        354   9       2061          0          1
        121.111.236.180         90        366   9       2064          0          4

The output continues with the individual rating lookups as they happen (requested URL, category found and the policy verdict):

        FG200 #
        id=93000 pid=50 main-696 in main.c received pkt:count=197, a=/tmp/.thttp.socket/21
        id=22009 received a request /tmp/.thttp.socket, addr_len=21: d=www.cnn.com:80, url=/a7Admin/SelectImage.aspx?end=document.f.largeimage.value&preview=document.getElementById('oImg2')&w=319&h=215, id=913659, vfid=0, type=0, client=192.168.7.238
        id=93000 msg="found it in cache"
        id=93003 user="N/A" src=192.168.7.238 sport=4796 dst=157.166.224.25 dport=80 service=http cat=36 cat_desc="News and Media" hostname=www.cnn.com url=/a7Admin/SelectImage.aspx?end=document.f.largeimage.value&preview=document.getElementById('oImg2')&w=319&h=215 status=passthrough msg="URL belongs to an allowed category in the policy"
        id=93000 pid=50 main-696 in main.c received pkt:count=255, a=/tmp/.thttp.socket/21
        id=22009 received a request /tmp/.thttp.socket, addr_len=21: d=b.mail.google.com:80, url=/mail/channel/bind?VER=6&it=460207&at=xn3j2v04hx65iz3ypmmyzptrbkimsf&RID=rpc&SID=57A1C77D6AAC35B0&CI=1&AID=347&TYPE=html&zx=8i5clc-olem8j&DOMAIN=mail.google.com&t=1, id=900542, vfid=0, type=0, client=192.168.7.56
        id=93003 user="N/A" src=192.168.7.56 sport=4280 dst=74.125.39.189 dport=80 service=http cat=23 cat_desc="Web-based Email" hostname=b.mail.google.com url=/mail/channel/bind?VER=6&it=460207&at=xn3j2v04hx65iz3ypmmyzptrbkimsf&RID=rpc&SID=57A1C77D6AAC35B0&CI=1&AID=347&TYPE=html&zx=8i5clc-olem8j&DOMAIN=mail.google.com&t=1 status=passthrough msg="URL belongs to an allowed category in the policy"
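As an added example (not code from the post and not from Fortinet), the Python script below parses the two CLI outputs discussed above, get system fortiguard and diagnose debug rating, and flags the conditions this post is about: a hostname hardcoded to something other than the FortiGuard FQDNs, a non-Contract or expired license, an empty server list (what a unit that never reached FortiGuard shows) and servers with noticeable packet loss. It also picks the server the unit would prefer under the assumption that lowest weight, then lowest round-trip time, wins. The function names, the 1% loss threshold and that selection rule are this example's own assumptions; both sample outputs are constructed from the ones printed in the post, so the script runs offline (feed it the real output captured over SSH to audit more than one unit).

```python
"""FortiGuard connectivity triage over FortiOS 2.8/3.x CLI output.

Added example, not code from the original post or from Fortinet: parses
`get system fortiguard` and `diagnose debug rating` output and reports the
failure modes the post describes. Function names, LOSS_THRESHOLD and the
server-preference rule are assumptions; sample text is constructed from the post.
"""
import re
from datetime import datetime

# FQDNs the post names as valid rating-service hostnames (FortiOS 3.x and 2.80).
KNOWN_FORTIGUARD_HOSTS = {"service.fortiguard.net", "guard.fortinet.net"}
LOSS_THRESHOLD = 0.01  # assumed: warn above 1% lifetime loss of rating packets
SAMPLE_LIST_DATE = datetime(2009, 6, 19)  # date printed in the sample server list

# Constructed from the post: the misconfigured unit, hostname replaced by an IP.
SAMPLE_GET_SYSTEM_FORTIGUARD = """\
hostname            : 66.92.33.1
srv-ovrd            : disable
port                : 53
client-override-status: disable
"""

# Constructed from the post's `diagnose debug rating` output (table trimmed to 6 rows).
SAMPLE_DIAG_DEBUG_RATING = """\
Locale       : english
License      : Contract
Expiration   : Fri Jun 17 02:00:00 2010
Hostname     : guard.fortinet.net
-=- Server List (Wed Jun 19 08:12:58 2009) -=-
IP                  Weight Round-time  TZ    Packets  Curr Lost Total Lost
212.95.252.121           0         85   0     521863          0        113
212.95.252.120           0         89   0       4625          0          5
82.71.226.65             0         97   0       2140          0         34
62.209.40.73            10        105   1       2060          0          0
116.58.208.39           80        371  -8       2081          0         21
121.111.236.180         90        366   9       2064          0          4
FG200 # id=93000 pid=50 main-696 in main.c received pkt:count=197, a=/tmp/.thttp.socket/21
"""

KV_LINE = re.compile(r"^\s*([\w. -]+?)\s*:\s*(.*?)\s*$")
SERVER_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(-?\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
FIELDS = ("ip", "weight", "round_time_ms", "tz", "packets", "curr_lost", "total_lost")


def parse_kv(text):
    """'key : value' lines (get output, rating header) -> {lowercase key: value}."""
    out = {}
    for line in text.splitlines():
        m = KV_LINE.match(line)
        if m:
            out[m.group(1).lower()] = m.group(2)
    return out


def parse_servers(text):
    """Rows of the '-=- Server List -=-' table -> list of dicts, table order kept."""
    rows = (SERVER_ROW.match(line) for line in text.splitlines())
    return [dict(zip(FIELDS, (m.group(1),) + tuple(int(g) for g in m.groups()[1:])))
            for m in rows if m]


def preferred_server(servers):
    """Assumed selection: lowest weight (10 x |TZ offset| in the post's table),
    then lowest round-trip time. None for an empty list."""
    return min(servers, key=lambda s: (s["weight"], s["round_time_ms"]), default=None)


def triage(cfg_text, rating_text, now):
    """Return [(severity, message)] for the failure modes the post describes."""
    cfg, hdr, servers = parse_kv(cfg_text), parse_kv(rating_text), parse_servers(rating_text)
    findings = []
    host = cfg.get("hostname", "")
    if host not in KNOWN_FORTIGUARD_HOSTS:
        findings.append(("error", f"hostname '{host}' is hardcoded; set hostname service.fortiguard.net"))
    if hdr.get("license", "").lower() != "contract":
        findings.append(("error", f"license is '{hdr.get('license')}', not Contract"))
    if "expiration" in hdr:
        expires = datetime.strptime(hdr["expiration"], "%a %b %d %H:%M:%S %Y")
        if expires < now:
            findings.append(("error", f"contract expired on {hdr['expiration']}"))
    if not servers:
        findings.append(("error", "empty server list: no FortiGuard server ever answered (check routing/DNS)"))
    for s in servers:
        if s["packets"] and s["total_lost"] / s["packets"] > LOSS_THRESHOLD:
            findings.append(("warn", f"{s['ip']}: {s['total_lost']}/{s['packets']} rating packets lost"))
        if s["curr_lost"]:
            findings.append(("warn", f"{s['ip']}: currently losing packets ({s['curr_lost']})"))
    return findings


def run_sample(now=SAMPLE_LIST_DATE):
    """Triage the constructed sample as of the date printed in its server list."""
    return triage(SAMPLE_GET_SYSTEM_FORTIGUARD, SAMPLE_DIAG_DEBUG_RATING, now)


if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity}] {message}")
    best = preferred_server(parse_servers(SAMPLE_DIAG_DEBUG_RATING))
    print(f"preferred server: {best['ip']} ({best['round_time_ms']} ms round-trip)")
```

On the sample the only error is the hardcoded 66.92.33.1 hostname; two servers exceed the loss threshold and are reported as warnings, which is what the post's healthy table looks like after the fix. Running the same triage with a later date reports the 2010 expiration, the other reason a unit with a reachable server stops filtering.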

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.
