yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Failed to connect to Fortiguard servers

Today I ran into an otherwise easy-to-diagnose misconfiguration, except that Fortinet decided to ‘hide’ the relevant parameter deep enough that it got on my nerves until I fixed it.

NOTE: Fortiguard is a subscription-based service in which your Fortigate unit periodically
connects to the Fortinet servers (collectively named the Fortiguard servers) to fetch the data that enables advanced
features like web filtering by category/rating.

Problem: the client's Fortigate suddenly refused to do web/spam filtering while having a valid contract subscription. Not a big deal at first glance: in System -> Maintenance -> Fortiguard the status was “Failed to connect” (or something of the kind, I don't recall it exactly now). On the same page there is a nice “Test Availability” button, and pushing it brought the error “Connection failed. Check firewall routing table”.
In most cases this is either a reachability issue or the Fortigate is trying to update against the wrong server.
Pinging service.fortiguard.net (the FQDN to use for the Fortiguard servers) from the firewall succeeded,
which left the second option: a wrong Fortiguard server hardcoded somewhere in the config. Running
FG100 # show system fortiguard
gave only this:
config system fortiguard
set antispam-cache disable
set webfilter-cache disable
end

And only running
FG100 # get system fortiguard
gave the answer:
hostname : 66.92.33.1
srv-ovrd : disable
port : 53
client-override-status: disable

To fix this you enter:
FG100 # config system fortiguard
FG100 (fortiguard) # set
*hostname hostname or IP of the FortiGuard server
FG100 (fortiguard) # set hostname service.fortiguard.net
FG100 (fortiguard) # end

* FortiOS 3.x uses service.fortiguard.net; FortiOS 2.80 used guard.fortinet.net for web filtering and
antispam.fortigate.com for antispam filtering. Fortinet's recommendation is to use the FortiOS 3.x name, nevertheless
setting guard.fortinet.net in FortiOS 3 works as well (after all, they are CNAME'd).
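A small audit of the `get system fortiguard` output, added here as an example (mine, not the post's and not a Fortinet tool): it parses the key : value lines and flags a hostname that is a bare IP, as on this unit, rather than one of the FQDNs above; the function names and the licence check are my own additions.

```python
import ipaddress

# FortiGuard FQDNs named in the post (FortiOS 3.x name and the older 2.80 names).
EXPECTED_HOSTNAMES = {
    "service.fortiguard.net",  # FortiOS 3.x
    "guard.fortinet.net",      # FortiOS 2.80 web filtering, CNAME'd to the above
    "antispam.fortigate.com",  # FortiOS 2.80 antispam
}


def parse_get_output(text):
    """Turn the 'key : value' lines printed by `get system fortiguard` into a dict."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit_fortiguard(text):
    """Return human-readable findings; an empty list means the settings look sane."""
    cfg = parse_get_output(text)
    findings = []
    host = cfg.get("hostname", "")
    try:
        ipaddress.ip_address(host)  # raises ValueError for an FQDN
        findings.append(f"hostname is a hard-coded IP ({host}) instead of a FortiGuard FQDN")
    except ValueError:
        if host not in EXPECTED_HOSTNAMES:
            findings.append(f"hostname {host!r} is not a known FortiGuard FQDN")
    # Newer FortiOS `get` output (as in the comments on this post) also reports licence state.
    for key in ("antispam-license", "webfilter-license"):
        if key in cfg and cfg[key] != "Contract":
            findings.append(f"{key} is {cfg[key]!r}, so that service has no valid contract")
    return findings


# Constructed sample copied from the broken unit in the post.
SAMPLE_BROKEN = """\
hostname : 66.92.33.1
srv-ovrd : disable
port : 53
client-override-status: disable
"""

if __name__ == "__main__":
    for finding in audit_fortiguard(SAMPLE_BROKEN):
        print("FINDING:", finding)
```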

And while we are on it, here are a few useful debug commands for the topic:

– To see the real-time list of servers to which the firewall tries to connect for the Fortiguard service:
FG200# diagnose debug rating
Locale : english
License : Contract
Expiration : Fri Jun 17 02:00:00 2010
Hostname : guard.fortinet.net

-=- Server List (Wed Jun 19 08:12:58 2009) -=-

IP Weight Round-time TZ Packets Curr Lost Total Lost
212.95.252.121 0 85 0 521863 0 113
212.95.252.120 0 89 0 4625 0 5
82.71.226.65 0 97 0 2140 0 34
62.209.40.73 10 105 1 2060 0 0
62.209.40.72 10 103 1 2060 0 0
66.117.56.37 50 158 -5 2060 0 0
69.20.236.180 50 191 -5 2060 0 0
69.20.236.179 50 185 -5 2060 0 0
66.117.56.42 50 164 -5 2061 0 1
72.52.72.243 80 245 -8 2063 0 3
116.58.208.39 80 371 -8 2081 0 21
208.91.112.194 80 233 -8 2075 0 12
216.156.209.26 80 239 -8 2068 0 7
121.111.236.179 90 354 9 2061 0 1
121.111.236.180 90 366 9 2064 0 4

– The same for the Antispam service:
FG200# diagnose spamfilter fortishield servers
Locale : english
License : Contract
Expiration : Fri Jun 17 02:00:00 2010
Hostname : guard.fortinet.net

-=- Server List (Wed Jun 19 08:13:39 2009) -=-

IP Weight Round-time TZ Packets Curr Lost Total Lost
212.95.252.121 0 94 0 2063 0 0
212.95.252.120 0 96 0 2061 0 0
82.71.226.65 0 104 0 2076 0 18
62.209.40.73 10 113 1 2061 0 0
62.209.40.72 10 111 1 2061 0 0
66.117.56.37 50 159 -5 2061 0 0
69.20.236.180 50 199 -5 2061 0 0
69.20.236.179 50 193 -5 2061 0 0
66.117.56.42 50 169 -5 2063 0 2
72.52.72.243 80 273 -8 2065 0 4
116.58.208.39 80 380 -8 2085 0 24
208.91.112.194 80 271 -8 2071 0 8
216.156.209.26 80 261 -8 2064 0 2
121.111.236.179 90 362 9 2061 0 0
121.111.236.180 90 370 9 2062 0 1
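An added example (mine, not the post's) that parses the server list printed by both commands above, orders the servers by weight and round-trip time (assuming, as I do here, that lower weight is preferred) and flags any with cumulative loss above a threshold; a few rows of the output above serve as the constructed input.

```python
import re

# Column order of the server table printed by `diagnose debug rating`
# (the header's "Curr Lost" / "Total Lost" are two-word column names).
COLUMNS = ("ip", "weight", "round_time", "tz", "packets", "curr_lost", "total_lost")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_server_list(text):
    """Parse the table rows into dicts, skipping banner, header and blank lines."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(COLUMNS) or not IPV4_RE.match(fields[0]):
            continue
        rec = dict(zip(COLUMNS, fields))
        for key in COLUMNS[1:]:
            rec[key] = int(rec[key])
        servers.append(rec)
    return servers


def preferred_order(servers):
    """IPs ordered by (weight, round-trip time); assumption: lower weight is preferred."""
    return [s["ip"] for s in sorted(servers, key=lambda s: (s["weight"], s["round_time"]))]


def lossy_servers(servers, max_loss_pct=1.0):
    """(ip, loss %) for servers whose cumulative loss exceeds max_loss_pct of packets sent."""
    flagged = []
    for s in servers:
        if s["packets"] == 0:
            continue
        loss = 100.0 * s["total_lost"] / s["packets"]
        if loss > max_loss_pct:
            flagged.append((s["ip"], round(loss, 2)))
    return flagged


# Constructed sample: the banner plus four rows taken from the post's output.
SAMPLE = """\
Locale : english
License : Contract
Hostname : guard.fortinet.net

-=- Server List (Wed Jun 19 08:12:58 2009) -=-

IP Weight Round-time TZ Packets Curr Lost Total Lost
212.95.252.121 0 85 0 521863 0 113
82.71.226.65 0 97 0 2140 0 34
62.209.40.73 10 105 1 2060 0 0
116.58.208.39 80 371 -8 2081 0 21
"""

if __name__ == "__main__":
    rows = parse_server_list(SAMPLE)
    print("preferred:", preferred_order(rows))
    print("lossy:", lossy_servers(rows))
```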

– To see on the console the web filtering doing its work:
FG200# diagnose debug application urlfilter 1

FG200 # id=93000 pid=50 main-696 in main.c received pkt:count=197, a=/tmp/.thttp.socket/21
id=22009 received a request /tmp/.thttp.socket, addr_len=21: d=www.cnn.com:80, url=/a7Admin/SelectImage.aspx?end=document.f.largeimage.value&preview=document.getElementById('oImg2')&w=319&h=215, id=913659, vfid=0, type=0, client=192.168.7.238
id=93000 msg="found it in cache"
id=93003 user="N/A" src=192.168.7.238 sport=4796 dst=157.166.224.25 dport=80 service=http cat=36 cat_desc="News and Media" hostname=www.cnn.com url=/a7Admin/SelectImage.aspx?end=document.f.largeimage.value&preview=document.getElementById('oImg2')&w=319&h=215 status=passthrough msg="URL belongs to an allowed category in the policy"
id=93000 pid=50 main-696 in main.c received pkt:count=255, a=/tmp/.thttp.socket/21
id=22009 received a request /tmp/.thttp.socket, addr_len=21: d=b.mail.google.com:80, url=/mail/channel/bind?VER=6&it=460207&at=xn3j2v04hx65iz3ypmmyzptrbkimsf&RID=rpc&SID=57A1C77D6AAC35B0&CI=1&AID=347&TYPE=html&zx=8i5clc-olem8j&DOMAIN=mail.google.com&t=1, id=900542, vfid=0, type=0, client=192.168.7.56
id=93003 user="N/A" src=192.168.7.56 sport=4280 dst=74.125.39.189 dport=80 service=http cat=23 cat_desc="Web-based Email" hostname=b.mail.google.com url=/mail/channel/bind?VER=6&it=460207&at=xn3j2v04hx65iz3ypmmyzptrbkimsf&RID=rpc&SID=57A1C77D6AAC35B0&CI=1&AID=347&TYPE=html&zx=8i5clc-olem8j&DOMAIN=mail.google.com&t=1 status=passthrough msg="URL belongs to an allowed category in the policy"
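An added example (not from the post) that parses the id=93003 verdict lines above into fields, handling the double-quoted values such as cat_desc and msg that contain spaces, and tallies verdicts per category and status; the sample lines are constructed from the output above with shortened URLs.

```python
import re
from collections import Counter

# key=value pairs as printed by `diagnose debug application urlfilter 1`:
# a value is either double-quoted (may contain spaces) or a bare run of non-space characters.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_verdict(line):
    """Parse one id=93003 verdict line into a dict; other debug lines give None."""
    if "id=93003" not in line:
        return None
    rec = {}
    for m in KV_RE.finditer(line):
        rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return rec


def summarize(lines):
    """Count verdicts per (category, status) and collect the client IPs seen per category."""
    counts = Counter()
    clients = {}
    for line in lines:
        rec = parse_verdict(line)
        if rec is None:
            continue
        cat, status = rec.get("cat_desc", "?"), rec.get("status", "?")
        counts[(cat, status)] += 1
        clients.setdefault(cat, set()).add(rec.get("src", "?"))
    return counts, clients


# Constructed sample: the two verdict lines from the post (URLs shortened) plus one socket line to skip.
SAMPLE_LINES = [
    'id=93000 pid=50 main-696 in main.c received pkt:count=197, a=/tmp/.thttp.socket/21',
    'id=93003 user="N/A" src=192.168.7.238 sport=4796 dst=157.166.224.25 dport=80 service=http '
    'cat=36 cat_desc="News and Media" hostname=www.cnn.com url=/a7Admin/SelectImage.aspx?w=319&h=215 '
    'status=passthrough msg="URL belongs to an allowed category in the policy"',
    'id=93003 user="N/A" src=192.168.7.56 sport=4280 dst=74.125.39.189 dport=80 service=http '
    'cat=23 cat_desc="Web-based Email" hostname=b.mail.google.com url=/mail/channel/bind?VER=6&t=1 '
    'status=passthrough msg="URL belongs to an allowed category in the policy"',
]

if __name__ == "__main__":
    counts, clients = summarize(SAMPLE_LINES)
    for (cat, status), n in sorted(counts.items()):
        print(f"{cat:20s} {status:12s} {n:3d} clients={sorted(clients[cat])}")
```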



6 Comments

  1. when issuing “diagnose debug application urlfilter 1” I don't see any output

  2. you have to enable debugging via the command “diagnose debug enable”

  3. this is what I get for hostname in the fortiguard system config, and I didn't understand. Should I change it? because I have “rating error” and “cannot resolve fortiguard hostname” problems when using the web filter.

    hostname : service.fortiguard.net

    I have version 4.0 MR3, patch 7.
    The unit is a FortiGate 60C.

    here is the whole output of the command get system fortiguard:
    hostname : service.fortiguard.net
    srv-ovrd : disable
    port : 53
    client-override-status: disable
    service-account-id : (null)
    load-balance-servers: 1
    analysis-service : enable
    antispam-force-off : disable
    antispam-cache : enable
    antispam-cache-ttl : 1800
    antispam-cache-mpercent: 2
    antispam-license : Contract
    antispam-expiration : Sat Feb 22 16:00:00 2014
    antispam-timeout : 7
    avquery-force-off : disable
    avquery-cache : enable
    avquery-cache-ttl : 1800
    avquery-cache-mpercent: 2
    avquery-license : Unknown
    avquery-expiration : N/A
    avquery-timeout : 7
    webfilter-force-off : disable
    webfilter-cache : enable
    webfilter-cache-ttl : 3600
    webfilter-license : Contract
    webfilter-expiration: Sat Feb 22 16:00:00 2014
    webfilter-timeout : 15
    antispam-score-threshold: 80

  4. I’ve got service.fortiguard.net but I still get the error “Connection Error. Please check the routing table of the firewall.”

    I’ve checked the routing table and matched it with the firewall's settings; they are similar and seem fine to me. But I am still not able to activate the IPS and Webfilter services.

    Any advice for this?

    Thanks in advance.

  5. I have just had to troubleshoot an issue with a brand new FortiGate 60D that was showing “Web Filtering” and “E-mail Filtering” as being licensed but all other features, including the Registration, as “Unreachable”. FortiCloud was enabled and working.

    I could ping any server on the internet by IP or name (meaning routing and DNS were all correct).
    I could browse the web from inside the FortiGate.
    I could manage the FortiGate externally using SSH but not HTTPS.

    It turned out my issue was caused by the default MTU of 1500 being too high for my DSL connection.

    Following the steps in this article (there is no GUI option on the 60D so I just used the CLI) I dropped the MTU down and fixed the problem.

    http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=11745

    During my testing I downgraded the firmware and then upgraded after fixing the MTU and it reset the MTU on the WAN1 interface but not the LAN interface so it would pay to keep an eye on this if / when you upgrade the firmware in the future.

    I hope this saves someone else some time if they have the same problem.

    Regards

  6. Hi Trevor,

    Do you set the MTU for the 60D on the WAN1 interface? May I know which command you used.. is it

    >config system interface
    >edit wan1

    Thanks and Regards,

© 2016 yurisk.info