Failed to connect to Fortiguard servers


Today I encountered an otherwise easy-to-diagnose misconfiguration, except that Fortinet decided to 'hide' this parameter deep enough.

NOTE : Fortiguard is a subscription-based service in which your Fortigate unit periodically connects to Fortinet servers (collectively named Fortiguard servers) to get the information that enables advanced features like filtering by category/rating.

Problem - suddenly the client's Fortigate refused to do web/spam filtering while having a valid contract subscription. The reason was obvious, as in System -> Maintenance -> Fortiguard the status was "Failed to connect" (or something of the kind, I don't recall it exactly). On the same page there is a nice button "Test Availability"; pushing it brings the error "Connection failed. Check firewall routing table".
In most cases it is one of two things: the Fortiguard servers are not reachable from the Fortigate, or the Fortigate is trying to update against the wrong server.
Pinging successfully from the firewall (exe ping service.fortiguard.net; this is the FQDN to use for the Fortiguard servers) left me with the 2nd option: a wrong Fortiguard server hardcoded somewhere in the configs. Running

        FG100 # show system fortiguard

gave only this:

        config system fortiguard
            set antispam-cache disable
            set webfilter-cache disable
        end  

Only running

        FG100 # get system fortiguard

gave the needed answer:

        hostname            : 66.92.33.1
        srv-ovrd            : disable
        port                : 53
        client-override-status: disable  

Note the port as well: rating lookups are UDP to the port shown here (53 by default, 8888 being the alternative), so anything upstream that filters outbound UDP 53 to non-DNS servers produces the same "Failed to connect" symptom.

To fix this I entered:

        FG100 # config system fortiguard
        FG100 (fortiguard) # set ?
        hostname    hostname or IP of the FortiGuard server
        FG100 (fortiguard) # set hostname service.fortiguard.net
        FG100 (fortiguard) # end

(set ? prints the help line shown; the actual change is set hostname, and since config system fortiguard is not a table, it is closed with end, not next). After that, Test Availability should succeed again.

FortiOS 3.x and later uses service.fortiguard.net; FortiOS 2.80 used guard.fortinet.net for web filtering and antispam.fortigate.com for antispam filtering. Fortinet's recommendation is to use service.fortiguard.net; nevertheless, setting guard.fortinet.net in FortiOS 3 works as well (after all, they are CNAMEs of each other).

And while we are on it, here are a few useful debug commands on the topic:
- To see in real time the list of servers the firewall tries to connect to for the Fortiguard service:
FG200#diagnose debug rating

        Locale       : english
        License      : Contract
        Expiration   : Fri Jun 17 02:00:00 2010
        Hostname     : guard.fortinet.net

        -=- Server List (Wed Jun 19 08:12:58 2009) -=-

        IP                  Weight Round-time  TZ    Packets  Curr Lost Total Lost
        212.95.252.121           0         85   0     521863          0        113
        212.95.252.120           0         89   0       4625          0          5
        82.71.226.65             0         97   0       2140          0         34
        62.209.40.73            10        105   1       2060          0          0
        62.209.40.72            10        103   1       2060          0          0
        66.117.56.37            50        158  -5       2060          0          0
        69.20.236.180           50        191  -5       2060          0          0
        69.20.236.179           50        185  -5       2060          0          0
        66.117.56.42            50        164  -5       2061          0          1
        72.52.72.243            80        245  -8       2063          0          3
        116.58.208.39           80        371  -8       2081          0         21
        208.91.112.194          80        233  -8       2075          0         12
        216.156.209.26          80        239  -8       2068          0          7
        121.111.236.179         90        354   9       2061          0          1
        121.111.236.180         90        366   9       2064          0          4
- The same for the Antispam service:
FG200#diagnose spamfilter fortishield servers

        Locale       : english
        License      : Contract
        Expiration   : Fri Jun 17 02:00:00 2010
        Hostname     : guard.fortinet.net

        -=- Server List (Wed Jun 19 08:13:39 2009) -=-

        IP                  Weight Round-time  TZ    Packets  Curr Lost Total Lost
        212.95.252.121           0         94   0       2063          0          0
        212.95.252.120           0         96   0       2061          0          0
        82.71.226.65             0        104   0       2076          0         18
        62.209.40.73            10        113   1       2061          0          0
        62.209.40.72            10        111   1       2061          0          0
        66.117.56.37            50        159  -5       2061          0          0
        69.20.236.180           50        199  -5       2061          0          0
        69.20.236.179           50        193  -5       2061          0          0
        66.117.56.42            50        169  -5       2063          0          2
        72.52.72.243            80        273  -8       2065          0          4
        116.58.208.39           80        380  -8       2085          0         24
        208.91.112.194          80        271  -8       2071          0          8
        216.156.209.26          80        261  -8       2064          0          2
        121.111.236.179         90        362   9       2061          0          0
        121.111.236.180         90        370   9       2062          0          1

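The two server lists above have the same layout, and the columns answer the question this post started with: is the contract still valid, which host is the unit actually using, and are the servers it prefers dropping packets. The following script is an added example (my code, not Fortinet's and not part of the original post) that parses that output offline and turns it into the checks I would run first. The sample is the post's own output trimmed to a few rows; the 1% loss threshold and the "lower weight, then lower round-trip time" ranking are assumptions.

```python
"""Parse the server list printed by `diagnose debug rating` (the same
layout is printed by `diagnose spamfilter fortishield servers`) and flag
what explains a failed FortiGuard connection: an expired contract, a
hostname hard-set to an IP instead of the FQDN, and lossy servers.

Added example, not code from the original post or from Fortinet.
"""
import re
from datetime import datetime

# Constructed sample: the header and first rows of the post's output.
SAMPLE = """\
Locale       : english
License      : Contract
Expiration   : Fri Jun 17 02:00:00 2010
Hostname     : guard.fortinet.net

-=- Server List (Wed Jun 19 08:12:58 2009) -=-

IP                  Weight Round-time  TZ    Packets  Curr Lost Total Lost
212.95.252.121           0         85   0     521863          0        113
212.95.252.120           0         89   0       4625          0          5
82.71.226.65             0         97   0       2140          0         34
62.209.40.73            10        105   1       2060          0          0
116.58.208.39           80        371  -8       2081          0         21
"""

HEADER_RE = re.compile(r"^(Locale|License|Expiration|Hostname)\s*:\s*(.*)$")
LIST_RE = re.compile(r"^-=- Server List \((.+)\) -=-$")
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<weight>\d+)\s+(?P<rtt>\d+)\s+"
    r"(?P<tz>-?\d+)\s+(?P<packets>\d+)\s+(?P<curr_lost>\d+)\s+(?P<total_lost>\d+)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_timestamp(text):
    """'Fri Jun 17 02:00:00 2010' -> datetime. The weekday is dropped so a
    wrong day name on the box cannot break parsing."""
    return datetime.strptime(text.split(" ", 1)[1].strip(), "%b %d %H:%M:%S %Y")


def parse_rating_output(text):
    """Return header fields plus a 'servers' list with per-server loss ratio."""
    info = {"servers": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            info[m.group(1).lower()] = m.group(2).strip()  # tolerates "Expiration   :Fri ..."
            continue
        m = LIST_RE.match(line)
        if m:
            info["listed_at"] = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m:
            row = {k: (v if k == "ip" else int(v)) for k, v in m.groupdict().items()}
            row["loss_ratio"] = row["total_lost"] / row["packets"] if row["packets"] else 0.0
            info["servers"].append(row)
    return info


def assess(info, now=None, max_loss=0.01):
    """The checks a practitioner wants from that output (thresholds are assumptions)."""
    if now is None:
        now = parse_timestamp(info["listed_at"]) if "listed_at" in info else datetime.now()
    expired = "expiration" in info and parse_timestamp(info["expiration"]) < now
    # Assumption: the unit prefers the lowest weight; ties broken on round-trip time.
    ranked = sorted(info["servers"], key=lambda r: (r["weight"], r["rtt"]))
    return {
        "license_expired": expired,
        "hostname_is_ip": bool(IPV4_RE.match(info.get("hostname", ""))),
        "lossy_servers": [r["ip"] for r in info["servers"] if r["loss_ratio"] > max_loss],
        "preferred_server": ranked[0]["ip"] if ranked else None,
        "no_servers": not info["servers"],
    }


if __name__ == "__main__":
    for key, value in assess(parse_rating_output(SAMPLE)).items():
        print(f"{key:>17}: {value}")
```

An empty server list with a valid license is the "wrong hostname" case from this post; a populated list with a lossy preferred server points at the path to the servers instead, which is where the "Check firewall routing table" hint actually applies.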
- To see the web filtering doing its work on the console (turn it off again with diagnose debug disable when done, otherwise the console keeps scrolling):
FG200#diagnose debug application urlfilter 1
FG200#diagnose debug enable

        FG200 # id=93000 pid=50 main-696 in main.c received pkt:count=197, a=/tmp/.thttp.socket/21 id=22009 received a request /tmp/.thttp.socket, addr_len=21: d=www.cnn.com:80, url=/a7Admin/SelectImage.aspx?end=document.f.largeimage.value&preview=document.getElementById('oImg2')&w=319&h=215, id=913659, vfid=0, type=0, client=192.168.7.238
        id=93000 msg="found it in cache"
        id=93003 user="N/A" src=192.168.7.238 sport=4796 dst=157.166.224.25 dport=80 service=http cat=36 cat_desc="News and Media" hostname=www.cnn.com url=/a7Admin/SelectImage.aspx?end=document.f.largeimage.value&preview=document.getElementById('oImg2')&w=319&h=215 status=passthrough msg="URL belongs to an allowed category in the policy"
        id=93000 pid=50 main-696 in main.c received pkt:count=255, a=/tmp/.thttp.socket/21
        id=22009 received a request /tmp/.thttp.socket, addr_len=21: d=b.mail.google.com:80, url=/mail/channel/bind?VER=6&it=460207&at=xn3j2v04hx65iz3ypmmyzptrbkimsf&RID=rpc&SID=57A1C77D6AAC35B0&CI=1&AID=347&TYPE=html&zx=8i5clc-olem8j&DOMAIN=mail.google.com&t=1, id=900542, vfid=0, type=0, client=192.168.7.56
        id=93003 user="N/A" src=192.168.7.56 sport=4280 dst=74.125.39.189 dport=80 service=http cat=23 cat_desc="Web-based Email" hostname=b.mail.google.com url=/mail/channel/bind?VER=6&it=460207&at=xn3j2v04hx65iz3ypmmyzptrbkimsf&RID=rpc&SID=57A1C77D6AAC35B0&CI=1&AID=347&TYPE=html&zx=8i5clc-olem8j&DOMAIN=mail.google.com&t=1 status=passthrough msg="URL belongs to an allowed category in the policy"
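Only the id=93003 lines in that output are verdicts (source, destination, category, status); the rest is daemon chatter. They use the same key=value layout as Fortigate log messages, where quoted values may contain spaces and a url value may itself contain "=" and "&". Below is an added example (my code, not part of the original post) that parses those lines into records and summarises them per status and category. The sample holds the two verdict lines from the post plus one constructed blocked line, whose host, address, category number and text are made up for illustration.

```python
"""Parse the verdict lines (id=93003) printed by
`diagnose debug application urlfilter 1` into dicts and summarise them.

Added example, not code from the original post or from Fortinet.
"""
import re
from collections import Counter

# Sample input: one daemon line and two verdict lines copied from the post,
# plus one CONSTRUCTED blocked line (host, IP, category number/name made up).
SAMPLE = "\n".join([
    'id=93000 msg="found it in cache"',
    'id=93003 user="N/A" src=192.168.7.238 sport=4796 dst=157.166.224.25 dport=80 service=http '
    'cat=36 cat_desc="News and Media" hostname=www.cnn.com '
    "url=/a7Admin/SelectImage.aspx?end=document.f.largeimage.value&preview=document.getElementById('oImg2')&w=319&h=215 "
    'status=passthrough msg="URL belongs to an allowed category in the policy"',
    'id=93003 user="N/A" src=192.168.7.56 sport=4280 dst=74.125.39.189 dport=80 service=http '
    'cat=23 cat_desc="Web-based Email" hostname=b.mail.google.com '
    "url=/mail/channel/bind?VER=6&it=460207&at=xn3j2v04hx65iz3ypmmyzptrbkimsf&RID=rpc&SID=57A1C77D6AAC35B0&CI=1&AID=347&TYPE=html&zx=8i5clc-olem8j&DOMAIN=mail.google.com&t=1 "
    'status=passthrough msg="URL belongs to an allowed category in the policy"',
    # constructed line, not from the post
    'id=93003 user="N/A" src=192.168.7.56 sport=4301 dst=203.0.113.10 dport=80 service=http '
    'cat=26 cat_desc="Malicious Websites" hostname=bad.example.net url=/dl/update.exe '
    'status=blocked msg="URL belongs to a denied category in the policy"',
])

# key=value where value is either a double-quoted string or a run of non-space
# characters; the second form is what lets url=...&w=319&h=215 survive intact.
TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
VERDICT_ID = "93003"


def parse_kv(line):
    """'k=v k2="v 2"' -> dict; quotes are stripped, spaces inside them kept."""
    out = {}
    for key, value in TOKEN_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        out[key] = value
    return out


def parse_urlfilter_debug(text):
    """Keep only verdict lines; the first id= on a line identifies the message."""
    records = []
    for line in text.splitlines():
        m = re.search(r"\bid=(\d+)", line)
        if not m or m.group(1) != VERDICT_ID:
            continue
        rec = parse_kv(line)
        for key in ("cat", "sport", "dport"):
            if key in rec and rec[key].isdigit():
                rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarize(records):
    """Counts per status and category, and the (src, host, url) of every block."""
    return {
        "by_status": dict(Counter(r.get("status", "?") for r in records)),
        "by_category": dict(Counter(r.get("cat_desc", "?") for r in records)),
        "blocked": [(r["src"], r["hostname"], r["url"])
                    for r in records if r.get("status") == "blocked"],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_urlfilter_debug(SAMPLE)).items():
        print(f"{key}: {value}")
```

The same tokenizer works on the box's webfilter log entries, so the summary can be run over an exported log just as well as over a pasted console session.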