Verification – CLI
You can also use the CLI to see which FortiGuard servers are available to your FortiGate. Use the following CLI command to ping the FDN and check the connection:
ping guard.fortinet.net
You can also use the following diagnose command to find out which FortiGuard servers are available:
diagnose debug rating
From this command, you will see output similar to the following:
Locale : english
License : Contract
Expiration : Sun Jul 24 20:00:00 2011
Hostname : service.fortiguard.net
-=- Server List (Tue Nov 2 11:12:28 2010) -=-
IP              Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost
69.20.236.180        0   10          -5    77200          0          42
69.20.236.179        0   12          -5    52514          0          34
66.117.56.42         0   32          -5    34390          0          62
80.85.69.38         50  164           0    34430          0       11763
208.91.112.194      81  223  D       -8    42530          0        8129
216.156.209.26     286  241  DI      -8    55602          0       21555
An extensive list of servers is available. Should you see a list of only three to five servers, DNS lookups of service.fortiguard.net are succeeding, but the INIT requests are not reaching the FDS services on the servers.
The rating flags indicate the server status:
D  The server was found via the DNS lookup of the hostname. If the hostname returns more than one IP address, all of them are flagged with 'D' and are used first for INIT requests before falling back to the other servers.
I  The server to which the last INIT request was sent.
F  The server has not responded to requests and is considered to have failed.
T  The server is currently being timed.
The server list is sorted first by weight and then the server with the smallest RTT is put at the top of the list, regardless of weight. When a packet is lost, it will be resent to the next server in the list.
The weight for each server increases with failed packets and decreases with successful packets. To lower the possibility of using a faraway server, the weight is not allowed to dip below a base weight, which is calculated as the difference in hours between the FortiGate and the server multiplied by 10. The further away the server is, the higher its base weight and the lower in the list it will appear.
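The following Python model is an added example that is not FortiOS code or output from the handbook. It parses the server list shown above, computes the base weight from the time-zone difference, applies the weight adjustment and ordering rules just described, and picks the failover server after a lost packet. Two things are assumptions: the FortiGate is taken to be in UTC-5 (the value that reproduces the sample's weights of 0, 50 and 30 for servers in TZ -5, 0 and -8), and each packet moves the weight by one unit, since the page does not give the step size.

```python
"""Model of FortiGuard server weighting and ordering (added example, not FortiOS code)."""
from dataclasses import dataclass

FORTIGATE_TZ = -5   # assumption: consistent with the weights in the sample listing
WEIGHT_STEP = 1     # assumption: size of each per-packet weight adjustment

# Server list copied from the 'diagnose debug rating' sample above.
SAMPLE_LISTING = """\
IP              Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost
69.20.236.180        0   10          -5    77200          0          42
69.20.236.179        0   12          -5    52514          0          34
66.117.56.42         0   32          -5    34390          0          62
80.85.69.38         50  164           0    34430          0       11763
208.91.112.194      81  223  D       -8    42530          0        8129
216.156.209.26     286  241  DI      -8    55602          0       21555
"""


@dataclass
class Server:
    ip: str
    weight: int
    rtt: int
    flags: str
    tz: int
    packets: int = 0
    curr_lost: int = 0
    total_lost: int = 0


def base_weight(server_tz: int, fortigate_tz: int = FORTIGATE_TZ) -> int:
    """Base weight: hours between FortiGate and server time zones, times 10."""
    return abs(server_tz - fortigate_tz) * 10


def parse_server_list(text: str) -> list:
    """Parse the fixed-width server rows; the flags column may be empty."""
    servers = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields[0][0].isdigit():
            continue  # header line
        if len(fields) == 7:      # no flags on this row
            fields.insert(3, "")
        ip, w, rtt, flags, tz, pk, cl, tl = fields
        servers.append(Server(ip, int(w), int(rtt), flags, int(tz),
                              int(pk), int(cl), int(tl)))
    return servers


def order(servers: list) -> list:
    """Sort by weight (ties by RTT), then put the lowest-RTT server on top regardless of weight."""
    ranked = sorted(servers, key=lambda s: (s.weight, s.rtt))
    fastest = min(ranked, key=lambda s: s.rtt)
    ranked.remove(fastest)
    return [fastest] + ranked


def init_order(servers: list) -> list:
    """DNS-discovered ('D') servers are tried first for INIT requests."""
    ranked = order(servers)
    return [s for s in ranked if "D" in s.flags] + [s for s in ranked if "D" not in s.flags]


def record(server: Server, lost: bool) -> int:
    """Raise the weight on a lost packet, lower it on success, never below the base weight."""
    server.packets += 1
    if lost:
        server.curr_lost += 1
        server.total_lost += 1
        server.weight += WEIGHT_STEP
    else:
        server.curr_lost = 0
        server.weight = max(base_weight(server.tz), server.weight - WEIGHT_STEP)
    return server.weight


def next_server(servers: list, failed: Server) -> Server:
    """A lost packet is resent to the server after the failed one in the ordered list."""
    ranked = order(servers)
    return ranked[(ranked.index(failed) + 1) % len(ranked)]


if __name__ == "__main__":
    lst = parse_server_list(SAMPLE_LISTING)
    for s in order(lst):
        print(f"{s.ip:16} weight={s.weight:4} base={base_weight(s.tz):3} rtt={s.rtt}")
```

Running it prints the sample servers in the order the FortiGate would try them; every weight in the sample sits at or above the computed base weight, which is the clamp the last paragraph describes.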
Port assignment
FortiGates contact the FortiGuard Distribution Network (FDN) for the latest list of FDN servers by sending UDP packets with typical source ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets have a destination port of 1027 or 1031.
If your ISP blocks UDP packets in this port range, the FortiGate cannot receive the FDN reply packets. As a result, the FortiGate will not receive the complete FDN server list.
If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate to use higher-numbered ports with the following CLI command:
config system global
set ip-src-port-range <start port>-<end port>
end
…where <start port> and <end port> are numbers in the range 1024 to 25000.
For example, you could configure the FortiGate to not use ports lower than 2048 or higher than 20000:
config system global
set ip-src-port-range 2048-20000
end
Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use. Push updates might be unavailable if:
- there is a NAT device installed between the unit and the FDN
- your unit connects to the Internet using a proxy server.
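As an added example (not FortiOS code or output), the script below applies the port rules from this section when troubleshooting missing FDN replies: it classifies UDP flows as FDN requests or replies from their ports, reports replies whose destination port falls in a range the ISP filters, and validates a proposed ip-src-port-range value against the 1024-25000 limit. The flow records, the addresses and the blocked port range are constructed for the example.

```python
"""FDN port troubleshooting helpers (added example, not FortiOS code)."""
import re

FDN_DST_PORTS = {53, 8888}          # destination ports of FDN server-list requests
DEFAULT_SRC_PORTS = (1027, 1031)    # typical FortiGate source ports from the page
PORT_RANGE_MIN, PORT_RANGE_MAX = 1024, 25000   # limits of ip-src-port-range

# Constructed flow records: a FortiGate at 192.0.2.10, an FDN server at 198.51.100.5.
SAMPLE_FLOWS = """\
udp 192.0.2.10:1027 -> 198.51.100.5:53
udp 192.0.2.10:1031 -> 198.51.100.5:8888
udp 198.51.100.5:53 -> 192.0.2.10:1027
udp 198.51.100.5:8888 -> 192.0.2.10:1031
udp 192.0.2.10:40000 -> 203.0.113.9:123
"""
FLOW_RE = re.compile(r"udp (\S+):(\d+) -> (\S+):(\d+)")


def classify(line: str, src_ports=DEFAULT_SRC_PORTS) -> str:
    """Return 'fdn-request', 'fdn-reply' or 'other'; src_ports is any container supporting 'in'."""
    m = FLOW_RE.match(line)
    if not m:
        return "other"
    sp, dp = int(m.group(2)), int(m.group(4))
    if dp in FDN_DST_PORTS and sp in src_ports:
        return "fdn-request"
    if sp in FDN_DST_PORTS and dp in src_ports:
        return "fdn-reply"
    return "other"


def blocked_replies(lines, blocked_range, src_ports=DEFAULT_SRC_PORTS) -> list:
    """FDN replies whose destination port the ISP would drop (inclusive blocked range)."""
    lo, hi = blocked_range
    hits = []
    for line in lines:
        if classify(line, src_ports) == "fdn-reply":
            dst_port = int(FLOW_RE.match(line).group(4))
            if lo <= dst_port <= hi:
                hits.append(line)
    return hits


def validate_src_port_range(spec: str) -> tuple:
    """Parse '<start>-<end>' and enforce the 1024-25000 bounds and start <= end."""
    m = re.fullmatch(r"(\d+)-(\d+)", spec.strip())
    if not m:
        raise ValueError(f"bad ip-src-port-range syntax: {spec!r}")
    start, end = int(m.group(1)), int(m.group(2))
    if not (PORT_RANGE_MIN <= start <= end <= PORT_RANGE_MAX):
        raise ValueError(f"ports must satisfy {PORT_RANGE_MIN} <= start <= end <= {PORT_RANGE_MAX}")
    return start, end


def range_avoids_block(spec: str, blocked_range) -> bool:
    """True if the configured source port range does not overlap the blocked range."""
    start, end = validate_src_port_range(spec)
    lo, hi = blocked_range
    return end < lo or start > hi


if __name__ == "__main__":
    blocked = (1024, 1100)   # constructed: ISP drops UDP ports 1024-1100
    for line in SAMPLE_FLOWS.splitlines():
        print(f"{classify(line):12} {line}")
    print("replies lost to ISP filtering:", len(blocked_replies(SAMPLE_FLOWS.splitlines(), blocked)))
    print("2048-20000 avoids block:", range_avoids_block("2048-20000", blocked))
```

With the default source ports both sample replies land in the blocked range, which is the failure mode the section describes; after moving to 2048-20000 the replies arrive on ports outside it.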
FortiCloud is a hosted security management and log retention service for FortiGate products. It gives you centralized reporting, traffic analysis, configuration and log retention without the need for additional hardware or software.