FortiGuard
The FortiGuard Distribution Network (FDN) of servers provides updates to antivirus, antispam, and IPS definitions to your FortiGate. FortiGuard Subscription Services provides comprehensive Unified Threat Management (UTM) security solutions to enable protection against content and network level threats.
The FortiGuard team can be found around the globe, monitoring virus, spyware and vulnerability activities. As vulnerabilities are found, signatures are created and pushed to the subscribed FortiGates. The Global Threat Research Team enables Fortinet to deliver a combination of multi-layered security intelligence and provide true zero-day protection from new and emerging threats. The FortiGuard Network has data centers around the world located in secure, high availability locations that automatically deliver updates to the Fortinet security platforms to protect the network with the latest information.
FortiGuard provides a number of services to monitor world-wide activity and provide the best possible security, including:
- Intrusion Prevention System (IPS) – IPS uses a customizable database of more than 4000 known threats to stop attacks that evade conventional firewall defenses. It also provides behavior-based heuristics, enabling the system to recognize threats when no signature has yet been developed. It also provides more than 1000 application identity signatures for complete application control.
- Application Control – Application Control allows you to identify and control applications on networks and endpoints regardless of port, protocol, and IP address used. It gives you unmatched visibility and control over application traffic, even traffic from unknown applications and sources. Application Control is a free FortiGuard service and the database for Application Control signatures is separate from the IPS database (Botnet Application signatures are still part of the IPS signature database since these are more closely related with security issues and less about application detection). Application Control signature database information is displayed under the System > FortiGuard page in the FortiCare section.
- AntiVirus – The FortiGuard AntiVirus Service provides fully automated updates to ensure protection against the latest content level threats. It employs advanced virus, spyware, and heuristic detection engines to prevent both new and evolving threats from gaining access to your network and protects against vulnerabilities.
- Web Filtering – Web Filtering provides Web URL filtering to block access to harmful, inappropriate, and dangerous web sites that may contain phishing/pharming attacks, malware such as spyware, or objectionable content that can expose your organization to legal liability. Based on automatic research tools and targeted research analysis, real-time updates enable you to apply highly-granular policies that filter web access based on six major categories and nearly 80 micro-categories, over 45 million rated web sites, and more than two billion web pages – all continuously updated.
- Email Filtering – The FortiGuard Antispam Service uses both a sender IP reputation database and a spam signature database, along with sophisticated spam filtering tools on Fortinet appliances and agents, to detect and block a wide range of spam messages. Updates to the IP reputation and spam signature databases are provided continuously via the FDN.
- Messaging Services – Messaging Services allow a secure email server to be automatically enabled on your FortiGate to send alert email or send email authentication tokens. With the SMS gateway, you can enter phone numbers where the FortiGate will send the SMS messages. Note that depending on your carrier, there may be a slight time delay on receiving messages.
- DNS and DDNS – The FortiGuard DNS and DDNS services provide an efficient method of DNS lookups once subscribed to the FortiGuard network. This is the default option. The FortiGate connects automatically to the FortiGuard DNS server. If you do not register, you need to configure an alternate DNS server. Configure the DDNS server settings using the CLI command:
config system fortiguard
    set ddns-server-ip <ip_address>
    set ddns-server-port <port>
end
Support contract and FortiGuard subscription services
The FDN support contract is available under System > FortiGuard.
The License Information area displays the status of your FortiGate’s support contract.
You can also manually update the AntiVirus and IPS engines.
Verifying your connection to FortiGuard
If you are not getting FortiGuard web filtering or antispam services, there are a few things to verify that communication to the FDN is working. Before any troubleshooting, ensure that the FortiGate has been registered and subscribed to the FortiGuard services.
Verification – GUI:
The simplest method to check that the FortiGate is communicating with the FDN, is to check the License Information dashboard widget. Any subscribed services should have a green check mark beside them indicating that connections are successful. Any other icon indicates a problem with the connection, or you are not subscribed to the FortiGuard services.
You can also view the FortiGuard connection status by going to System > FortiGuard.
Verification – CLI:
You can also use the CLI to see what FortiGuard servers are available to your FortiGate. Use the following CLI command to ping the FDN for a connection:
execute ping guard.fortinet.net
You can also use the following diagnose command to find out what FortiGuard servers are available:
diagnose debug rating
From this command, you will see output similar to the following:
Locale     : english
License    : Contract
Expiration : Sun Jul 24 20:00:00 2011
Hostname   : service.fortiguard.net
-=- Server List (Tue Nov 2 11:12:28 2010) -=-

IP              Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost
69.20.236.180   0       10          -5  77200    0          42
69.20.236.179   0       12          -5  52514    0          34
66.117.56.42    0       32          -5  34390    0          62
80.85.69.38     50      164         0   34430    0          11763
208.91.112.194  81      223  D      -8  42530    0          8129
216.156.209.26  286     241  DI     -8  55602    0          21555
An extensive list of servers is available. Should you see a list of only three to five servers, the FortiGate is receiving DNS replies for service.fortiguard.net, but its INIT requests are not reaching the FDS services on those servers.
The rating flags indicate the server status:
Flag | Meaning
D | Indicates the server was found via the DNS lookup of the hostname. If the hostname returns more than one IP address, all of them will be flagged with 'D' and will be used first for INIT requests before falling back to the other servers.
I | Indicates the server to which the last INIT request was sent.
F | The server has not responded to requests and is considered to have failed.
T | The server is currently being timed.
The server list is sorted first by weight and then the server with the smallest RTT is put at the top of the list, regardless of weight. When a packet is lost, it will be resent to the next server in the list.
The weight for each server increases with failed packets and decreases with successful packets. To lower the possibility of using a distant server, the weight is not allowed to dip below a base weight, which is calculated as the difference in hours between the FortiGate and the server, multiplied by 10. The further away the server, the higher its base weight and the lower in the list it will appear.
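The ordering and base-weight rules above, worked through on the sample server list, as an added Python example that is not part of the FortiOS documentation: it parses the rows, checks that no weight sits under its base weight, and reproduces the selection and INIT order. The FortiGate's own time zone is not printed by the command and is assumed here to be UTC-5.

```python
import re
from dataclasses import dataclass

@dataclass
class RatingServer:
    ip: str
    weight: int
    rtt: int
    flags: str  # subset of D, I, F, T
    tz: int     # server UTC offset in hours

# Constructed sample, laid out like the server list from diagnose debug rating.
SAMPLE_OUTPUT = """\
IP              Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost
69.20.236.180   0       10          -5  77200    0          42
69.20.236.179   0       12          -5  52514    0          34
66.117.56.42    0       32          -5  34390    0          62
80.85.69.38     50      164         0   34430    0          11763
208.91.112.194  81      223  D      -8  42530    0          8129
216.156.209.26  286     241  DI     -8  55602    0          21555
"""
ASSUMED_FORTIGATE_TZ = -5  # assumption: the output does not show the unit's own TZ

# One server row: IP, weight, RTT, optional flag letters, TZ offset, counters.
ROW_RE = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+)\s+(\d+)\s+([DIFT]*)\s+(-?\d+)\s")

def parse_rating(text: str) -> list[RatingServer]:
    """Extract the server rows; the header and any banner lines are skipped."""
    rows = (ROW_RE.match(line.strip()) for line in text.splitlines())
    return [RatingServer(m[1], int(m[2]), int(m[3]), m[4], int(m[5])) for m in rows if m]

def base_weight(fortigate_tz: int, server_tz: int) -> int:
    """Lowest weight a server can reach: hours of TZ difference times 10."""
    return abs(fortigate_tz - server_tz) * 10

def below_base_weight(servers: list[RatingServer], fortigate_tz: int) -> list[str]:
    """IPs whose weight is under the floor; an empty list means the output is consistent."""
    return [s.ip for s in servers if s.weight < base_weight(fortigate_tz, s.tz)]

def selection_order(servers: list[RatingServer]) -> list[str]:
    """Sort by weight, then RTT, and move the lowest-RTT server to the top."""
    ranked = sorted(servers, key=lambda s: (s.weight, s.rtt))
    fastest = min(ranked, key=lambda s: s.rtt)
    return [fastest.ip] + [s.ip for s in ranked if s is not fastest]

def init_order(servers: list[RatingServer]) -> list[str]:
    """D-flagged (DNS-returned) servers are tried first for INIT requests."""
    flags = {s.ip: s.flags for s in servers}
    order = selection_order(servers)
    dns_first = [ip for ip in order if "D" in flags[ip]]
    return dns_first + [ip for ip in order if ip not in dns_first]
```

With the sample, the TZ 0 server's weight of 50 and the TZ -8 servers' weights of 81 and 286 all sit at or above their base weights of 50 and 30 for a unit in UTC-5, so the list is consistent with the rule.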
Port assignment
The FortiGate contacts FDN for the latest list of FDN servers by sending UDP packets with typical source ports of 1027 or 1031, and destination port 8888. The FDN reply packets have a destination port of 1027 or 1031.
If your ISP blocks UDP packets in this port range, the FortiGate cannot receive the FDN reply packets. As a result, the FortiGate will not receive the complete FDN server list.
If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate to use higher-numbered ports, using the CLI command:
config system global
    set ip-src-port-range <start port>-<end port>
end
where the <start port> and <end port> are numbers ranging from 1024 to 25000.
For example, you could configure the FortiGate to use no ports lower than 2048 and no ports higher than 20000:
config system global
    set ip-src-port-range 2048-20000
end
Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use. Push updates might be unavailable if:
- there is a NAT device installed between the unit and the FDN, and/or
- your unit connects to the Internet using a proxy server.
Configuring Antivirus and IPS options
Go to System > FortiGuard, and scroll down to the AntiVirus & IPS Updates section to configure the antivirus and IPS options for connecting and downloading definition files.
Option | Description
Accept push updates | Select to allow updates to be sent automatically to your FortiGate. New definitions will be added as soon as they are released by FortiGuard.
Use override push | Appears only if Accept push updates is enabled. Enable to configure an override server if you cannot connect to the FDN or if your organization provides updates using their own FortiGuard server. Once enabled, enter the IP address and port of the NAT device in front of your FortiGate; FDS will connect to this device when attempting to reach the FortiGate. The NAT device must be configured to forward the FDS traffic to the FortiGate on UDP port 9443.
Scheduled Updates | Enable for updates to be sent to your FortiGate at a specific time. For example, to minimize traffic lag times, you can schedule the update to occur on weekends or after work hours. Note that a schedule of once a week means any urgent updates will not be pushed until the scheduled time. However, if there is an urgent update required, select the Update Now button.
Improve IPS quality | Enable to help Fortinet maintain and improve IPS signatures. The information sent to the FortiGuard servers when an attack occurs can be used to keep the database current as variants of attacks evolve.
Use extended IPS signature package | Regular IPS database protects against the latest common and in-the-wild attacks. Extended IPS database includes protection from legacy attacks.
Update AV & IPS Definitions | Select to manually initiate an FDN update.
Manual updates
To manually update the signature definitions file, you need to first go to the Fortinet Support web site. Once logged in, select Download > FortiGuard Service Updates. The browser will present you with the most current IPS and AntiVirus signature definitions, which you can download.
Once downloaded to your computer, log into the FortiGate to load the definition file.
To load the definition file onto the FortiGate:
- Go to System > FortiGuard.
- In the License Information table, select the Upgrade Database link in the Application Control Signature, IPS, or AntiVirus row.
- In the pop-up window, select Upload and locate the downloaded file and select Open.
The upload may take a few minutes to complete.
Automatic updates
The FortiGate can be configured to request updates from FDN on a scheduled basis, or via push notification.
Scheduling updates
Scheduling updates ensures that the virus and IPS definitions are downloaded to your FortiGate on a regular basis, ensuring that you do not forget to check for the definition files yourself.
Updating definitions can cause a very short disruption in traffic currently being scanned while the FortiGate unit applies the new signature database. Ideally, schedule updates during off-peak hours, such as evenings or weekends, when network usage is minimal, to ensure that network activity will not suffer from the added traffic of downloading the definition files.
To enable scheduled updates – GUI:
- Go to System > FortiGuard and scroll down to AntiVirus & IPS Updates.
- Enable Scheduled Updates.
- Select the frequency of updates.
- Select Apply.
To enable scheduled updates – CLI:
config system autoupdate schedule
    set status enable
    set frequency {every | daily | weekly}
    set time <hh:mm>
    set day <day_of_week>
end
Push updates
Push updates enable you to get immediate updates when new viruses or intrusions have been discovered and new signatures created. This ensures that the latest signature will be sent to the FortiGate as soon as possible.
When a push notification occurs, the FortiGuard server sends a notice to the FortiGate that there is a new signature definition file available. The FortiGate then initiates a download of the definition file, similar to the scheduled update.
To ensure maximum security for your network, you should have a scheduled update as well as enable the push update, in case an urgent signature is created and your update cycle only runs weekly.
To enable push updates – GUI:
- Go to System > FortiGuard and scroll down to AntiVirus & IPS Updates.
- Enable Accept push updates.
- Select Apply.
To enable push updates – CLI:
config system autoupdate push-update
    set status enable
end
Push IP override
If the FortiGate is behind another NAT device (or another FortiGate), to ensure it receives the push update notifications, you need to use an override IP address for the notifications. To do this, you create a virtual IP to map to the external port of the NAT device.
Generally speaking, if there are two FortiGate devices, the following steps need to be completed on the FortiGate NAT device to ensure the FortiGate on the internal network receives the updates:
- Add a port forwarding virtual IP to the FortiGate NAT device that connects to the Internet by going to Policy & Objects > Virtual IPs.
- Add a security policy to the FortiGate NAT device that connects to the Internet that includes the port forwarding virtual IP.
- Configure the FortiGate on the internal network with an override push IP and port.
On the FortiGate internal device, the virtual IP is entered as the Use push override IP address.
To enable push update override – GUI:
- Go to System > FortiGuard and scroll down to AntiVirus & IPS Updates.
- Enable Accept push updates.
- Enable Use override push.
- Enter the virtual IP address configured on the NAT device.
- Select Apply.
To enable push update override – CLI:
config system autoupdate push-update
    set status enable
    set override enable
    set address <vip_address>
end
Sending malware statistics to FortiGuard
To support following malware trends and making zero-day discoveries, FortiGate units send encrypted statistics to FortiGuard about IPS, Application Control, and AntiVirus events detected by the FortiGuard services running on your FortiGate. FortiGuard uses the statistics collected to achieve a balance between performance and security effectiveness by moving inactive signatures to an extended signature database.
The statistics include some non-personal information that identifies your FortiGate and its country. The information is never shared with external parties. You can choose to disable the sharing of this information by entering the following CLI command:
config system global
    set fds-statistics disable
end
Configuring web filtering and email filtering options
Go to System > FortiGuard, and scroll down to Filtering to set the size of the caches and ports.
Option | Description
Web Filter Cache | Set the Time To Live (TTL) value. This is the number of seconds the FortiGate will store a blocked IP or URL locally instead of checking the FortiGuard server, saving time and network traffic. Once the TTL has expired, the FortiGate will contact an FDN server to verify a web address. The TTL must be between 300 and 86400 seconds.
Anti-Spam Cache | Set the TTL value (see above).
FortiGuard Filtering Port | Select the port assignments for contacting the FortiGuard servers.
Filtering Service Availability | Indicates the status of the filtering service. Select Check Again if the filtering service is not available.
Request re-evaluation of a URL's category | Select to re-evaluate a URL's category rating on the FortiGuard Web Filter service.
Email filtering
The FortiGuard data centers monitor and update email databases of known spam sources. With FortiGuard Anti-Spam filtering enabled, the FortiGate verifies incoming email sender addresses and IPs against the database, and takes the necessary actions as defined within the antivirus profiles.
Spam source IP addresses can also be cached locally on the FortiGate, which gives a quicker response for repeated lookups and eases the load on the FortiGuard servers, so that less common email address requests are also answered faster.
By default, the anti-spam cache is enabled. The cache includes a TTL value, which is the amount of time an email address will stay in the cache before expiring. You can change this value to shorten or extend the time between 5 and 1,440 minutes.
To modify the antispam cache TTL – GUI:
- Go to System > FortiGuard.
- Under Filtering, enable Anti-Spam Cache.
- Enter the TTL value in minutes.
- Select Apply.
To modify the Anti-Spam filter TTL – CLI:
config system fortiguard
    set antispam-cache-ttl <integer>
end
Further antispam filtering options can be configured to block, allow, or quarantine specific email addresses. These configurations are available through the Security Profiles > Anti-Spam menu.
Online security tools
The FortiGuard online center provides a number of online security tools, including but not limited to:
- URL lookup — By entering a website address, you can see if it has been rated and what category and classification it is filed as. If you find your website or a site you commonly go to has been wrongly categorized, you can use this page to request that the site be re-evaluated: https://fortiguard.com/webfilter
- Threat Encyclopedia — Browse the Fortiguard Labs extensive encyclopedia of threats. Search for viruses, botnet C&C, IPS, endpoint vulnerabilities, and mobile malware: https://www.fortiguard.com/encyclopedia
- Application Control — Browse the Fortiguard Labs extensive encyclopedia of applications: https://fortiguard.com/appcontrol
Hello Mike, one of my FortiGates is using the FortiGuard servers in a completely different location and having a really high DNS latency. We are using DDNS in that FortiGate so there's no option of not using the FortiGuard service as DNS, but I would like to know if this is due to any configuration error with the FortiGate location or if it can be solved. FYI: The system is running 6.2.10.