Tag Archives: fortiguard

Configuring RAID

Configuring RAID

Go to System > RAID to configure a redundant array of independent disks (RAID) for the FortiMail hard disks that are used to store logs and email.

Most FortiMail models can be configured to use RAID with their hard disks. The default RAID level should give good results, but you can modify the configuration to suit your individual requirements for enhanced performance and reliability. For more information, see “Configuring RAID for FortiMail 400B/400C/5002B models” on page 299 or “Configuring RAID on FortiMail 1000D/2000A/2000B/3000C/3000D/4000A models” on page 301.

You can configure the RAID levels for the local disk partitions used for storing email files or log files (in the case of FortiMail-400/400B/400C), depending on your requirements for performance, resiliency, and cost.

RAID events can be logged and reported with alert email. These events include disk full and disk failure notices. For more information, see “About FortiMail logging” on page 665, and “Configuring alert email” on page 682.

About RAID levels

Supported RAID levels vary by FortiMail model.

FortiMail 400B, 400C, and 5002B models use software RAID controllers which support RAID levels 0 or 1. You can configure the log disk with a RAID level that is different from the email disk.

FortiMail 1000D, 2000A, 2000B, 3000C, 3000D and 4000A models use hardware RAID controllers that require that the log disk and mail disk use the same RAID level.

FortiMail 100C, 200D, and 5001A models do not support RAID.

The available RAID levels depend on the number of hard drives installed in the FortiMail unit and different FortiMail models come with different number of factory-installed hard drives. You can added more hard drives if required. For details, see “Replacing a RAID disk” on page 304.

The following tables describe RAID levels supported by each FortiMail model.

Table 30:FortiMail supported RAID levels

Number of Installed Hard Drives Available RAID Levels Default RAID Level
1 0 0
2 0, 1 1
3 0, 1 + hot spare, 5 5
4 5 + hot spare, 10 10
5 5 + hot spare, 10 + hot spares 10 + hot spares
6 10, 50 10
7 or more 10, 10 + hot spares, 50, 50 + hot spares 50 + hot spares

Hot spares

FortiMail models with a hardware RAID controller have a hot spare RAID option. This feature consists of one or more disks that are pre-installed with the other disks in the unit. The hot spare disk is idle until an active hard disk in the RAID fails. Then the RAID immediately puts the hot spare disk into service and starts to rebuild the data from the failed disk onto it. This rebuilding may take up to several hours depending on system load and amount of data stored on the RAID, but the RAID continues without interruption during the process.

The hot spare feature has one or more extra hard disks installed with the RAID. A RAID 10 configuration requires two disks per RAID 1, and has only one hot spare disk. A RAID 50 configuration requires three disks per RAID 5, and can have up to two hot spare disks.

Configuring RAID for FortiMail 400B/400C/5002B models

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view and configure RAID levels

  1. Go to System > RAID > RAID System.

Figure 124:RAID System tab (FortiMail-400)

GUI item Description
Device Displays the name of the RAID unit. This indicates whether it is used for log message data or for mailboxes, mail queues, and other email-related data.

This is hard-coded and not configurable.

Unit Displays the internal mount point of the RAID unit. This is hard-coded and not configurable.
Level Displays the RAID level that indicates whether it is configured for optimal speed, failure tolerance, or both. For more information on RAID levels, see “About RAID levels” on page 298.
Resync Action Displays the status of the RAID device.

•      idle: The RAID is idle, with no data being written to or read from the RAID disks.

•      dirty: Data is currently buffered, waiting to be written to disk.

•      clean: No data is currently buffered, waiting to be written to the RAID unit.

•      errors: Errors were detected on the RAID unit.

•      no-errors: No errors were detected on the RAID unit.

•      dirty no-errors: Data is currently buffered, waiting to be written to the RAID unit, and there are currently no detected RAID errors. For a FortiMail unit in active use, this is the expected setting.

•      clean no-errors: No data is currently buffered, waiting to be written to the RAID unit, and there are currently no RAID errors. For a FortiMail unit with an unmounted array that is not in active use, this is the expected setting.

Resync Status If the RAID unit is not synchronized and you have clicked Click here to check array to cause it to rebuild itself, such as after a hard disk is replaced in the RAID unit, a progress bar indicates rebuild progress.

The progress bar appears only when Click here to check array has been clicked and the status of the RAID is not clean no-errors.

Speed Displays the average speed in kilobytes (KB) per second of the data transfer for the resynchronization. This is affected by the disk being in use during the resynchronization.
GUI item Description
Apply

(button)

Click to save changes.
Refresh

(button)

Click to manually initiate the tab’s display to refresh itself with current information.
ID/Port Indicates the identifier of each hard disk visible to the RAID controller.
Part of Unit Indicates the RAID unit to which the hard disk belongs, if any.

To be usable by the FortiMail unit, you must add the hard disk to a RAID unit.

Status Indicates the hardware viability of the hard disk.
Size Indicates the capacity of the hard disk, in gigabytes (GB).
Delete

(button)

Click to unmount a hard disk before swapping it.

After replacing the disk, add it to a RAID unit, then click Re-scan.

Back up data on the disk before beginning this procedure. Changing the device’s RAID level temporarily suspends all mail processing and erases all data on the hard disk. For more information on creating a backup, see “Backup and restore” on page 218.

  1. In the Level column, click the row corresponding to the RAID device whose RAID level you want to change.

The Level field changes to a drop-down menu.

  1. Select RAID level 0 or 1.
  2. Click Apply.

A warning message appears.

  1. Click Yes to confirm the change.

Configuring RAID on FortiMail 1000D/2000A/2000B/3000C/3000D/4000A models

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To configure RAID

  1. Go to System > RAID > RAID System.

Figure 125:RAID System tab (FortiMail-2000A/2000B/3000C/4000A)

GUI item Description
Model Displays the model of the hardware RAID controller.
Driver Displays the version of the RAID controller’s driver software.
Firmware Displays the version of the RAID controller’s firmware.
Set RAID level Select the RAID level, then click Change.

For more information about RAID levels, see “About RAID levels” on page 298.

Change

(button)

From Set RAID level, select the RAID style, then click this button to apply the RAID level.
Re-scan (button) Click to rebuild the RAID unit with disks that are currently a member of it, or detect newly added hard disks, and start a diagnostic check.

List of RAID units in the array

Unit Indicates the identifier of the RAID unit, such as u0.
Type Indicates the RAID level currently in use.

For more information, see “About RAID levels” on page 298. To change the RAID level, use Set RAID level.

GUI item Description
Status Indicates the status of the RAID unit.

•      OK: The RAID unit is operating normally.

•      Warning: The RAID controller is currently performing a background task (rebuilding, migrating, or initializing the RAID unit).

Caution: Do not remove hard disks while this status is displayed. Removing active hard disks can cause hardware damage.

•      Error: The RAID unit is degraded or inoperable. Causes vary, such as when too many hard disks in the unit fail and the RAID unit no longer has the minimum number of disks required to operate in your selected RAID level. To correct such a situation, replace the failed hard disks.

•      No Units: No RAID units are available.

Note: If both Error and Warning conditions exist, the status appears as Error.

Size Indicates the total disk space, in gigabytes (GB), available for the RAID unit.

Available space varies by your RAID level selection. Due to some space being consumed to store data required by RAID, available storage space will not equal the sum of the capacities of hard disks in the unit.

Ignore ECC Click turn on to ignore the Error Correcting Code (ECC). This option is off by default.

Ignoring the ECC can speed up building the RAID, but the RAID will not be as fault-tolerant.

This option is not available on FortiMail-2000B/3000C models.

List of hard disks in the array

ID/Port Indicates the identifier of each hard disk visible to the RAID controller.
Part of Unit Indicates the RAID unit to which the hard disk belongs, if any.

To be usable by the FortiMail unit, you must add the hard disk to a RAID unit.

Status Indicates the hardware viability of the hard disk.

•      OK: The hard disk is operating normally.

•      UNKNOWN: The viability of the hard disk is not known. Causes vary, such as the hard disk not being a member of a RAID unit. In such a case, the RAID controller does not monitor its current status.

Size Indicates the capacity of the hard disk, in gigabytes (GB).
Delete

(button)

Click to unmount a hard disk before swapping it.

After replacing the disk, add it to a RAID unit, then click Re-scan.

To change RAID levels

Back up data on the disk before beginning this procedure. Changing the device’s RAID level temporarily suspends all mail processing and erases all data on the hard disk. For more information on creating a backup, see “Backup and restore” on page 218.

  1. Go to System > RAID > RAID System.
  2. From Set RAID level, select a RAID level.
  3. Click Change.

The FortiMail unit changes the RAID level and reboots.

Replacing a RAID disk

When replacing a disk in the RAID array, the new disk must have the same or greater storage capacity than the existing disks in the array. If the new disk has a larger capacity than the other disks in the array, only the amount equal to the smallest hard disk will be used. For example, if the RAID has 400 GB disks, and you replace one with a 500 GB disk, to be consistent with the other disks, only 400 GB of the new disk will be used.

FortiMail units support hot swap; shutting down the FortiMail unit during hard disk replacement is not required.

To replace a disk in the array

  1. Go to System > RAID > RAID System.
  2. In the row corresponding to the hard disk that you want to replace (for example, p4), select the hard disk and click Delete.

The RAID controller removes the hard disk from the list.

  1. Protect the FortiMail unit from static electricity by using measures such as applying an antistatic wrist strap.
  2. Physically remove the hard disk that corresponds to the one you removed in the web UI from its drive bay on the FortiMail unit.

On a FortiMail-2000A or FortiMail-4000A, press in the tab, then pull the drive handle to remove the dive. On a FortiMail-2000B or FortiMail-3000C, press the button to eject the drive.

To locate the correct hard disk to remove on a FortiMail-2000A, refer to the following diagram.

Drive 1 (p0) Drive 4 (p3)
Drive 2 (p1) Drive 5 (p4)
Drive 3 (p2) Drive 6 (p5)

To locate the correct hard disk to remove on a FortiMail-2000B or 3000C, refer to the following diagram.

Drive 1 (p0) Drive 3 (p2) Drive 5 (p4)
Drive 2 (p1) Drive 4 (p3) Drive 6 (p5)

To locate the correct hard disk to remove on a FortiMail-4000A, look for the failed disk. (Disk drive locations vary by the RAID controller model.)

  1. Replace the hard disk with a new hard disk, inserting it into its drive bay on the FortiMail unit.
  2. Click Re-scan.

The RAID controller will scan for available hard disks and should locate the new hard disk. Depending on the RAID level, the FortiMail unit may either automatically add the new hard disk to the RAID unit or allocate it as a spare that will be automatically added to the array if one of the hard disks in the array fails.

The FortiMail unit rebuilds the RAID array with the new hard disk. Time required varies by the size of the array.

Connecting to FortiGuard Services

Connecting to FortiGuard services

After the FortiMail unit is physically installed and configured to operate in your network, if you have subscribed to FortiGuard Antivirus and/or FortiGuard Antispam services, connect the FortiMail unit to the Fortinet Distribution Network (FDN).

Connecting your FortiMail unit to the FDN or override server ensures that your FortiMail unit can:

  • download the most recent FortiGuard Antivirus and FortiGuard Antispam definitions and engine packages
  • query the FDN for blacklisted servers and other real-time information during FortiGuard Antispam scans, if configured

This way, you scan email using the most up-to-date protection.

The FDN is a world-wide network of Fortinet Distribution Servers (FDS). When a FortiMail unit connects to the FDN to download FortiGuard engine and definition updates, by default, it connects to the nearest FDS based on the current time zone setting. You can override the FDS to which the FortiMail unit connects.

Your FortiMail unit may be able to connect using the default settings. However, you should confirm this by verifying connectivity.

You must first register the FortiMail unit with the Fortinet Technical Support web site, https://support.fortinet.com/, to receive service from the FDN. The FortiMail unit must also have a valid Fortinet Technical Support contract which includes service subscriptions, and be able to connect to the FDN or the FDS that you will configure to override the default FDS addresses. For port numbers required for license validation and update connections, see the FortiMail Administration Guide.

Before performing the next procedure, if your FortiMail unit connects to the Internet using a proxy, use the CLI command config system fortiguard antivirus to enable the FortiMail unit to connect to the FDN through the proxy. For more information, see the FortiMail CLI Reference.

To override the default FDS server

  1. Go to Maintenance > FortiGuard > Update in the advanced mode of the web UI.
  2. In the FortiGuard Update Options area, select Use override server address,
  3. Enter the fully qualified domain name (FQDN) or IP address of the FDS.
  4. Click Apply.
  5. Click Refresh.

A dialog appears, notifying you that the process could take a few minutes.

The FortiMail unit tests the connection to the FDN and, if any, the override server. Time required varies by the speed of the FortiMail unit’s network connection, and the number of timeouts that occur before the connection attempt is successful or the FortiMail unit determines that it cannot connect. When the connection test completes, the page refreshes. Test results are displayed in the FortiGuard Distribution Network field.

  • Available: The FortiMail unit successfully connected to the FDN or override server.
  • Not available: The FortiMail unit could not connect to the FDN or override server, and will not be able to download updates from it. For CLI commands that may be able to assist you in troubleshooting, see “To verify rating query connectivity” on page 46.
  1. When successful connectivity has been verified, continue by configuring the FortiMail unit to receive engine and definition updates from the FDN or the override server using one or more of the following methods:
    • scheduled updates (see “Configuring scheduled updates” on page 47)
    • push updates (see “Configuring push updates” on page 48)
    • manually initiated updates (see “Manually requesting updates” on page 49)
  2. Click Apply to save your settings.

To verify rating query connectivity

  1. Go to Maintenance > FortiGuard > AntiSpam in the advanced mode of the web UI.
  2. Make sure the Enable Service check box is marked. If it is not, mark it and click Apply.

If the FortiMail unit can reach the DNS server, but cannot successfully resolve the domain name of the FDS, a message appears notifying you that a DNS error has occurred.

Figure 5: DNS error when resolving the FortiGuard Antispam domain name

Verify that the DNS servers contain A records to resolve service.fortiguard.net and other FDN servers. You may be able to obtain additional insight into the cause of the query failure by manually performing a DNS query from the FortiMail unit using the following CLI command:

execute nslookup name service.fortiguard.net

If the FortiMail unit cannot successfully connect, or if your FortiGuard Antispam license does not exist or is expired, a message appears notifying you that a connection error has occurred.

Figure 6: Connection error when verifying FortiGuard Antispam rating query connectivity

Verify that:

  • your FortiGuard Antispam license is valid and currently active
  • the default route (located in System > Network > Routing) is correctly configured
  • the FortiMail unit can connect to the DNS servers you configured during the Quick Start Wizard (located in System > Network > DNS), and to the FDN servers
  • firewalls between the FortiMail unit and the Internet or override server allow FDN traffic (For configuration examples specific to your operation mode, see “Gateway mode deployment” on page 50, “Transparent mode deployment” on page 78, or “Server mode deployment” on page 101.)

Obtain additional insight into the point of the connection failure by tracing the connection using the following CLI command:

execute traceroute <address_ipv4> where <address_ipv4> is the IP address of the DNS server or FDN server.

When query connectivity is successful, antispam profiles can use the FortiGuard-AntiSpam scan option.

If FortiGuard Antispam scanning is enabled, you can use the antispam log to analyze any query connectivity interruptions caused because FortiMail cannot connect to the FDN and/or its license is not valid. To enable the antispam log, go to Log and Report > Log Settings > Local Log Settings in the advanced mode of the web UI. To view the antispam log, go to Monitor > Log > AntiSpam, then mark the check box of a log file and click View.

If FortiMail cannot connect with the FDN server, the log Message field contains:

FortiGuard-Antispam: No Answer from server.

Verify that the FortiGuard Antispam license is still valid, and that network connectivity has not been disrupted for UDP port 53 traffic from the FortiMail unit to the Internet.

Configuring scheduled updates

You can configure the FortiMail unit to periodically request FortiGuard Antivirus and FortiGuard Antispam engine and definition updates from the FDN or override server.

You can use push updates or manually initiate updates as alternatives or in conjunction with scheduled updates. If protection from the latest viral threats is a high priority, you could configure both scheduled updates and push updates, using scheduled updates as a failover method to increase the likelihood that the FortiMail unit will still periodically retrieve updates if connectivity is interrupted during a push notification. While using only scheduled updates could potentially leave your network vulnerable to a new virus, it minimizes short disruptions to antivirus scans that can occur if the FortiMail unit applies push updates during peak volume times. For additional/alternative update methods, see “Configuring push updates” on page 48 and “Manually requesting updates” on page 49.

For example, you might schedule updates every night at 2 AM or weekly on Sunday, when email traffic volume is light.

Before configuring scheduled updates, first verify that the FortiMail unit can connect to the FDN or override server. For details, see “To override the default FDS server” on page 45.

To configure scheduled updates

  1. Go to Maintenance > FortiGuard > Update in the advanced mode of the web UI.
  2. Enable Scheduled Update.
  3. Select one of the following:
Every Select to request updates once per interval, then configure the number of hours and minutes between each request.
Daily Select to request updates once a day, then configure the time of day.
Weekly Select to request updates once a week, then configure the day of the week and the time of day.

Updating FortiGuard Antivirus definitions can cause a short disruption in traffic currently being scanned while the FortiMail unit applies the new signature database. To minimize disruptions, update when traffic is light, such as during the night.

  1. Click Apply.

The FortiMail unit starts the next scheduled update according to the configured update schedule. If you have enabled logging, when the FortiMail unit requests a scheduled update, the event is recorded in the event log.

Configuring push updates

You can configure the FortiMail unit to receive push updates from the FDN or override server.

When push updates are configured, the FortiMail unit first notifies the FDN of its IP address, or the IP address and port number override. (If your FortiMail unit’s IP address changes, including if it is configured with DHCP, the FortiMail unit automatically notifies the FDN of the new IP address.) As soon as new FortiGuard Antivirus and FortiGuard Antispam packages become available, the FDN sends an update availability notification to that IP address and port number. Within 60 seconds, the FortiMail unit then requests the package update as if it were a scheduled or manually initiated update.

You can use scheduled updates or manually initiate updates as alternatives or in conjunction with push updates. If protection from the latest viral threats is a high priority, you could configure both scheduled updates and push updates, using scheduled updates as a failover method to increase the likelihood that the FortiMail unit will still periodically retrieve updates if connectivity is interrupted during a push notification. Using push updates, however, can potentially cause short disruptions to antivirus scans that can occur if the FortiMail unit applies push updates during peak volume times. For additional/alternative update methods, see “Configuring scheduled updates” on page 47 and “Manually requesting updates” on page 49.

Before configuring push updates, first verify that the FortiMail unit can connect to the FDN or override server. For details, see “To override the default FDS server” on page 45.

To configure push updates

  1. Go to Maintenance > FortiGuard > Update in the advanced mode of the web UI.
  2. Enable Allow push update.
  3. If the FortiMail unit is behind a firewall or router performing NAT, enable Use override push IP and enter the external IP address and port number of the NAT device.

You must also configure the NAT device with port forwarding or a virtual IP to forward push notifications (UDP port 9443) to the FortiMail unit.

For example, if the FortiMail unit is behind a FortiGate unit, configure the FortiGate unit with a virtual IP that forwards push notifications from its external network interface to the private network IP address of the FortiMail unit. Then, on the FortiMail unit, configure Use override push IP with the IP address and port number of that virtual IP. For details on configuring virtual IPs and/or port forwarding, see the documentation for the NAT device.

Push updates require that the external IP address of the NAT device is not dynamic (such as an IP address automatically configured using DHCP). If dynamic, when the IP address changes, the override push IP will become out-of-date, causing subsequent push updates to fail.

If you do not enable Use override push IP, the FDN will send push notifications to the IP address of the FortiMail unit, which must be a public network IP address routable from the Internet.

  1. Click Apply.

The FortiMail unit notifies the FDN of its IP address or, if configured, the override push IP. When an update is available, the FDN will send push notifications to this IP address and port number.

  1. Click Refresh.

A dialog appears, notifying you that the process could take a few minutes.

The FDN tests the connection to the FortiMail unit. Time required varies by the speed of the FortiMail unit’s network connection, and the number of timeouts that occur before the connection attempt is successful or the FortiMail unit determines that it cannot connect. When the connection test completes, the page refreshes. Test results are displayed in the Push Update field.

  • Available: The FDN successfully connected to the FortiMail unit.
  • Not available: The FDN could not connect to the FortiMail unit, and will not be able to send push notifications to it. Verify that intermediary firewalls and routers do not block push notification traffic (UDP port 9443). If the FortiMail unit is behind a NAT device, verify that you have enabled and configured Use override push IP, and that the NAT device is configured to forward push notifications to the FortiMail unit.

Manually requesting updates

You can manually trigger the FortiMail unit to connect to the FDN or override server to request available updates for its FortiGuard Antivirus and FortiGuard Antispam packages.

You can manually initiate updates as an alternative or in addition to other update methods. For details, see “Configuring push updates” on page 48 and “Configuring scheduled updates” on page 47.

To manually request updates

Before manually initiating an update, first verify that the FortiMail unit can connect to the FDN or override server. For details, see “To override the default FDS server” on page 45.

  1. Go to Maintenance > FortiGuard > Update in the advanced mode of the web UI.
  2. Click Update Now.

Updating FortiGuard Antivirus definitions can cause a short disruption in traffic currently being scanned while the FortiMail unit applies the new signature database. To minimize disruptions, update when traffic is light, such as during the night.

The web UI displays a message similar to the following:

Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.

  1. Click RETURN.
  2. After a few minutes, select the Update tab to refresh the page, or go to Monitor > System Status > Status.

If an update was available, new version numbers appear for the packages that were updated. If you have enabled logging, messages are recorded to the event log indicating whether the update was successful or not.