Fortiguard is a subscription based service from Fortinet, where your Fortigate queries their servers in real-time for various services:
- Periodic checking of Fortigate subscription/license validity for Web Filtering/AppControl/AntiVirus/AntiSpam/DNS Filtering.
- Real-time querying for visited by users web sites rating.
- Periodic signatures updates for IPS/AppControl/AntiVirus.
Most critical of them is Web Filter rating query - if your Fortigate cannot get answer what category the web site belongs to, access to this web site will be blocked by default. It means that if for any reason Fortigate cannot reach Fortiguard servers and it has security rules with Web Filtering by Category configured - those rules will BLOCK users access to ANY website, not just malicious ones.
First, as emergency but not advisable measure, you can click in Security Profiles -> Web Filter -> <Profile Used in Security Rules on Allow websites when a rating error occurs. This will ALLOW access to any website if a Fortigate cannot get rating from the FortiGuard. Also you can remove Web Filter Profile from Security Rules, but it is even worse security-wise.
So how do you debug such a situation?
First, check status of license/subscription and FortiGuard connection status in System -> FortiGuard - the Web Filtering status should be in green. This checks subscription license status, but not always detects connection to the FortiGuard status. If you see it red, it is most probably a license/subscription issue to be checked with Fortinet TAC, as subscription checks are done once in a while and are cached. To check actual connectivity to the FortiGuard servers - on the same page, under Filtering subsection, there is Test Connectivity button to push. It should return status as Up/green. Also pay attention to the widget on the same page in the right bottom corner FortiGuard Filter Rating Servers, it shows real time stats and IP addresses of the servers the Fortigate is trying to reach. If timings are unusually high and in red, there could be network connectivity problem, we will look at next.
First step in checking connectivity to FortiGuard servers is successful DNS resolving by Fortigate of the following hostnames:
- service.fortiguard.net
- update.fortiguard.net
- guard.fortinet.net
Even better check is to run ping exe ping to all the hostnames above to see if the Fortigate can resolve AND can reach them. The most important of them being service.fortiguard.net.
If the resolving is OK, next step is this:
diagnose debug rating
This will show a list of FortiGuard servers this Fortigate is trying to reach for Web Filtering rating and their status.
The output will look like:
Locale : englishService : Web-filterStatus : EnableLicense : ContractService : AntispamStatus : DisableService : Virus Outbreak PreventionStatus : DisableNum. of servers : 6Protocol : httpsPort : 443Anycast : DisableDefault servers : Included-=- Server List (Sun Feb 21 09:20:14 2021) -=-IP Weight RTT Flags TZ Packets Curr Lost Total Lost Updated Time149.5.232.18 10 84 1 1060088 0 815 Sun Feb 21 09:19:19 202112.34.97.18 70 566 -5 34828 0 6 Sun Feb 21 09:19:19 202165.210.95.234 70 572 -5 34165 0 418 Sun Feb 21 09:19:19 2021210.7.96.18 70 1439 9 30847 0 1 Sun Feb 21 09:19:20 202196.45.33.68 100 801 -8 33731 0 8 Sun Feb 21 09:19:19 2021173.243.138.210 100 821 DI -8 33874 0 22 Sun Feb 21 09:19:19 2021Here:
Status - shows if Web Filtering as a service is enabled.
Protocol - via what protocol this Fortigate is trying to reach FortiGuard servers (more on this below).
Anycast - whether this Fortigate is trying to reach Anycast servers of FortiGuard (more on this below).
Server List - actual list of FortiGuard servers that this Fortigate was/is trying to reach. Here most important is status legend:
- F: failed, bad - Fortigate tried few times to reach this server to no avail. Note that it is bad only if ALL servers in the list have this status. It is OK if only few of the servers are unreachable.
- D: this server was successfully resolved from FQDN to its IP address, but it does not indicate its reachability yet.
- I: server to which Fortigate tries to initiate connection, most frequently goes with D,it does not indicate if a server is working or not yet.
- T: server was found, it answered, and is now being "timed", i.e. its answer time/RTT is being measured.
- TZ: Time Zone, while not a status indicator, Fortigate tries and prefers servers with the least time zone difference in hope of geographic proximity. Therefore, it is quite important to set correctly the time zone for your Fortigate.
Fortigate communicates for its functions with just one server at a time - the one on top of the list. The rest of the servers are being constantly monitored and their RTT, and packet loss measured. If the top-list server fails, it will be replaced with the next best one and so on. We do not have capability to influence this server list manually.
So if all servers in the list have F(ailed), what do we do next?. This may mean either all Fortiguard servers at the Fortinet side are down (less likely), or that this Fortigate has the problem of reaching them at the network level.
Fortigate can use several ports to talk to Fortiguard servers (or Fortiguard Distribution Network as they call it) - 53, 8888, 443, the default being 8888. The port 53 is a well known DNS protocol/port, only that Fortigate uses proprietary UDP/53 obfuscated/encrypted protocol to query the servers, and for this reason some IPS/anti-DDoS/etc protections on the way from Fortigate to FortiGuard may mark such traffic as malicious and drop it. You can check if it is the case by going to System -> FortiGuard -> Filtering and change (if set so) from port 53 to port 8888. On newer FortiOS versions (6.4 and up) they moved this to CLI only: config sys fortiguard then set port 53|8888|443. So, as first debug measure it is recommended to try all possible ports and see if status of connection to the FortiGuard servers changes. Note about protocol I mentioned before - in 6.4 and newer they added option to force the communication to FortiGuard servers to be a valid HTTPS traffic, which is most likely to pass the Internet successfully. For this you have to enable it (in addition to setting port to 443) via CLI: config sys fortiguard, then set protocol https end.
Important note if you have VDOMs enabled - all communication to the Fortiguard network is initiated from management/root VDOM only! The frequent human error I've seen - someone by mistake changes management domain to the VDOM that has no/limited access to the Internet and as a consequence, it cannot reach FortiGuard network. Very common, indeed. To verify who is the management VDOM:
config sys global# show full | grep vdom set management-vdom "root" <-- THIS IS THE VDOM THAT WILL COMMUNICATE WITH FORTIGUARDAnycast servers - starting with FortiOS 6.4 the default setting to reach FortiGuard is anycast. The intention was good - to improve reachability of FortiGuard servers, but unfortunately the implementation did not live up to the expectations. More often than not it actually creates a problem in reaching the Fortinet servers. It may improve in the future, but for now my advice is to disable anycast and switch back to unicast servers. You do so in CLI:
config system fortiguardset fortiguard-anycast disableset protocol udpset port 8888set sdns-server-ip 208.91.112.220 <-- IMPORTANT TO ADD THIS OR ANY OTHER FDN SERVER TO PREVENT DOWNTIME!endThis configuration above will cause Fortigate to disable anycast, then reach the specified server (here 208.91.112.220), download from it the full list of available unicast servers and use them.
Sum up of steps to fix FortiGuard failed connection situation:
- Check that FortiGuard license on the Fortigate is in green.
- Make sure Fortigate can DNS resolve update.fortinet.net, service.fortinet.net
- Make sure Fortigate can ping service.fortinet.net
- Try changing communication with FortiGuard port between 53, 8888, 443
- Make sure (if VDOMs are enabled) that management VDOM has access to the Internet
- Disable anycast and enable unicast for FortiGuard services.
Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.
FAQs
How do I troubleshoot FortiGuard connectivity? ›
To test if FortiGuard is reachable, go to System > FortiGuard. Under Filtering, check Filtering Services Availability. If you don't see a green check mark, select Check Again. If you are still don't see a green check mark, change the FortiGuard Filtering Port to the alternate port (8888).
How do I connect to FortiGuard servers? ›You must first register the FortiWeb appliance with the Fortinet Technical Support web site, https://support.fortinet.com/, to receive service from the FDN. The FortiWeb appliance must also have a valid Fortinet Technical Support contract which includes service subscriptions, and be able to connect to the FDN.
Why can't FortiGate connect to FortiGuard servers? ›FortiGate. The issue is due to the 'cloud-communication' and 'include-default-servers' were disabled in previous firmware version, and it must be enabled in order to let fortigate communicate with fortiguard located at internet cloud.
Why is FortiGuard blocking my website? ›Websites will be blocked if the Fortigate doesn' t receive a proper rating from the Fortiguard servers. A workaround would be to enable " Allow Websites When a Rating Error Occurs" in the Webfilter profile until you can figure out what the connectivity issue with Fortiguard is.
How do I bypass Fortinet blocked sites? ›Click here to visit ExpressVPN and sign up
Get the ExpressVPN Chrome or FireFox extension. Open the extension and choose USA from the map. Go to any website previously blocked by FortiGuard. Enjoy full access to all web content.
- Go to System > FortiGuard.
- In the Override FortiGuard Servers table, click Create New. ...
- Select the server address type: IPv4, IPv6, or FQDN.
- Enter the server address of the selected type in the Address field.
- Select the type of server: AntiVirus & IPS Updates, Filtering, or Both.
1) Access the system using a web browser. 2) In the navigation tree, go to System -> Dashboard -> Status, and select the Revisions link for the System Information Widget. 3) Select Restore Factory Default or Revert.
How do I check my Fortinet firewall settings? ›- show system admin setting. ...
- show system backup all-settings. ...
- show system dns. ...
- show system global. ...
- show system interface. ...
- show system ntp. ...
- show system route.
Primary DNS server IP address, default is FortiGuard server at 208.81. 112.53. Secondary DNS server IP address, default is FortiGuard server at 208.81. 112.52.
How do I force FortiGuard to update? ›Go to System > FortiGuard. Under AntiVirus & IPS Updates, enable Scheduled Updates, and configure an update schedule. You can force the unit to connect to the AV/IPS server by selecting Update AV & IPS Definitions. Once the schedule has been enabled, select Apply.
Why is FortiGuard on my computer? ›
Fortiguard is a program that network administrators install on computers connected to a company's or educational institution's network to prevent users from accessing certain types of websites.
How do I know if my FortiGate firewall is blocking a website? ›Go to Security Profiles > Web Filter and go to the Static URL Filter section, then enable Content Filter to display its options. Select Create New to display the content filter options. For Pattern Type, select Regular Expression and enter your desired terms in the Pattern field (in this example, we use fortinet).
What is FortiGuard in FortiGate firewall? ›FortiGuard Security Services is a suite of market-leading, AI-enabled security capabilities providing application Content, Web, Device, and User security that continuously assesses the risks and automatically adjusts the Fortinet Security Fabric and ecosystem.
How do I troubleshoot FortiGate VPN? ›- Check that the policy for SSL VPN traffic is configured correctly. - Check the correct port number in the URL is used. Ensure FortiGate is reachable from the computer. -Check the browser has TLS 1.1, TLS 1.2, and TLS 1.3 enabled.
How do I stop my browser from blocking a website? ›...
Change settings for a specific site
- On your computer, open Chrome.
- Go to a site.
- To the left of the web address, click the icon you want: Lock. Info. Dangerous.
- Click Site settings.
- Change a permission setting.
Hello Guys,Using the Control PanelStep 1Click on the start menu and go to the control panel. Step 2Click "Programs and Features" to launch the programs and features window. Step 3Scroll down the window, click "Fortinet Antivirus," and then click the uninstall button.
Why does my browser keep blocking websites? ›Websites get blocked when they detect an IP address that isn't supposed to access the restricted content. Your IP (Internet Protocol) address identifies your device on the internet and reveals your physical location. That's what lets websites find your IP and block (or allow) your device.
How do I disable fortinet on startup? ›1) Right-click on the FortiClient icon on the taskbar and select Shutdown FortiClient. 2) go to command prompt and enter: net stop fortishield [ENTER] 3) RUN -> msconfig and go to services tab. Uncheck the service FortiClient Service Scheduler and [APPLY] - Do not restart the PC now.
How do I bypass firewall restrictions? ›Use a VPN to Encrypt Your Traffic
VPNs, on the other hand, allow you to get past school firewalls by encrypting your traffic. Proxies get around the restrictions by giving you the banned website via a whitelisted one, but a VPN protects you by not allowing the firewall to see your browsing in the first place.
To block the third-party VPNs, set the category 'Proxy' and the signatures, 'IKE' and 'ISAKMP' to Block in application control. That should block most, if not all the VPNs are not found.
Is it possible to bypass Fortinet? ›
Yes it is possible because in hacking everything is possible . But at a time is not possible to bypass the fortinet security . Because it is a “multinational cyber security” company they provides security to top companies it is also has a advanced security.
What happens when FortiGuard expires? ›What happens if the FortiGuard contract is expired: If the license is not renewed FortiGuard webfilter, FortiGuard category based web filtering will stop working. However, if there is Static URL filtering applied, that will be still working as per the configured entries.
How do I manually restart FortiGate? ›Go to System Settings > Dashboard. In the Unit Operation widget, click the Restart button. Enter a message for the event log, then click OK to restart the system.
How do I restart Fortinet firewall? ›- Go to System Settings > Dashboard.
- In the Unit Operation widget, click the Restart button.
- Enter a message for the event log, then click OK to restart the system.
By default, your FortiGate has an administrator account set up with the username admin and no password.
How do I connect my Fortinet firewall? ›You connect to the FortiGate-VM GUI via a web browser by entering the IP address assigned to the port 1 interface (see Configuring port 1) in the browser location field. You must enable HTTP and/or HTTPS access and administrative access on the interface to ensure that you can connect to the GUI.
What is the default IP address for managing the Fortinet firewall? ›The device should respond on the default IP address 192.168. 1.99, then we can open the web-based manager with a browser using the following URL: https://192.168.1.99 . The default user ( admin ) does not require password (see the following screenshot):
How do you allow IP address in Fortinet? ›Log in to your Fortinet account. Navigate to Security Profiles > Web Filter. Create a new web filter or select one to edit. Expand Static URL Filter, enable URL Filter, and select Create.
How do I update my Fortinet firewall? ›To upgrade your firmware using the web UI
Go to System > System Information. Under System Information, in the Firmware Version information, click Update. Do one of the following to select the firmware image file: Enter the path and file name of the file.
- Open the old FortiClient.
- Go to Fabric Telemetry.
- Click "disconnect"
- Closeout of the FortiClient application.
- Open FortiClientUninstaller from applications folder.
- When prompted, click "uninstall" This will uninstall the applications and all configurations set up at the time of install.
How do I access blocked websites? ›
- Method 1: Use a proxy.
- Method 2: Use the Google cache.
- Method 3: Try a URL shortener.
- Method 4: Try the IP address.
- Method 5: Unblock websites in Chrome and Safari.
- Method 6: Switch between HTTP and HTTPS.
- Method 7: Use Tor Browser.
- Method 8: Use a VPN.
FortiClient web security plug-in helps block malicious, objectionable and phishing websites ensuring a safe browsing experience. Fortinet's FortiClient Endpoint plug-in helps enforce Web Security feature for safe browsing on Chrome devices.
How do I know if my firewall is blocking VPN? ›If you're VPN is blocked, you typically won't be able to access the web at all. If a site is blocking VPN traffic, they'll usually display an error message when you try to access it.
How do I know if my website is blocking my IP address? ›How Do I Know If My IP Is Being Blocked? To confirm you are blocked from accessing your server, you should try to log in to your web server, as usual, to see what kind of connection error message you're getting. This error will often provide a specific reason that your IP has been blocked.
How do I make sure my firewall isn't blocking VPN? ›- Choosing a secure and reliable VPN. ...
- Switching to another server or VPN. ...
- Using obfuscated servers. ...
- Changing the tunneling protocol, encryption, or port. ...
- Getting a dedicated/static IP address. ...
- Switching to mobile data. ...
- Changing the DNS settings. ...
- Setting up a manual VPN connection.
FortiGuard services can be purchased and registered to your FortiGate unit. The FortiGate must be connected to the Internet in order to automatically connect to the FortiGuard Distribution Network (FDN) to validate the license and download FDN updates. The FortiGuard subscription update services include: Antivirus (AV)
Is FortiGuard a firewall? ›Basically, FortiGuard is the constantly self-updating security part of your Fortinet firewall. It's what makes it a firewall. And, each option includes a range of security services designed to tackle the most advanced threats at any given time.
What is the difference between Fortinet and FortiGate firewall? ›FortiNet FortiGate is a firewall option with high integrability. It offers a variety of deployment options and next-gen firewall capabilities, including integration with IaaS cloud platforms and public cloud environments. FortiExtender is the wireless WAN offering from Fortinet.
How do I debug a VPN problem? ›- Test Your Internet Connection.
- Restart the VPN Software.
- Clear your Device of Old VPN Software.
- Make Use of the VPN's Help Function.
- Make Sure Your VPN is Up To Date.
- Change the VPN Server.
- Connect Using a Different VPN Protocol.
- Check Your Firewall.
- Change your VPN server. ...
- Reboot the device (and the router). ...
- Temporarily disable firewalls/antivirus/anti-spyware. ...
- Connect using a different protocol. ...
- Reinstall & reboot. ...
- Switch networks. ...
- Disable Battery Saving/Low Power Mode. ...
- Reset your Wi-Fi network (on Wi-Fi).
Why FortiClient VPN is not connecting? ›
Solution. - The issue is usually due to network connection. - Check whether the PC is able to access the internet and reach VPN server on necessary port. - Check whether correct remote Gateway and port is configured in FortiClient settings.
What to do when it says Cannot connect to server? ›- Restart Your Computer. ...
- Follow the Error Messages. ...
- Identify Where the Shared Drive is Hosted. ...
- Permissions. ...
- Look For What Might Be Different. ...
- Partner With Electric.
The network configuration has changed (ie. The internal server IP has changed, the dynamic internet IP has changed, port 8082 is blocked, etc.). There is a firewall blocking the connection (ie. Windows Firewall on either the server or the client, 3rd party firewall software, the firewall on the router).
Why can't Safari open a website? ›Check Safari settings
The webpage might not be compatible with one or more browser settings, which you can turn on or off as needed. From the menu bar in Safari, choose Safari > Settings (or Preferences). Then click Websites, Privacy, or Security to access these settings: Websites settings.
Clear Your Browser Cache
In some cases, you might run into the “This site can't be reached” error due to problems with your cached files. To solve that issue, you'll need to clear your browser cache. Clearing cached images and files in Chrome. Click on Clear Data,and that's it.
- Click on Show Options.
- Enter the IP Address into the Computer Name text field.
- Next, enter the username credentials you have been authorized to use to log into the computer.
- You can choose to check the Allow me to save credentials.
Select the Start button, then type settings. Select Settings > Network & internet. The status of your network connection will appear at the top.
How do you fix unable to connect to server server may be offline or you may not be connected to the Internet steam? ›...
Fix 4. Delete cache and cookies via the Steam client
- Open Steam.
- Go to Steam > Settings and select Web Browser on the left.
- On the right side, click Delete web browser cache and Delete all browser cookies.
- Restart Steam.
Windows 10 error message "Can't find server" or "Couldn't locate machine" in FileBrowser. This error message means that no device on the network has responded to the name that you have entered. If you want to get connected as quickly as possible, use an IP address instead of a network name.
How do I disable Fortinet in Chrome? ›- Click on the start menu and go to the control panel. ...
- Click "Programs and Features" to launch the programs and features window.
- Scroll down the window, click "Fortinet Antivirus," and then click the uninstall button.