Troubleshooting FortiGuard Issues

The document provides troubleshooting steps for issues with FortiGuard web filtering on FortiGate firewalls. It details checking that the web filtering service is enabled and the FortiGate can resolve domain names and connect to FortiGuard servers.

Uploaded by Pedro Camacho

11/6/23, 1:48 PM Troubleshooting Tip: FortiGuard Web Filtering prob... - Fortinet Community

ppatel (Staff)

Created on 05-14-2009 01:04 PM, edited on 09-19-2023 09:11 AM by Anthony_E

Article Id: 196965

Troubleshooting Tip: FortiGuard Web Filtering problems


Description

This article gives basic advice and steps to follow when beginning to troubleshoot and resolve some of the most common FortiGuard issues.

Scope

FortiOS FortiGuard Web Filtering services. NAT or Transparent mode units.

Solution

Problems that may be encountered could include:


• FortiGuard Web filter is blocking everything.
• FortiGuard Web filter is blocking nothing.
• Rating errors are displayed on every website.

1st Step: Make sure the unit has a Valid Contract and Web Filter subscription

FortiGuard Web filtering is a subscription service.


If the subscription has expired, FortiGuard web filtering stops functioning and effectively returns a rating error for every website accessed.

If this is the case, technical support has no ability to alter contract details. Contact the Fortinet Customer Service department for issues regarding the contract status.

Test #1: Is the service enabled? Make sure that at least one firewall policy has a Web Filter and SSL/SSH Inspection profile enabled

Run this CLI command in FortiGate CLI or Console in GUI:

diagnose debug rating

Output sample (FortiOS 5.4 and 5.6):

# diagnose debug rating
Locale : english
License : Contract

-=- Server List (Wed Oct 9 [Link] 2019) -=-

IP Weight RTT Flags TZ Packets Curr Lost Total Lost
[Link] 0 28 1 1 0 0
[Link] 0 29 1 1 0 0

Output sample (FortiOS 6.0 and 6.2):

# diagnose debug rating
Locale : english

Service : Web-filter
Status : Enable
License : Contract

Service : Antispam
Status : Disable

Service : Virus Outbreak Prevention
Status : Disable

-=- Server List (Thu Oct 10 [Link] 2019) -=-

IP Weight RTT Flags TZ Packets Curr Lost Total Lost
[Link] 0 28 1 1 0 0
[Link] 0 29 1 1 0 0
[Link] 10 0 DT 0 4 2 2

If the output shows that the service is not enabled, create a firewall policy and enable Web Filtering inspection there, then run the command above again.

Flag Description:
• D: The server was found through the DNS lookup of the hostname. If the hostname returns more than one IP address, all of them are flagged with D and are used first for INIT requests before falling back to the other servers.
• I: The server to which the last INIT request was sent.
• F: The server has not responded to requests and is considered to have failed.
• T: The server is currently being timed.
• S: Rating requests can be sent to the server. This flag is set for a server in only two cases:
  1. The server exists in the server list received from the FortiManager or any other INIT server.
  2. The server list received from the FortiManager is empty, so the FortiManager is the only server the FortiGate knows, and it should be used as the rating server.

If the output is similar, please proceed to Test #2.
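To make Test #1 repeatable across many units, here is an added Python example (not part of the article and not a Fortinet tool) that parses the server list printed by diagnose debug rating and applies the checks above: license, Web-filter status, the S and F flags, and packet loss. The sample output is constructed in the FortiOS 6.x layout with RFC 5737 documentation addresses; real output would be pasted in its place.

```python
import re
from collections import namedtuple
# Constructed sample in the FortiOS 6.x layout shown above; the IPs are
# RFC 5737 documentation addresses, not real FortiGuard servers.
SAMPLE = """\
Service : Web-filter
Status : Enable
License : Contract
-=- Server List (Thu Oct 10 10:21:33 2019) -=-
IP              Weight RTT Flags TZ Packets Curr Lost Total Lost
192.0.2.10      0      28  DIS   1  1       0         0
192.0.2.11      0      29  S     1  1       0         0
192.0.2.12      10     0   DT    0  4       2         2
192.0.2.13      0      31        1  1       0         0
"""

Server = namedtuple("Server", "ip weight rtt flags tz packets curr_lost total_lost")

def parse_rating(text):
    """Return ({service: enabled}, license, [Server]) from the command output."""
    services, lic, servers, svc = {}, None, [], None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Service\s*:\s*(.+)", line):
            svc = m.group(1).strip()
        elif m := re.match(r"Status\s*:\s*(\w+)", line):
            services[svc] = m.group(1) == "Enable"
        elif m := re.match(r"License\s*:\s*(\w+)", line):
            lic = m.group(1)
        elif re.match(r"\d+\.\d+\.\d+\.\d+\s", line):
            t = line.split()
            flags = t[3] if len(t) == 8 else ""  # the Flags column can be blank
            nums = [int(x) for x in t[1:3] + t[-4:]]
            servers.append(Server(t[0], nums[0], nums[1], flags, *nums[2:]))
    return services, lic, servers

def diagnose(text):
    """Apply the checks from Test #1 and the flag legend; return problem strings."""
    services, lic, servers = parse_rating(text)
    problems = []
    if lic != "Contract":
        problems.append(f"license is {lic!r}, not Contract: check the subscription")
    if services and not services.get("Web-filter"):  # 5.4/5.6 print no Service lines
        problems.append("Web-filter disabled: enable it in at least one firewall policy")
    if not any("S" in s.flags and "F" not in s.flags for s in servers):
        problems.append("no server carries the S flag, so rating requests cannot be sent")
    for s in servers:  # F, or every packet in the window lost, means the server is down
        if "F" in s.flags or (s.packets and s.curr_lost == s.packets):
            problems.append(f"{s.ip}: failed (flags {s.flags or '-'})")
    return problems
```

An empty list from diagnose() means the unit passes Test #1 and you can move on to Test #2.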

Test #2: Can the FortiGate get to the Internet DNS by IP?

Pick an IP address of a publicly available DNS Server and ping it from the CLI of the FortiGate:
# exec ping [Link]

Output sample:
# execute ping [Link]
PING [Link] ([Link]): 56 data bytes
64 bytes from [Link]: icmp_seq=0 ttl=50 time=17.3 ms
64 bytes from [Link]: icmp_seq=1 ttl=50 time=17.3 ms
64 bytes from [Link]: icmp_seq=2 ttl=50 time=17.3 ms
64 bytes from [Link]: icmp_seq=3 ttl=50 time=17.4 ms
64 bytes from [Link]: icmp_seq=4 ttl=50 time=17.4 ms
--- [Link] ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 17.3/17.3/17.4 ms

If this test fails: the problem is a routing issue, possibly on the FortiGate or beyond, and must be troubleshot to find its source.
This is a common problem when first installing the unit in transparent mode.

Note:
Some ISPs and networks block ICMP (ping) traffic.
Take this into account before considering the test to have failed.

If the Test is successful, proceed to Test #3.

Test #3: Can the FortiGate resolve FQDNs?

Pick a few random FQDNs and ping them to make sure the unit can resolve host names. For example:
# exec ping [Link]

Output sample:
# exec ping [Link]
PING [Link] ([Link]): 56 data bytes
64 bytes from [Link]: icmp_seq=0 ttl=51 time=18.2 ms
64 bytes from [Link]: icmp_seq=1 ttl=51 time=18.3 ms
64 bytes from [Link]: icmp_seq=2 ttl=51 time=18.2 ms
64 bytes from [Link]: icmp_seq=3 ttl=51 time=18.2 ms
64 bytes from [Link]: icmp_seq=4 ttl=51 time=18.2 ms
--- [Link] ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 18.2/18.2/18.3 ms

If this test fails: the problem is DNS related.
Try a different DNS server until this test resolves.

Note:
Some ISPs and networks block ICMP (ping) traffic.
Take this into account before considering the test to have failed.
The important part of this test is that the unit successfully resolves an FQDN to an IP, not that the ping succeeds.

If the Test is successful, proceed to Test #4.

Test #4: Can the FortiGate resolve a specific host name?

In the default configuration the unit needs to be able to resolve “[Link]”, “[Link]” and “[Link]” to an IP in order for FortiGuard web filtering to function correctly. From the command line on the FortiGate:
# exec ping [Link]
# exec ping [Link]
# exec ping [Link]

Output sample:
# exec ping [Link]
PING [Link] ([Link]): 56 data bytes
64 bytes from [Link]: icmp_seq=1 ttl=50 time=102.5 ms
64 bytes from [Link]: icmp_seq=2 ttl=50 time=104.2 ms
64 bytes from [Link]: icmp_seq=3 ttl=50 time=104.2 ms
64 bytes from [Link]: icmp_seq=4 ttl=50 time=104.2 ms
64 bytes from [Link]: icmp_seq=5 ttl=50 time=104.2 ms
--- [Link] ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 102.5/103.6/104.2 ms

Note: the FQDNs above might not be pingable; that is expected behavior.
The key point is to see whether these FQDNs are resolved.

If Test #4 fails, contact Fortinet Technical Support.

If the Test is successful, proceed to Test #5.

Test #5: Something in front of the unit is doing port blocking.

By default, FortiGate uses port 8888 as the destination port for Web Filtering communication with FortiGuard servers, and the port range 1024-25000 as source ports for self-originated traffic.
An alternative to port 8888 is port 53. The source port range can be changed as well.

Some ISPs do compliance checks on port 53 and will block non-DNS standard traffic.

Some ISPs block port 8888, as it is a nonstandard port.

Some ISPs do port blocking based on the source ports that traffic originates on.

First, try changing the Web Filtering port from 8888 to 53 in the GUI (or from 53 to 8888, depending on the configuration).
Go to System -> FortiGuard and, under the Filtering section, change the port, press the Check Again button, and then press Apply to save the changes.

Starting from FortiOS 6.2.2, there is also an option to use HTTPS on ports 443, 53 or 8888 instead of UDP.
Try the different combinations to see whether any of them works.

Alternatively, change the FortiGuard Web Filtering port in the CLI the following way:

# config system fortiguard
(fortiguard) set port 53
(fortiguard) end

If changing the Web Filtering port does not solve the problem, try changing the source port range for self-originated traffic:

config system global
(global) set ip-src-port-range 1031-4999
(global) end

# diagnose test application urlfilter 99

Double-check with the ISP to confirm there is absolutely no port blocking going on.


With many ISPs that claim not to be doing port blocking, changing the source port range of the firewall's self-originated traffic (ip-src-port-range) corrects this issue.

Starting from FortiOS 6.4, the unit uses HTTPS on port 443 by default. To change the port or protocol, use the following CLI configuration:

# config system fortiguard
set fortiguard-anycast disable

Disabling the anycast setting makes the options to select the protocol and port visible.

Labels: FortiGate 7.2, FortiGate V5.4, FortiGate V5.6, FortiGate V6.0, FortiGate V6.2, FortiGate V6.4, FortiGate V7.0, FortiGate V7.4


Contributors: ppatel, Nishtha_Baria, Anthony_E

Copyright 2023 Fortinet, Inc. All Rights Reserved.


