Connecting to FortiGuard services
Most exploits and virus exposures occur within the first 2 months of a known vulnerability. Most botnets consist of thousands of zombie computers whose IP addresses are continuously changing. To keep your defenses effective against the evolving threat landscape, Fortinet recommends FortiGuard services. New vulnerabilities and botnets are discovered, and new signatures are built, by Fortinet researchers every day.
Without these updates, your FortiWeb cannot detect the newest threats.
After you have subscribed to FortiGuard services, configure your FortiWeb appliance to connect to the Internet so that it can reach the world-wide Fortinet Distribution Network (FDN) in order to:
- verify its FortiGuard service licenses
- download up-to-date signatures, IP lists, and engine packages
FortiWeb appliances often can connect using default settings. However, due to differences in routing and firewalling, you should confirm this by verifying connectivity.
To determine your FortiGuard license status
1. If your FortiWeb appliance must connect to the Internet through an explicit (non-transparent) web proxy, configure the proxy connection (see Accessing FortiGuard via a web proxy).
The appliance will attempt to validate its license when it boots. If the appliance could not connect because proxy settings were not configured, or due to any other connectivity issue that you have since resolved, you can reboot the appliance to re-attempt license validation.
2. Go to System > Status > Status.
To access this part of the web UI, your administrator's account access profile must have Read permission to items in the System Configuration category. For details, see Permissions.
3. In the FortiGuard Information widget, look at the FortiWeb Security Service row, FortiWeb Antivirus Service row, and FortiWeb IP Reputation Service row.
FortiGuard Information widget
- Valid — At the last attempt, the FortiWeb appliance was able to successfully contact the FDN and validate its FortiGuard license. Continue with Scheduling automatic signature updates.
- Expired — At the last attempt, the license was either expired or FortiWeb was unable to determine license status due to network connection errors with the FDN.
Your FortiWeb appliance cannot detect the latest vulnerabilities and compliance violations unless it is licensed and has network connectivity to download current definitions from the FortiGuard service.
If the connection did not succeed:
- On FortiWeb, verify the following settings:
- time zone & time
- DNS settings
- network interface up/down status & IP
- static routes
- On your computer, use nslookup to verify that FortiGuard domain names are resolving (license authentication queries are sent to update.fortiguard.net).
C:\Users\cschwartz>nslookup update.fortiguard.net
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: fds1.fortinet.com
Addresses: 209.66.81.150
209.66.81.151
208.91.112.66
Aliases: update.fortiguard.net
- On FortiWeb, use execute ping and execute traceroute to verify that connectivity from FortiWeb to the Internet and FortiGuard is possible. Check the configuration of any NAT or firewall devices that exist between the FortiWeb appliance and the FDN or FDS server override.
FortiWeb # exec traceroute update.fortiguard.net
traceroute to update.fortiguard.net (209.66.81.150), 32 hops max, 84 byte packets
1 192.0.2.2 0 ms 0 ms 0 ms
2 209.87.254.221 <static-209-87-254-221.storm.ca> 4 ms 2 ms 3 ms
3 209.87.239.161 <core-2-g0-3.storm.ca> 2 ms 3 ms 3 ms
4 67.69.228.161 3 ms 4 ms 3 ms
5 64.230.164.17 <core2-ottawa23_POS13-1-0.net.bell.ca> 3 ms 5 ms 3 ms
6 64.230.99.250 <tcore4-ottawa23_0-4-2-0.net.bell.ca> 16 ms 17 ms 15 ms
7 64.230.79.222 <tcore3-montreal01_pos0-14-0-0.net.bell.ca> 14 ms 14 ms 15 ms
8 64.230.187.238 <newcore2-newyork83_so6-0-0_0> 63 ms 15 ms 14 ms
9 64.230.187.42 <bxX5-newyork83_POS9-0-0.net.bell.ca> 21 ms 64.230.187.93 <BX5-NEWYORK83_POS12-0-0_core.net.bell.ca> 17 ms 16 ms
10 67.69.246.78 <Abovenet_NY.net.bell.ca> 28 ms 28 ms 28 ms
11 64.125.21.86 <xe-1-3-0.cr2.lga5.us.above.net> 29 ms 29 ms 30 ms
12 64.125.27.33 <xe-0-2-0.cr2.ord2.us.above.net> 31 ms 31 ms 33 ms
13 64.125.25.6 <xe-4-1-0.cr2.sjc2.us.above.net> 82 ms 82 ms 100 ms
14 64.125.26.202 <xe-1-1-0.er2.sjc2.us.above.net> 80 ms 79 ms 82 ms
15 209.66.64.93 <209.66.64.93.t01015-01.above.net> 80 ms 80 ms 79 ms
16 209.66.81.150 <209.66.81.150.available.above.net> 83 ms 82 ms 81 ms
To verify FortiGuard update connectivity
1. If your FortiWeb appliance must connect to the Internet (and therefore the FDN) through an explicit (non-transparent) web proxy, configure the proxy connection (see Accessing FortiGuard via a web proxy).
2. Go to System > Config > FortiGuard.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see Permissions.
3. If you want your FortiWeb appliance to connect to a specific FDS other than the default for its time zone, enable Use override server address, and enter the IP address and port number of an FDS in the format <FDS_ipv4>:<port_int>, such as 10.0.0.1:443.
4. Click Apply.
5. Click Update Now.
The FortiWeb appliance tests the connection to the FDN and, if you specified one, to the server that overrides the default FDN server. Time required varies by the speed of the FortiWeb appliance’s network connection, and by the number of timeouts that occur before the connection attempt is successful or the FortiWeb appliance determines that it cannot connect. If you have enabled logging in:
- Log & Report > Log Config > Other Log Settings
- Log & Report > Log Config > Global Log Settings
test results are indicated in Log & Report > Log Access > Event.
If the connection test did not succeed due to license issues, you would instead see this log message:
For more troubleshooting information, enter the following commands:
diagnose debug enable
diagnose debug application fds 8
These commands cause additional information to be displayed in your CLI console. For example:
FortiWeb # [update]: Poll timeout.
FortiWeb # *ATTENTION*: license registration status changed to 'VALID',please logout and re-login
For example, poll (license and update request) timeouts can be caused by incorrectly configured static routes and DNS settings, links with high packet loss, and other basic connectivity issues. Unless you override the behavior with a specific FDS address (enable and configure Use override server address), FortiWeb appliances connect to the FDN by connecting to the server nearest to the FortiWeb appliance according to its configured time zone. Timeouts can therefore also be caused by an incorrect time zone.
See also
- Blacklisting source IPs with poor reputation
- Antivirus Scan
- Recognizing data types
- Logging
- Configuring log destinations
- Viewing log messages
- IPv6 support
Choosing the virus signature database & decompression buffer
Most viruses are actively spreading initially, but as hosts are patched and more networks filter them out, their occurrence becomes more rare.
Fortinet’s FortiGuard Global Security Research Team continuously monitors detections of new and older viruses. When a specific virus has not been detected for one year, it is considered to be dormant. It is possible that a new outbreak could revive it, but that is increasingly unlikely as time passes due to replacement of vulnerable hardware and patching of vulnerable software. Therefore dormant viruses’ signatures are removed from the “Regular” database, but preserved in the “Extended” signature database.
If your FortiWeb’s performance is more critical than the risk of these dormant viruses, you can choose to omit signatures for obsolete viruses by selecting the “Regular” database on System > Config > FortiGuard.
Selecting the virus database and buffer size on System> Config> FortiGuard
Accessing FortiGuard via a web proxy
Using the CLI, you can configure the FortiWeb appliance to connect through an explicit (non-transparent) web proxy server to the FortiGuard Distribution Network (FDN) for signature updates.
For example, you might enter the following commands:
config system autoupdate tunneling
set status enable
set address 192.168.1.10
set port 8080
set username FortiWeb
set password myPassword1
end
For details, see the FortiWeb CLI Reference.
The FortiWeb appliance connects to the proxy using the HTTP CONNECT method, as described in RFC 2616.
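As an added example (not part of this documentation or of FortiWeb's own code), the following Python script performs the same HTTP CONNECT handshake from an administrator's workstation, so you can confirm that the proxy permits a tunnel to update.fortiguard.net:443 before configuring the appliance. The proxy address, port and credentials reuse the CLI example above; Basic proxy authentication is an assumption, since the page does not say which scheme the proxy requires.

```python
import base64
import socket

# Assumed values (not from the page): proxy settings mirror the CLI example above,
# and the target is the host the page names for license authentication queries.
PROXY_HOST = "192.168.1.10"
PROXY_PORT = 8080
PROXY_USER = "FortiWeb"
PROXY_PASS = "myPassword1"
FDN_TARGET = ("update.fortiguard.net", 443)


def build_connect_request(host, port, username=None, password=None):
    """Build the HTTP CONNECT request an explicit proxy expects.
    Proxy-Authorization with Basic credentials is an assumption; the page does
    not say which authentication scheme the proxy uses."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_connect_response(raw):
    """Return (status_code, reason) from the proxy's status line."""
    status_line = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), parts[2] if len(parts) == 3 else ""


def classify(status):
    """2xx: the proxy opened the tunnel. 407: it rejected the credentials.
    Anything else: a proxy policy or upstream connectivity problem to investigate."""
    if 200 <= status < 300:
        return "tunnel-open"
    if status == 407:
        return "proxy-auth-failed"
    return "proxy-refused"


def check_proxy_tunnel(proxy_host, proxy_port, target, username, password, timeout=10):
    """Live check: ask the proxy for a CONNECT tunnel to the FDN host and classify its answer."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(build_connect_request(*target, username, password).encode())
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify(parse_connect_response(raw)[0])


if __name__ == "__main__":
    print(check_proxy_tunnel(PROXY_HOST, PROXY_PORT, FDN_TARGET, PROXY_USER, PROXY_PASS))
```

A "proxy-auth-failed" result points at the username and password in the tunneling configuration; "proxy-refused" usually means the proxy's policy does not allow CONNECT to that host and port.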
How often does Fortinet provide FortiGuard updates for FortiWeb?
Security is only as good as your most recent update. Without up-to-date signatures and blacklists, your network would be vulnerable to new attacks. However, if the updates were released before adequate testing and not accurate, FortiWeb scans would result in false positives or false negatives. For maximum benefit and minimum risk, updates must balance the two needs: to be both accurate and current.
Fortinet releases FortiGuard updates according to the best frequency for each technology.
- Antivirus — Multiple times per day. Updates are fast to test and low risk, while viruses can spread quickly and the newest ones are most common.
- IP reputation — Once per day (approximately). Some time is required to make certain of an IP address’s reputation, but waiting too long would increase the probability of blacklisting innocent DHCP/PPPoE clients that re-use an IP address previously leased by an attacker.
- Attack, data type, suspicious URL, and data leak signatures — Once every 1-2 weeks (approximately). Signatures must be tuned to be flexible enough to match heuristic permutations of attacks without triggering false positives in similar but innocent HTTP requests/responses. Signatures must then be thoroughly tested to analyze any performance impacts and mismatches that are an inherent risk in feature-complete regular expression engines. Many exploits and data leaks also continue to be relevant for 2 years or more, much longer than most viruses. This increases their value and makes it worthwhile to optimize, tuning each signature to be both flexible and high-performance.
- Geography-to-IP mappings — Once every month (approximately). These change rarely. Additionally, FortiWeb cannot poll for these updates and automatically apply them. You must manually upload the updates (see Updating data analytics definitions).
See also
- Validating parameters (“input rules”)
- Preventing tampering with hidden inputs
- Limiting file uploads
- Auto-learning
- Predefined suspicious request URLs
- Blacklisting source IPs with poor reputation
- Updating data analytics definitions
Scheduling automatic signature updates
Your FortiWeb appliance uses signatures, IP lists, and data type definitions for many features, including to detect attacks such as:
FortiWeb also can use virus definitions to block trojan uploads, and can use IP reputation definitions to allow search engines but block botnets and anonymizing proxies preferred by hackers. FortiGuard services ensure that your FortiWeb is using the most advanced attack protections. Timely updates are crucial to defending your network.
You can configure the FortiWeb appliance to periodically poll for FortiGuard service updates from the FDN, and automatically download and apply updates if they exist.
For example, you might schedule update requests every night at 2 AM local time, when traffic volume is light.
Alternatively, you can manually upload update packages, or initiate an update request. For details, see Manually initiating update requests and . You can manually initiate updates as alternatives or in conjunction with scheduled updates. For additional/alternative update methods, see Manually initiating update requests.
To configure automatic updates
1. Verify that the FortiWeb appliance has a valid license and can connect to the FDN, or (if destination NAT is used, for example) the IP address that you are using to override the default IPs for FDN servers. For details, see To determine your FortiGuard license status and To verify FortiGuard update connectivity.
2. Go to System > Config > FortiGuard.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see Permissions.
The page informs you if you are not registered or if registration has expired. If your registration is active, continue scheduling updates; otherwise, click Register or Renew.
3. Enable Scheduled Update.
4. Select one of the following options:
- Every — Select to request to update once every 1 to 23 hours, then select the number of hours between each update request.
- Daily — Select to update once every day, then select the hour. The update attempt occurs at a randomly determined time within the selected hour.
- Weekly — Select to request to update once a week, then select the day of the week, the hour, and the minute of the day to check for updates.
If you select 00 minutes, the update request occurs at a randomly determined time within the selected hour.
5. Click Apply.
The FortiWeb appliance next requests an update according to the schedule.
At the scheduled time, FortiWeb starts the update. Under Current update status, the following information is displayed:
- The name of the update package that is currently downloading, the start time of the download operation, and the percentage complete.
- A Refresh button, which allows you to update the package download status information.
- If FortiWeb is downloading an anti-virus package, a Stop button.
This option is useful if, for example, the download is slow and you want to stop it and try again later. It can also be useful if you want to stop the scheduled update and instead update your anti-virus package using a file you have manually downloaded from the Fortinet Technical Support web site (.)
Results of the update activity appear in FortiWeb Security Service in the FortiGuard Information widget. If you have enabled logging in:
- Log & Report > Log Config > Other Log Settings
- Log & Report > Log Config > Global Log Settings
when the FortiWeb appliance requests an update, the event is recorded in Log & Report > Log Access > Event, with log messages such as:
FortiWeb virus signature is already up-to-date
FortiWeb IP reputation signature update succeeded
If the FortiWeb appliance cannot successfully connect, it records a log with a message that varies by the cause of the error, such as:
FortiWeb is unauthorized
Once the attack signature update is complete, FortiWeb immediately begins to use the new signatures. No reboot is required.
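The event messages quoted above (and again under Manually initiating update requests) are what an operator has to watch, because an appliance that keeps logging "FortiWeb is unauthorized" is running on aging definitions. As an added example that is not part of this documentation or of FortiWeb, the following Python script audits a constructed sample of those messages: it reports each service's last successful update as current or stale against a chosen maximum age, and flags the license when the latest event is the unauthorized message. The timestamp prefix, the one-line layout and the two-day threshold are assumptions for the example, not FortiWeb's actual log format or a Fortinet recommendation.

```python
from datetime import datetime, timedelta

# Constructed sample event log. The message texts are the ones this page quotes;
# the timestamp prefix, ordering and one-line format are assumptions made for the
# example, not FortiWeb's actual event log layout.
SAMPLE_EVENT_LOG = """\
2024-05-01 02:07:13 FortiWeb virus signature is already up-to-date
2024-05-01 02:07:15 FortiWeb IP reputation signature update succeeded
2024-05-03 02:11:02 FortiWeb virus signature update succeeded
2024-05-04 02:03:40 FortiWeb is unauthorized
"""

# Services named in the page's messages, and the phrases meaning "definitions are current".
SERVICES = ("virus signature", "IP reputation signature")
SUCCESS_PHRASES = ("is already up-to-date", "update succeeded")
FAILURE_PHRASE = "is unauthorized"


def parse_event_line(line):
    """Return (timestamp, message) or None when the line is not a timestamped FortiWeb event."""
    stamp, _, rest = line.partition(" FortiWeb ")
    if not rest:
        return None
    try:
        return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), "FortiWeb " + rest.strip()
    except ValueError:
        return None


def audit_updates(log_text, now, max_age=timedelta(days=2)):
    """Per service: 'current', 'stale' (no success within max_age) or 'never-updated'.
    'license' is 'unauthorized' when the latest event is the page's unauthorized
    message, i.e. a license or FDN connectivity failure that needs attention."""
    last_ok, last_message = {}, None
    for line in log_text.splitlines():
        parsed = parse_event_line(line)
        if parsed is None:
            continue
        ts, last_message = parsed
        if any(phrase in last_message for phrase in SUCCESS_PHRASES):
            for service in SERVICES:
                if service in last_message:
                    last_ok[service] = ts
    report = {}
    for service in SERVICES:
        if service not in last_ok:
            report[service] = "never-updated"
        else:
            report[service] = "stale" if now - last_ok[service] > max_age else "current"
    report["license"] = "unauthorized" if last_message and FAILURE_PHRASE in last_message else "ok"
    return report


def audit_sample():
    """Run the audit over the constructed log as of 2024-05-04 09:00 (assumed 'now')."""
    return audit_updates(SAMPLE_EVENT_LOG, datetime(2024, 5, 4, 9, 0))


if __name__ == "__main__":
    for service, status in audit_sample().items():
        print(f"{service}: {status}")
```

Pick max_age from the update frequencies listed under How often does Fortinet provide FortiGuard updates for FortiWeb?, since a service that updates daily goes stale far sooner than one refreshed every two weeks.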
See also
- How often does Fortinet provide FortiGuard updates for FortiWeb?
- Validating parameters (“input rules”)
- Preventing tampering with hidden inputs
- Limiting file uploads
- Auto-learning
- Predefined suspicious request URLs
- Blacklisting source IPs with poor reputation
Manually initiating update requests
If an important update has been released but there is too much time remaining until your appliance’s next scheduled update poll, you can manually trigger the FortiWeb appliance to connect to the FDN or FDS server override to request available updates for its FortiGuard service packages.
You can manually initiate updates as an alternative or in addition to other update methods. For details, see Scheduling automatic signature updates and .
To manually request updates
1. Before manually initiating an update, first verify that the FortiWeb appliance has a valid license and can connect to the FDN or override server. For details, see To determine your FortiGuard license status and To verify FortiGuard update connectivity.
2. Go to System > Config > FortiGuard.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see Permissions.
3. Click Update Now.
The web UI displays a message similar to the following:
Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.
After the update starts, under Current update status, the following information is displayed:
- The name of the update package that is currently downloading, the start time of the download operation, and the percentage complete.
- A Refresh button, which allows you to update the package download status information.
- If FortiWeb is downloading an anti-virus package, a Stop button.
This option is useful if, for example, the download is slow and you want to stop it and try again later. It can also be useful if you want to stop the scheduled update and instead update your anti-virus package using a file you have manually downloaded from the Fortinet Technical Support web site (.)
Results of the update activity appear in FortiWeb Security Service in the FortiGuard Information widget. If you have enabled logging in:
- Log & Report > Log Config > Other Log Settings
- Log & Report > Log Config > Global Log Settings
when the FortiWeb appliance requests an update, the event is recorded in Log & Report > Log Access > Event, with log messages such as:
FortiWeb virus signature is already up-to-date
FortiWeb IP reputation signature update succeeded
If the FortiWeb appliance cannot successfully connect, it records a log with a message that varies by the cause of the error, such as:
Once the attack signature update is complete, FortiWeb immediately begins to use the new signatures. No reboot is required.
Uploading signature & geography-to-IP updates
You can manually update the geography-to-IP mappings and the attack, virus, and botnet signatures that your FortiWeb appliance uses to detect attacks. Updating these ensures that your FortiWeb appliance can detect recently discovered variations of these attacks, and that it knows about the current statuses of all IP addresses on the public Internet.
After restoring the firmware of the FortiWeb appliance, you should install the most currently available packages through FortiGuard. Restoring firmware installs the packages that were current at the time the firmware image file was made: they may no longer be up-to-date.
Alternatively, you can schedule automatic updates, or manually trigger the appliance to immediately request an update. For details, see Scheduling automatic signature updates and Manually initiating update requests. This does not, however, update geography-to-IP mappings, which still must be uploaded manually. |
To manually upload signatures
1. Download the file from the Fortinet Technical Support web site:
https://support.fortinet.com/
2. Log in to the web UI of the FortiWeb appliance as the admin
administrator, or an administrator account whose access profile contains Read and Write permissions in the Maintenance category.
3. Go to System > Config > FortiGuard.
4. In the row next to the service whose signatures you want to upload, click the Update link.
A dialog appears that allows you to upload the file.
5. Click the Browse button (its name varies by browser) and select the signatures file, then click OK.
Your browser uploads the file. Time required varies by the size of the file and the speed of your network connection. Once the attack signature update is complete, FortiWeb immediately begins to use the new signatures. No reboot is required.
See also
- Restoring firmware (“clean install”)