When working with FortiGate firewalls, you might encounter a situation where FortiGuard Web Filtering services become unreachable after a reboot. This can prevent users from accessing web-filtered resources, leading to connectivity and security concerns. This guide walks you through debugging and resolving the issue effectively.
Step 1: Enable Debugging
First, reset the current debug filters and enable debugging for the update process:
diagnose debug reset
diagnose debug application update -1
diagnose debug enable
Step 2: Force an Update of FortiGuard Services
To manually trigger an update of FortiGuard services, execute:
exec update-now
If FortiGuard servers remain unreachable, further diagnosis is required.
Step 3: Check FortiGuard Server Status
Run the following command to check the FortiGuard rating servers:
diagnose debug rating
Example output showing an issue:
Locale : english
Service : Web-filter
Status : Enable
License : Contract
Num. of servers : 1
Protocol : https
Port : 443
Anycast : Enable
Default servers : Included
-=- Server List -=-
IP Weight RTT Flags TZ FortiGuard-requests Curr Lost Total Lost Updated Time
2620:101:9000:140:173:243:140:16 0 0 DIF 0 20461 20460 20460
In this case, only a single server is listed, and it is an IPv6 address, which is abnormal; the row also shows almost every request to it recorded as lost (20460 of 20461). This suggests an issue with server resolution or connectivity.
Step 4: Additional Debugging Steps
If the issue persists, use the following commands to gather more information:
diagnose debug console timestamp enable
diagnose sys top
Check if the urlfilter process is running and consuming resources. If the process is unresponsive, restart it as follows:
diagnose test application urlfilter 99
To check DNS resolution and FortiGuard connectivity:
diagnose test application dnsproxy 6
If FortiGuard servers are still not reachable, verify if the firewall can reach the internet:
execute ping service.fortiguard.net
If pings fail, check routing and DNS settings on the firewall.
Step 5: Restart the URL Filter Daemon
To resolve this, restart the URL filter daemon:
diagnose test application urlfilter 99
This forces the FortiGuard URL filter process to restart and re-establish server connections.
Step 6: Verify Server List
After restarting the daemon, check the FortiGuard rating servers again:
diagnose debug rating
Example output showing correct server connections:
Locale : english
Service : Web-filter
Status : Enable
License : Contract
Num. of servers : 3
Protocol : https
Port : 443
Anycast : Enable
Default servers : Included
-=- Server List -=-
IP Weight RTT Flags TZ FortiGuard-requests Curr Lost Total Lost Updated Time
173.243.141.16 0 220 D 0 688 0 0
173.243.140.16 0 345 DI 0 399 0 0
2620:101:9000:140:173:243:140:16 0 0 D F 0 4859 853 853
Now, the system has successfully registered IPv4 FortiGuard servers, which is the expected behavior.
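As an added example, not part of this guide or of FortiOS, the following Python parses the two diagnose debug rating server lists shown above and flags the symptoms the guide describes (a single server, no IPv4 entry, a high share of lost requests). The RatingServer name, the thresholds, and the embedded samples are assumptions and constructed from the output above.

```python
import ipaddress
from dataclasses import dataclass

# Constructed samples: the server rows from the two outputs shown above.
BEFORE = """\
IP Weight RTT Flags TZ FortiGuard-requests Curr Lost Total Lost Updated Time
2620:101:9000:140:173:243:140:16 0 0 DIF 0 20461 20460 20460
"""
AFTER = """\
173.243.141.16 0 220 D 0 688 0 0
173.243.140.16 0 345 DI 0 399 0 0
2620:101:9000:140:173:243:140:16 0 0 D F 0 4859 853 853
"""
@dataclass
class RatingServer:
    ip: str
    flags: str
    requests: int
    total_lost: int

def parse_rating(output):
    """Return one RatingServer per server row of 'diagnose debug rating'."""
    servers = []
    for line in output.splitlines():
        tok = line.split()
        try:
            ipaddress.ip_address(tok[0])  # server rows start with an IP; skip the rest
        except (IndexError, ValueError):
            continue
        i, flags = 3, []  # tok[1] is Weight, tok[2] is RTT
        while i < len(tok) and not tok[i].lstrip("-").isdigit():
            flags.append(tok[i])  # Flags may be printed with a space ("D F")
            i += 1
        if len(tok) < i + 4:  # need TZ, requests, Curr Lost, Total Lost
            continue
        _tz, requests, _curr, total = (int(x) for x in tok[i:i + 4])
        servers.append(RatingServer(tok[0], "".join(flags), requests, total))
    return servers

def assess(servers, min_servers=2, max_loss=0.5):
    """Flag the symptoms this guide describes. Thresholds are assumptions."""
    findings = []
    if len(servers) < min_servers:
        findings.append(f"only {len(servers)} rating server(s) listed")
    if not any(ipaddress.ip_address(s.ip).version == 4 for s in servers):
        findings.append("no IPv4 FortiGuard servers registered")
    for s in servers:
        if s.requests and s.total_lost / s.requests > max_loss:
            findings.append(f"{s.ip} lost {s.total_lost} of {s.requests} requests")
    return findings
```

Run against the first output it reports all three symptoms; against the second it returns no findings, matching the healthy state described above.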
Step 7: Final Update Check
Finally, run the update command again to ensure all services are working properly:
exec update-now