Verifying and Troubleshooting AV & IPS Updates Status and Versions

This document provides instructions for verifying and troubleshooting AV & IPS updates status and versions on FortiGate devices. It describes CLI commands to check the update status, schedules, and currently installed package versions. It also provides steps for manually updating AV and IPS databases if needed and basic troubleshooting tips including commands to capture debug logs to assist support.

Uploaded by

Testew asa
16/01/2020 Verifying and troubleshooting AV & IPS updates status and versions

Verifying and troubleshooting AV & IPS updates status and versions

Products
FortiGate v3.0
FortiGate v4.0
FortiGate v4.0 MR1

Description

Certain CLI commands display the current AV and IPS status of the FortiGate.

Fortinet support may request the output of these commands in troubleshooting scenarios; it allows support to determine clearly whether a problem could be linked to a specific AV or IPS package running on the device.

These commands also allow the user to check whether the FortiGate is running the latest AV and IPS packages.

Solution

To check the autoupdate status and FDS settings, connect to the CLI and run the following command:

FGT # diagnose autoupdate status

FDN availability: available at Mon May 26 20:16:43 2008

Push update: disable
Scheduled update: enable
Update every: 1 hours at 16 minutes after the hour
Virus definitions update: enable
IPS definitions update: enable
Server override: disable
Push address override: disable
Web proxy tunneling: disable

The fields in the above output are explained below.

Field name: Description

FDN availability:
    Specifies the availability status and last access time (the access time corresponds to the scheduled update settings).
    Possible values are: available/unavailable.

Push update:
    Specifies whether the push update method is enabled or disabled.
    Possible values are: enable/disable.

Scheduled update:
    Specifies whether scheduled update is enabled or disabled.
    Possible values are: enable/disable.

Update every:
    If scheduled update is enabled, specifies the time defined to launch the update.

Virus definitions update:
    Specifies whether the virus definitions update is enabled or disabled.
    Possible values are: enable/disable.

IPS definitions update:
    Specifies whether the IPS definitions update is enabled or disabled.
    Possible values are: enable/disable.

Server override:
    Specifies whether the use of another FDS server is enabled or disabled.
    Possible values are: enable/disable.
    If enabled, a new line is displayed showing the FDS IP address defined in the configuration.
    Example:
        Server override: enable
        Server: 10.0.0.1

Push address override:
    If push update is enabled, specifies whether the FortiGate override address feature is enabled or disabled.
    Possible values are: enable/disable.
    If enabled, a new line is displayed showing the FDS IP address and the TCP port (a.b.c.d:port) defined in the configuration.
    Example:
        Push address override: enable
        Address: 10.0.0.2:9443

Web proxy tunneling:
    Specifies whether the FortiGate device is using a proxy to retrieve AV and IPS definitions updates.
    Possible values are: enable/disable.
    If enabled, additional lines are displayed showing the proxy settings.
    Example:
        Web proxy tunneling: enable
        Proxy address: 10.0.0.3
        Proxy port: 8890
        Username: foo
        Password: foo
Use the following configuration subcommands to change how the FortiGate interacts with the FDS and to set the FDS communication parameters:

FGT # config system autoupdate

clientoverride    configure client override for the FD
override          configure override FDS server
push-update       configure push updates
schedule          configure update schedule
tunneling         configure web proxy tunneling for the FDN

Use the following command to check the actual versions of packages (databases and engines) currently running on
the FortiGate:

FGT# diag autoupdate versions

AV Engine
---------
Version: 3.00011
Contract Expiry Date: Sun Jan 3 00:00:00 2010
Last Updated using manual update on Thu Jan 29 15:09:00 2009
Last Update Attempt: n/a
Result: Updates Installed

Virus Definitions
---------
Version: 9.00795
Contract Expiry Date: Sun Jan 3 00:00:00 2010
Last Updated using manual update on Mon Dec 8 15:09:00 2008
Last Update Attempt: n/a
Result: Updates Installed

Extended set
---------
Version: 0.00000
Contract Expiry Date: Sun Jan 3 00:00:00 2010
Last Updated using manual update on Wed Jan 1 00:00:00 2003
Last Update Attempt: n/a
Result: Updates Installed

Attack Definitions
---------
Version: 2.00593
Contract Expiry Date: Sun Jan 3 00:00:00 2010
Last Updated using manual update on Thu Feb 5 20:34:00 2009
Last Update Attempt: n/a
Result: Updates Installed

IPS Attack Engine
---------
Version: 1.00125
Contract Expiry Date: Sun Jan 3 00:00:00 2010
Last Updated using manual update on Thu Jun 11 15:01:00 2009
Last Update Attempt: n/a
Result: Updates Installed

AS Rule Set
---------
Version: 1.00000
Contract Expiry Date: Sun Jan 3 00:00:00 2010
Last Updated using manual update on Thu Feb 5 23:01:00 2009
Last Update Attempt: n/a
Result: Updates Installed

AS Engine
---------
Version: 1.00000
Build: 0004
Contract Expiry Date: Sun Jan 3 00:00:00 2010
Last Updated using manual update on Thu Feb 5 23:01:00 2009
Last Update Attempt: n/a
Result: Updates Installed

FDS Address
---------
x.y.z.t:443
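
A saved copy of this output can be checked automatically for packages that have not been updated recently or whose contract has expired. The following Python is an added example, not part of the original article or any Fortinet tool; the sample text is constructed from the format shown above, and the function names and the 7-day threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample in the format of 'diag autoupdate versions' (abridged).
SAMPLE = """\
AV Engine
---------
Version: 3.00011
Contract Expiry Date: Sun Jan 3 00:00:00 2010
Last Updated using manual update on Thu Jan 29 15:09:00 2009

Virus Definitions
---------
Version: 9.00795
Contract Expiry Date: Sun Jan 3 00:00:00 2010
Last Updated using manual update on Mon Dec 8 15:09:00 2008

FDS Address
---------
x.y.z.t:443
"""
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

def parse_versions(text):
    """Map each package section to its fields; sections with no Version line
    (such as the FDS address) are dropped because they are not packages."""
    sections, current, prev = {}, None, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line and set(line) == {"-"}:   # dashed rule: the previous line names the section
            current = sections.setdefault(prev, {})
        elif current is not None and line.startswith("Last Updated using "):
            when = line.rpartition(" on ")[2]
            current["Last Updated"] = datetime.strptime(when, TS_FORMAT)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
        prev = line
    return {name: f for name, f in sections.items() if "Version" in f}

def audit(packages, now, max_age_days=7):
    """Return {package: [reasons]}; max_age_days is a local policy choice (assumption)."""
    findings = {}
    for name, fields in packages.items():
        reasons = []
        if now - fields["Last Updated"] > timedelta(days=max_age_days):
            reasons.append("stale")
        if datetime.strptime(fields["Contract Expiry Date"], TS_FORMAT) < now:
            reasons.append("contract expired")
        if reasons:
            findings[name] = reasons
    return findings
```

Passing the reference time as `now` keeps the check reproducible when it is run over archived output.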

Manually Updating an AV/IPS package

From the above output we can read:

AV Engine
---------
Version: 3.00011 <<< This is, for example, the AV Database version loaded on the FortiGate
Contract Expiry Date: Sun Jan 3 00:00:00 2010

Check http://www.fortiguardcenter.com/ for the latest package version (this information is available at the bottom right of the main page).

If needed, you can trigger an update for either the AV or the IPS databases. In the GUI, go to System --> Maintenance --> FortiGuard --> AV and IPS and use the "Update Now" option; this checks for both the latest AV and IPS packages on the FDS server.

Or from the CLI with the following options:

FGT # exec update?

update-ase    update AS engine/rules (available in v4.0)
update-av     update AV engine/definitions
update-ips    update IPS engine/definitions
update-now    update now AV and IPS

Basic Troubleshooting of AV/IPS updates

If you encounter any issues, please collect the following output and send it to Fortinet Support:

FGT# diag autoupdate versions
FGT# diag autoupdate status

FGT# diag debug enable
FGT# diag debug application update 255
FGT# diag sniff packet internal 'port 443 or port 8889' 4

...trigger an update, then stop the sniffer and the debug:

(type CTRL+C to stop the sniffer)

FGT# diag debug disable

Refer to the related articles for more information about using the sniffer check.

Related Articles
Troubleshooting Tool: Using the FortiOS built-in packet sniffer
Troubleshooting Tip: Packet capture (CLI sniffer) best practice
Troubleshooting Tip : How to use the FortiGate sniffer and debug flow in presence of NP2 ports
Troubleshooting Tip: Diagnosing FortiGuard problems of Antivirus, Intrusion Prevention, Web Filtering, Spam Filtering

Last Modified Date: 05-31-2014 Document ID: FD30528

https://kb.fortinet.com/kb/viewContent.do?externalId=FD30528