FortiMail Troubleshooting: Server Connection Issues


The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting connection issues.


Problem #1: FDN Server Connection Problems

The FortiMail unit cannot connect to the FDN servers to use FortiGuard Antivirus and/or FortiGuard Antispam services.

The Solution

FortiGuard Antivirus and FortiGuard Antispam subscription services use multiple types of connections with the FortiGuard Distribution Network (FDN). For details on verifying FDN connection, see “Verifying connectivity with FortiGuard services” on page 218.

For all FortiGuard connection types, you must satisfy the following requirements:

  1. Register your FortiMail unit with the Fortinet Technical Support web site.
  2. Obtain a trial or purchased service contract for FortiGuard Antispam and/or FortiGuard Antivirus and apply it to your FortiMail unit.

    If you have multiple FortiMail units, including those operating in high availability (HA), you must obtain separate contracts for each FortiMail unit.

  3. Configure your FortiMail unit to connect with a DNS server that can resolve the domain names of FortiGuard servers. For more information, see “Configuring DNS” in the FortiMail Administrator Guide.
  4. Verify that you have satisfied DNS and routing requirements by typing the following commands in the CLI:
    execute nslookup name
    execute nslookup name
    execute traceroute <address_ipv4>
    (where <address_ipv4> is one of the FortiGuard servers)

If you have satisfied these requirements, verify that you have satisfied the requirements specific to the type of connection that is failing. Consult the following table:

Scheduled Updates
  1. Configure the system time of the FortiMail unit, including its time zone.
  2. Make sure intermediary firewall devices allow the FortiMail unit to use HTTPS on TCP port 443 to connect to the FDN.
  3. Use the CLI command set system autoupdate tunneling to enable the FortiMail unit to connect to the FDN through the proxy.
  4. Override the FortiGuard server to which the FortiMail unit is connecting and connect to a non-default server for your time zone.
Push Updates
  1. Satisfy all the requirements for scheduled updates listed above.
  2. If there is a NAT device installed between the FortiMail unit and the FDN, configure it to forward push traffic (UDP port 9443) to the FortiMail unit. You will also need to configure “Use override push IP”. For more information, see “Configuring push updates” in the FortiMail Administrator Guide.
Rating Queries
  1. Intermediary firewall devices must allow the FortiMail unit to use UDP port 53 to connect to the FDN.
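
The following is an added example, not part of the Fortinet recipe: it checks a first-match firewall policy against the port requirements in the table above and reports which FortiGuard connection types the policy would block. The rule format, the "in"/"out" direction labels and the sample policy are constructed assumptions, not FortiMail or FortiGate syntax.

```python
"""Check a first-match firewall policy against the FortiGuard port requirements."""

# Flows required per connection type, taken from the table above.
# Assumed labels: "out" = FortiMail unit to FDN, "in" = FDN to FortiMail unit (push).
SCHEDULED = [("out", "tcp", 443)]
REQUIRED_FLOWS = {
    "Scheduled Updates": SCHEDULED,
    "Push Updates": SCHEDULED + [("in", "udp", 9443)],
    "Rating Queries": [("out", "udp", 53)],
}

# Constructed sample policy for an intermediary firewall (not from the page).
SAMPLE_RULES = [
    {"action": "allow", "dir": "out", "proto": "tcp", "ports": (443, 443)},
    {"action": "deny", "dir": "out", "proto": "udp", "ports": (1, 1023)},
    # Never reached for port 53: the broader deny above matches first.
    {"action": "allow", "dir": "out", "proto": "udp", "ports": (53, 53)},
]


def verdict(rules, direction, proto, port):
    """Return (action, rule_index) of the first matching rule; implicit deny otherwise."""
    for index, rule in enumerate(rules):
        low, high = rule["ports"]
        if rule["dir"] == direction and rule["proto"] == proto and low <= port <= high:
            return rule["action"], index
    return "deny", None


def blocked_flows(rules):
    """Map each connection type to the required flows the policy does not allow."""
    report = {}
    for conn_type, flows in REQUIRED_FLOWS.items():
        report[conn_type] = [f for f in flows if verdict(rules, *f)[0] != "allow"]
    return report


if __name__ == "__main__":
    for conn_type, missing in blocked_flows(SAMPLE_RULES).items():
        status = "ok" if not missing else "blocked: " + ", ".join(
            f"{d} {p}/{n}" for d, p, n in missing)
        print(f"{conn_type}: {status}")
```

With the sample policy, scheduled updates pass, push updates fail on the missing inbound UDP 9443 rule, and rating queries fail because the earlier deny shadows the UDP 53 allow.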