FortC
New Contributor II

ffdb config-error-log appear after fortigate 201F and 101F upgrade from v7.0.12 to v7.2.5

Hello Everyone,

 

I want to check whether this is only a DB-not-up-to-date issue, and whether it is a common known issue, since the same issue was found in all of my FortiGate upgrade scenarios.

 

-Upgrade from v7.0.12 to v7.2.5

-201F standalone

-201F HA A-P cluster

-101F HA A-P cluster

-All of the FortiGates were using a 1 month trial license that was still valid.

-FortiAnalyzer was configured but not connected before and after upgrade.

-Only mgmt port connected and have access to Internet behind simple source NAT from next hop gateway (a cisco router).

 

After around 2 hours wait, all the "xx signature is missing" messages were gone.

 

Messages of config-error-log found right after upgrade first boot

# diagnose debug config-error-log read
ffdb_app_map_process-3326: wrong word 3798
ffdb_app_map_process-3326: wrong word 196
ffdb_app_map_process-3326: wrong word 208
ffdb_app_map_process-3326: wrong word 190
ffdb_app_map_process-3326: wrong word 46
ffdb_app_map_process-3326: wrong word 132
ffdb_app_map_process-3326: wrong word 191
ffdb_map_flash_read: ret=-5, Error: version error
ffdb_map version mismatch, the Internet Service Database will automatically update
init_do_ffdb_map: ret=-9, Error: weight wrong error

 

From System Events, below Critical log found.

Message Fortigate dnsbot signature is missing.

Message Fortigate avai signature is missing.

Message Fortigate mmdb signature is missing.

Log Description FortiGate database signature invalid

 

FortiGuard connection is good:

# execute ping service.fortiguard.net
PING guard.fortinet.net (173.243.138.194): 56 data bytes
64 bytes from 173.243.138.194: icmp_seq=0 ttl=42 time=208.9 ms
....

--- guard.fortinet.net ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 208.0/208.2/208.9 ms

 

# execute ping update.fortiguard.net
PING fds1.fortinet.com (173.243.138.66): 56 data bytes
64 bytes from 173.243.138.66: icmp_seq=0 ttl=42 time=219.8 ms
....

--- fds1.fortinet.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 207.8/211.9/219.8 ms

 

Troubleshooting command used:

diagnose autoupdate signature check-all  << it is hidden from "?" and TAB cmd help

diagnose autoupdate versions

diagnose autoupdate versions | grep Internet -A 6

 

diagnose debug enable

diagnose debug application update -1

execute update-now

diagnose debug disable

 

 

Referenced articles:

https://docs.fortinet.com/document/fortigate/7.2.0/new-features/657131/verifying-and-accepting-signe...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Botnet-Domain-Database-shows-version-0-000...

https://blog.boll.ch/fortios-not-updating-signature-databases/

 

4 REPLIES
Anthony_E
Community Manager

Hello FortC,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello FortC,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
Markus_M
Staff

Hi FortC,

 

I may not be able to help much, but the

diagnose debug config-error-log read

gives out that after a boot there were parts of the config that could not be read and would be dropped.

execute update-now

I expect this to resolve that issue as it updates the ISDB as well.

As of such - the reboot was done because of an upgrade (which often means some sort of migration) or some maintenance only?

 

Best regards,

 

Markus

 

srajeswaran
Staff

You are matching known issue 774460.

Ref: https://docs.fortinet.com/document/fortigate/7.2.0/fortios-release-notes/289806

774460

config-error-log debugs shows Internet Service Database related errors when upgrading from 7.0 to 7.2, which causes confusion when the Internet Service Database was updated successfully.

 

This is not an issue, it is an expected behavior when OS upgrade happens from 7.0 to 7.2 due to the db differences. The errors/logs will start as soon as the device boots up with new OS (7.2), but the system will perform an automatic update-now soon and the errors will be gone after that.

There is no solution/fix required for this and you can safely ignore these.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
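
A way to triage `diagnose debug config-error-log read` output across several upgraded units, as an added example that is not part of the thread or of Fortinet's tooling: it separates the `ffdb` lines described under known issue 774460 from anything else in the log. The prefix match, the names `triage` and `needs_review`, and the final sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# Assumption: Internet Service Database (ISDB) lines are recognised by the
# "ffdb" function prefixes visible in this thread's output, not by an
# official Fortinet list.
ISDB_LINE = re.compile(r"^(?:init_do_)?ffdb_[a-z_]+(?:-\d+)?[: ]")
ECHOED_CMD = re.compile(r"^(?:\S+\s)?#\s")  # "# diagnose ..." or "host # ..."

def triage(cli_output):
    """Return (ISDB line counts per function, list of all other lines)."""
    isdb, other = Counter(), []
    for raw in cli_output.splitlines():
        line = raw.strip()
        if not line or ECHOED_CMD.match(line):
            continue
        if ISDB_LINE.match(line):
            # Collapse repeats such as "wrong word N" under the function name.
            isdb[re.split(r"[-: ]", line, maxsplit=1)[0]] += 1
        else:
            other.append(line)
    return dict(isdb), other

def needs_review(cli_output):
    """True when the log holds anything besides ISDB (ffdb) lines."""
    return bool(triage(cli_output)[1])

# Output as posted in the thread (first boot after the 7.0.12 -> 7.2.5 upgrade).
THREAD_OUTPUT = """\
# diagnose debug config-error-log read
ffdb_app_map_process-3326: wrong word 3798
ffdb_app_map_process-3326: wrong word 196
ffdb_app_map_process-3326: wrong word 208
ffdb_app_map_process-3326: wrong word 190
ffdb_app_map_process-3326: wrong word 46
ffdb_app_map_process-3326: wrong word 132
ffdb_app_map_process-3326: wrong word 191
ffdb_map_flash_read: ret=-5, Error: version error
ffdb_map version mismatch, the Internet Service Database will automatically update
init_do_ffdb_map: ret=-9, Error: weight wrong error
"""

# Constructed line (not from the thread) standing in for a rejected setting.
CONSTRUCTED_OTHER = '>>> "set example-option enable" @ global.example:failed command (error 1)'

if __name__ == "__main__":
    counts, other = triage(THREAD_OUTPUT + CONSTRUCTED_OTHER)
    print("ISDB lines:", counts)
    print("review these:", other or "none")
```

A unit for which `needs_review` returns true has lines outside the ISDB set and is worth reading by hand before the log is dismissed.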
