Technical Tip: FortiGuard updates using a proxy server
Description
Solution
- The proxy tunneling feature in FortiGate is primarily used for registration, antivirus, IPS updates, and license validation in virtual versions, with Web Filtering and Spam Filtering utilizing UDP traffic on ports 53 or 8888, which cannot be routed through a proxy.
- Even in recent FortiOS versions supporting Web Filtering over port 443, this connection method remains unsupported via the proxy server, indicating limitations in proxy-based traffic handling for these services.
- The following points should be noted before using this solution:
- The FortiGate unit connects to the proxy server using the HTTP CONNECT method, as described in RFC 2616.
- The proxy MUST NOT do HTTPS inspection of the FortiGate’s communication.
- The FortiGate unit sends an HTTP CONNECT request to the proxy server (optionally with authentication information) specifying the IP address and port required to connect to the FDN.
- FortiGate must be configured with DNS servers resolving the addresses of FDN servers. Registration and AV/IPS updates will not work without proper DNS resolution of FDN servers by FortiGate itself.
- The proxy server establishes the connection to the FDN and passes information between the FortiGate unit and the FDN.
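The CONNECT exchange described in the points above, as an added example that is not part of the original article and not Fortinet code. It builds the request a client sends to the proxy (with optional Basic proxy authentication, one common form of the authentication information mentioned above), parses the proxy's reply, and, when run against a live proxy, starts TLS through the tunnel and reports the certificate issuer so an administrator can confirm the proxy is not performing HTTPS inspection. The proxy address and port are the ones used later in the article; the FDN address 192.0.2.10 is a constructed placeholder from the RFC 5737 documentation range, and the FortiGate itself sends the IP address it resolved through its own DNS servers.

```python
import base64
import socket
import ssl

# Constructed example values; the FDN address is a placeholder, not a real FDN host.
PROXY_HOST = "10.1.1.1"      # proxy address used in the article's configuration example
PROXY_PORT = 3128            # proxy port used in the article's configuration example
FDN_TARGET = "192.0.2.10"    # placeholder FDN IP (RFC 5737 documentation range)
FDN_PORT = 443


def build_connect_request(target_host, target_port, username=None, password=None):
    """Return the HTTP CONNECT request (RFC 2616 section 9.9) sent to the proxy.

    With credentials, a Proxy-Authorization header using Basic auth (RFC 7617)
    is added; this is an assumed authentication scheme, the article only says
    'optionally with authentication information'.
    """
    authority = f"{target_host}:{target_port}"
    lines = [f"CONNECT {authority} HTTP/1.1", f"Host: {authority}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_connect_response(raw):
    """Parse the proxy's status line and return (status_code, reason).

    Anything other than 2xx means no tunnel: 407 = proxy wants credentials,
    403 = CONNECT to that host:port is blocked by proxy policy.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def tunnel_established(raw):
    code, _ = parse_connect_response(raw)
    return 200 <= code < 300


def probe_proxy_tunnel(proxy_host, proxy_port, target_host, target_port,
                       username=None, password=None, server_name=None, timeout=10):
    """Open a CONNECT tunnel, then start TLS through it and report the peer
    certificate. Run this from a host on the same path as the FortiGate.
    If the issuer is an internal CA rather than the public CA that signed the
    FDN server certificate, the proxy is inspecting HTTPS, which breaks the
    FortiGate's FDN communication. Certificate validation stays on: a
    validation error here is itself a finding.
    """
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(build_connect_request(target_host, target_port, username, password))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
        code, reason = parse_connect_response(raw)
        if not tunnel_established(raw):
            return {"connect_status": code, "reason": reason, "tls": None}
        ctx = ssl.create_default_context()
        # server_name is the DNS name the FortiGate resolved (used for SNI and
        # hostname checks); the CONNECT authority may be the resolved IP.
        with ctx.wrap_socket(sock, server_hostname=server_name or target_host) as tls:
            cert = tls.getpeercert()
        return {"connect_status": code, "reason": reason,
                "tls": {"subject": cert.get("subject"), "issuer": cert.get("issuer")}}


if __name__ == "__main__":
    print(probe_proxy_tunnel(PROXY_HOST, PROXY_PORT, FDN_TARGET, FDN_PORT))
```

A 407 reply from the probe means the proxy requires credentials (set them with 'set username' / 'set password'); a 403 usually means the proxy's policy does not allow CONNECT to the FDN address and port, which must be permitted before the FortiGate can register or update.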
The syntax to properly set the auto-update tunneling is as follows (the section is entered with 'config system autoupdate tunneling'):
config system autoupdate tunneling
set address <proxy_address>
set password <password>
set port <proxy_port>
set status {enable | disable}
set username <username>
end
The configuration of the proxy server with IP address 10.1.1.1, listening on port 3128/TCP, and without authentication:
config system autoupdate tunneling
set address 10.1.1.1
set port 3128
set status enable
end
- Starting from FortiOS v7.6.4, to configure FortiOS to use a proxy server for connecting to the FortiGuard Distribution Network (FDN) navigate to the FortiGuard settings in the configuration menu.
- This allows the device to route its FortiGuard updates and services through a specified proxy server, which is useful in environments with strict network controls or proxy requirements.
- To set this up, it is necessary to specify the proxy server address, port, and any required authentication credentials in the FortiGuard configuration section, ensuring that the device can securely and efficiently access the FDN for updates and threat intelligence.
config system fortiguard
set proxy-server-ip <proxy_address>
set proxy-server-port <proxy_port>
set proxy-username <username>
set proxy-password <password>
end
- In a closed network without a direct internet connection for Web/Spam Filtering, an alternate solution is to use FortiManager as the FortiGuard Server. FortiManager, in turn, supports a proxy for both updates and rating. The FortiGates will get their updates/ratings via the FortiManager.
- If the FortiGuard updates are not successful with autoupdate tunneling enabled, be sure to check the following in the CLI:
config system central-management
show full | grep type
If the 'type' is set to 'none', ensure that 'include-default-servers' is set to 'enable'. Otherwise, if it is set to 'disable', the FortiGate will not reach out to the default FortiGuard servers, and the connection will fail. Alternatively, it is possible to set the 'type' to 'FortiGuard', which removes the 'include-default-servers' setting because the default servers are then enforced automatically.
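The check just described, as an added example that is not part of the original article and not Fortinet code: it extracts the 'config system central-management' section from saved 'show full-configuration' output and applies the rule about 'type' and 'include-default-servers'. The sample CLI output is constructed for the example; on a real device, run the command from the article and feed the output in.

```python
import re

# Constructed samples of 'show full-configuration' output; not from a real device.
SAMPLE_OK = """\
config system central-management
    set mode normal
    set type none
    set include-default-servers enable
end
"""

SAMPLE_BROKEN = """\
config system central-management
    set mode normal
    set type none
    set include-default-servers disable
end
"""

SAMPLE_FORTIGUARD = """\
config system central-management
    set mode normal
    set type fortiguard
end
"""

_SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.*?)\s*$", re.MULTILINE)


def extract_section(cli_output, path):
    """Return the text of one top-level 'config <path> ... end' section
    from a full configuration dump, or '' if it is not present."""
    pattern = re.compile(
        r"^config " + re.escape(path) + r"\n(.*?)^end\s*$", re.MULTILINE | re.DOTALL
    )
    m = pattern.search(cli_output)
    return m.group(0) if m else ""


def parse_settings(section_text):
    """Map the 'set <key> <value>' lines of one section to a dict."""
    return {m.group(1): m.group(2).strip('"') for m in _SET_RE.finditer(section_text)}


def check_central_management(section_text):
    """Apply the article's rule. Returns (ok, message) where ok is True,
    False, or None when the check cannot decide from the given text."""
    s = parse_settings(section_text)
    cm_type = s.get("type", "").lower()
    if cm_type == "fortiguard":
        return True, "type is fortiguard: default FortiGuard servers are enforced"
    if cm_type == "none":
        ids = s.get("include-default-servers")
        if ids is None:
            # 'show' (without full) omits defaults; ask for the full view.
            return None, "include-default-servers not visible; use 'show full'"
        if ids == "enable":
            return True, "type none with include-default-servers enable"
        return False, ("include-default-servers is disable: the FortiGate will not "
                       "contact the default FortiGuard servers; set it to enable "
                       "or set type fortiguard")
    if cm_type == "":
        return None, "no 'set type' line found; is this the central-management section?"
    return None, f"type is {cm_type}: not covered by this check"


def check_full_config(cli_output):
    """Convenience wrapper for a whole 'show full-configuration' dump."""
    return check_central_management(extract_section(cli_output, "system central-management"))


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN),
                         ("fortiguard", SAMPLE_FORTIGUARD)):
        print(name, check_central_management(sample))
```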
Note:
When Proxy tunneling is enabled on the FortiGate, traffic destined to the following domains may still be observed bypassing the tunnel and exiting directly via the Internet:
globaldevquery.fortinet.net
globalproductapi.fortinet.net
globalfctupdate.fortinet.net
This behavior is expected. These domains are not part of the Fortinet Distribution Network (FDN) and are used for the following purposes:
Device information queries
GUI icon retrieval
FortiCloud and FortiClient update services
Since these services are designed to operate outside the proxy tunnel, their traffic is not subject to proxy tunneling policies. This does not indicate a configuration issue or tunnel malfunction.
Related documents:
Technical Tip: How FortiGate updates to FortiGuard server via proxy tunnelling
Technical Tip: How to setup FortiGate to get updates from FortiManager
