Technical Tip: How to allow FortiGate’s FortiGuard traffic on the upstream firewalls in the network
Description
This article shows how to allow the FortiGate’s FortiGuard traffic on the upstream firewalls when the FortiGate has 'fortiguard-anycast' enabled.
Solution
In FortiOS v6.2.2 and later, fortiguard-anycast can be enabled on the FortiGate to optimize routing performance to the FortiGuard servers:
# config system fortiguard
    set protocol https
    set port 443
    set fortiguard-anycast enable
    set fortiguard-anycast-source fortinet
end
With fortiguard-anycast enabled, the FortiGate communicates with the IP addresses resolved from the FQDNs below for the respective features.
The AV/IPS FQDN: globalupdate.fortinet.net
The WF FQDN: globalguardservice.fortinet.net
It is therefore necessary to create firewall policies on the firewalls upstream of the FortiGate allowing the above two FQDNs so that the FortiGate can communicate with the FortiGuard servers.
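A check to run from a host behind the upstream firewall once the policies are in place, as an added example that is not part of the original article: it resolves the two FQDNs and attempts a TCP handshake on port 443 to every address returned. The function names and status labels are hypothetical, only IPv4 is checked, and the test host is assumed to sit on the same path and use the same DNS resolver as the FortiGate.

```python
import socket

# FQDNs and port come from the article; names and status labels are assumptions.
FORTIGUARD_FQDNS = {
    "AV/IPS": "globalupdate.fortinet.net",
    "WF": "globalguardservice.fortinet.net",
}
PORT = 443


def resolve(fqdn, port=PORT):
    """Return the sorted IPv4 addresses the local resolver gives for fqdn."""
    infos = socket.getaddrinfo(fqdn, port, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_open(ip, port=PORT, timeout=5.0):
    """True if a TCP handshake to ip:port completes (layer 4 only, no TLS)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_fortiguard(resolver=resolve, connector=tcp_open):
    """Check each FQDN; returns {feature: {"fqdn", "status", "ips"}}."""
    report = {}
    for feature, fqdn in FORTIGUARD_FQDNS.items():
        try:
            ips = resolver(fqdn)
        except OSError:  # socket.gaierror is a subclass of OSError
            ips = []
        reach = {ip: connector(ip) for ip in ips}
        if not ips:
            status = "dns-failed"      # DNS lookup blocked or failing
        elif all(reach.values()):
            status = "allowed"         # every resolved address answers on 443
        elif any(reach.values()):
            status = "partially-blocked"  # rule covers only some addresses
        else:
            status = "blocked"
        report[feature] = {"fqdn": fqdn, "status": status, "ips": reach}
    return report


if __name__ == "__main__":
    for feature, r in check_fortiguard().items():
        print(f"{feature:7} {r['fqdn']:34} {r['status']} {r['ips']}")
```

A "partially-blocked" result usually means the upstream rule was written against fixed IP addresses instead of the FQDN objects, so only some of the resolved addresses are permitted.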
