Technical Tip: Configure FortiManager as a local FDN server for FortiGates
Description
This article describes how to configure FortiManager to act as a local FortiGuard server for FortiGates.
Scope
FortiManager, FortiGate.
The terminology used in this document:
FDS = AV/IPS service.
FGD = FortiGate Web/Email filter.
FDN = FortiGuard Distribution Network.
Solution
FortiGates receive the updates for FortiGuard packages from the FortiManager acting as a local FortiGuard server.
A secondary FortiManager without internet connectivity can also be configured to connect to a FortiManager acting as a local FDN server.
The FortiGuard Distribution Network (FDN) provides FortiGuard services for the FortiManager system, its managed units, and FortiClient agents.
Note: For a network without Internet access, an Entitlement file is needed. How to obtain and add it is explained in the following article:
The FDN is a worldwide network of FortiGuard Distribution Servers (FDS), which update the FortiGuard services on the FortiManager system regularly so that the FortiManager system is protected against the latest threats and can provide those updates to its local FDS service in a proxy manner.
The FortiGuard services available on the FortiManager system include:
- Antivirus, IPS engines, and signatures.
- Web filtering and email filtering, rating databases, and lookups.
- Vulnerability scan and management support for FortiAnalyzer.
FortiManager configuration.
The FortiManager system acts as a local FDS and synchronizes its FortiGuard service update packages with the FDN, then provides these FortiGuard updates and lookup replies to the private network’s FortiGates.
The local FDS provides a faster connection, reducing internet connection load and the time required to apply frequent updates, such as antivirus signatures, to many devices. Enable the built-in FDS:

Enable push updates for urgent updates or critical FortiGuard AV/IPS signatures.
To enable push through NAT, type a push IP address override, replacing the default IP address with the forwarding IP address, such as the NAT device’s external or virtual IP address. This causes the FDN to send push packets to the override IP address, rather than the FortiManager system’s private IP address. The NAT device can then forward the connection to the FortiManager system’s private IP address.
In the figure above, NAT is configured; the defaults are IP address '0.0.0.0' and port '9443'.
If web-proxy is enabled, it must be configured as shown in the above screenshot.
Additionally, under System Settings -> Network, verify that service access for FortiGate Updates (FDS) or Web Filtering (FGD) is enabled on the FortiManager management interface.
The IP addresses configured here need to be on the same subnet as that FortiManager interface.
These are the IP addresses to use in the override server configuration on the FortiGate side.

Configuration on FortiGate.


Configuration from the FortiGate CLI:
config system central-management
    set type fortimanager
    set fmg "10.5.54.111"
    config server-list
        edit 1
            set server-type update
            set server-address 10.5.54.1
        next
        edit 2
            set server-type rating
            set server-address 10.5.54.2
        next
    end
    set fmg-update-port 443
    set include-default-servers disable   <- If the FortiManager is pushing updates to FortiGates.
end
When fmg-update-port is set to 443, the update process will use port 443 to connect to the override update server, which is the local FortiGuard server in the FortiManager.
If this is not set, the update process will use port 8890, and the server address setting has to be the FortiManager access IP address.
Override FortiGuard services come from the server list that is the local FortiGuard server in the FortiManager, and use the traditional, non-OCSP TLS handshake.
If the override servers in the FortiManager are not available, the default FortiGuard servers are connected, and the anycast OCSP TLS handshake is used.
If tunneling is enabled under 'config system autoupdate tunneling' on the FortiGate, the configured proxy will also be used for connections toward the local FortiManager FDN server. For the FortiGate to send FDN requests directly to the local FortiManager FDN server, tunneling must be set to disable.
Configure a FortiManager without Internet connectivity to access a secondary local FortiManager as FDS.
To use a second FortiManager as the FDS, refer to the screenshot below and configure the secondary FortiManager FDN server IP address with FMG_IP_AS_FDS. If required, enable Server Override Address for FortiClient:

Operating FortiManager as an FDS in a closed network.
The FortiManager can be operated as a local FDS server when it is in a closed network with no internet connectivity.
Without a connection to a FortiGuard server, update packages and licenses must be manually downloaded from support and then uploaded to FortiManager.
The FortiManager configuration in the GUI under FortiGuard -> Settings looks like this:

Upload Options for FortiGate/FortiMail manually.
Packages and Database: It is possible to upload Antivirus/IPS packages, web filter databases, and email filter databases that are already downloaded from the Customer Service & Support portal on the management computer.
The packages the FortiGate will download depend on the profiles/services enabled on the firewall.
Service License: Choose to import the FortiGate or FortiSOAR license. Browse for the file on the management computer, or drag and drop the file into the dialog box.
A license file can be obtained from customer service support by requesting the account entitlement for the device(s).
Upload packages with CLI commands:
- Disable communications with the FortiGuard server and enable a closed network with the following CLI commands:
config fmupdate publicnetwork
set status disable
end
- Upload an update package or license:
  - Load the package or license file to an FTP, SCP, or TFTP server.
  - Run the following CLI command:
execute fmupdate {ftp | scp | tftp} import <av-ips | fct-av | url | spam | file-query | license-fgt | license-fct | custom-url | domp> <remote_file> <ip> <port> <remote_path> <user> <password>
CLI Options:
Some of the services can be enabled only from the CLI; see the fds-setting commands under 'config fmupdate' (Fmupdate services in the related documents).
Troubleshooting tips for FortiManager connectivity with FortiGuard and with FortiGate.
Use the following commands to help with troubleshooting.
Check if the system is connected to the FDS server:
diagnose fmupdate view-serverlist fds
Fortiguard Server Comm : Enabled
Server Override Mode : Loose
FDS server list :
Index Address Port TimeZone Distance Source
------------------------------------------------------------------------------------------------------
*0 149.5.232.66 443 1 0 FDNI
1 208.184.237.67 443 0 1 FDNI
2 173.243.138.69 443 0 1 FDNI
3 209.222.136.6 443 -5 6 FDNI
4 12.34.97.16 443 -5 6 FDNI
5 208.184.237.68 443 9 8 FDNI
6 173.243.138.67 443 9 8 FDNI
7 208.184.237.66 443 -8 9 FDNI
8 173.243.138.66 443 -8 9 FDNI
9 fds1.fortinet.com 443 1 0 DEFAULT
Retrieve debug info from the FDS server:
diagnose debug application fdssvrd 255
diagnose debug enable
IMA02LX075 # <----- Worker process exits.
------ fdssvrd exit ------
Fail to create https service socket <----- Worker process started.
Reload config ...
Server from FDNI: 12.34.97.16
Server from FDNI: 149.5.232.66
Server from FDNI: 173.243.138.66
Server from FDNI: 173.243.138.67
Server from FDNI: 173.243.138.69
Server from FDNI: 208.184.237.66
Server from FDNI: 208.184.237.67
Server from FDNI: 208.184.237.68
Server from FDNI: 209.222.136.6
Server from FDNI: 173.243.138.108
Server from FDNI: 173.243.138.98
Server from FDNI: 173.243.138.99
Server from FDNI: 208.184.237.75
…
…
[FMG-->FDS] Request: Protocol=3.0|Command=Poll|Firmware=FMG-VM64-FW-7.00-0180|SerialNumber=FMG-VM0A13000127|Persistent=false|AcceptDelta=0|DataItem=00000000FCNI00000-00000.00000-0000000000*00000000FDNI00000-00000.00000-0000000000
FCP_CONN:: receiving package: num_objects=3 total_size=1480
FCP_CONN:: received object: id=00000000FCPR00000 ver=00000.00000-2202091104 size=176
[FDS-->FMG] Response: Protocol=3.0|Response=200|Firmware=FPT033-FW-6.8-0169|SerialNumber=FPT-FDS-DELL0407|Server=FDSG|Persistent=false|ResponseItem=00000000FCNI00000:200*00000000FDNI00000:200
FCP_CONN:: received object: id=00000000FCNI00000 ver=00000.00000-2001201850 size=88
FCP_CONN:: received object: id=00000000FDNI00000 ver=00000.00000-2112210241 size=832
TLSv1.2 write warning alert: close notify
Check update with fds 149.5.232.66 SUCCESS
Check ping to fds1.fortinet.com:443
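To check the serverlist and fdssvrd output above without reading it by eye, here is an added example (not the article's or Fortinet's own code) that parses both outputs into a short summary: FortiGuard comm state, the server in use (marked '*'), how many servers came from FDNI, the last poll response code and the SUCCESS/FAIL line. The sample output, IP addresses and serial numbers are constructed placeholders.

```python
import re  # Added example (not the article's own code): parses the diagnostic outputs shown above.

# Constructed sample of 'diagnose fmupdate view-serverlist fds' output (not from a real device).
SERVERLIST_OUTPUT = """\
Fortiguard Server Comm : Enabled
Server Override Mode : Loose
FDS server list :
Index Address Port TimeZone Distance Source
--------------------------------------------------
*0 192.0.2.10 443 1 0 FDNI
1 198.51.100.20 443 0 1 FDNI
2 fds1.fortinet.com 443 1 0 DEFAULT
"""
# Constructed sample of 'diagnose debug application fdssvrd 255' lines; serial numbers are placeholders.
FDSSVRD_DEBUG = """\
[FMG-->FDS] Request: Protocol=3.0|Command=Poll|Firmware=FMG-VM64-FW-7.00-0180|SerialNumber=FMG-VMXXXXXXXXXX|Persistent=false|AcceptDelta=0
[FDS-->FMG] Response: Protocol=3.0|Response=200|Firmware=FPT033-FW-6.8-0169|SerialNumber=FPT-FDS-XXXXXXXX|Server=FDSG|Persistent=false|ResponseItem=00000000FCNI00000:200*00000000FDNI00000:200
TLSv1.2 write warning alert: close notify
Check update with fds 192.0.2.10 SUCCESS
"""
# One table row: optional '*' (server in use), index, address, port, timezone, distance, source.
SERVER_RE = re.compile(r"^\s*(\*?)(\d+)\s+(\S+)\s+(\d+)\s+(-?\d+)\s+(\d+)\s+(\S+)\s*$")

def parse_serverlist(text):
    """Return FortiGuard comm state, override mode and the parsed server rows."""
    info = {"comm_enabled": None, "override_mode": None, "servers": []}
    for line in text.splitlines():
        if line.startswith("Fortiguard Server Comm"):
            info["comm_enabled"] = line.split(":", 1)[1].strip() == "Enabled"
        elif line.startswith("Server Override Mode"):
            info["override_mode"] = line.split(":", 1)[1].strip()
        elif (m := SERVER_RE.match(line)):
            star, _idx, addr, port, _tz, _dist, src = m.groups()
            info["servers"].append({"active": star == "*", "address": addr, "port": int(port), "source": src})
    return info

def parse_fcp(line):
    """Split a '[FMG-->FDS] Request:' or '[FDS-->FMG] Response:' line into its '|'-separated key=value fields."""
    return dict(kv.split("=", 1) for kv in line.split(": ", 1)[1].split("|"))

def summarize(serverlist_text, debug_text):
    """Condense both outputs into what to check first: comm enabled, server in use, result of the last poll."""
    sl = parse_serverlist(serverlist_text)
    active = next((s for s in sl["servers"] if s["active"]), None)
    responses = [parse_fcp(l) for l in debug_text.splitlines() if l.startswith("[FDS-->FMG] Response:")]
    check = re.search(r"Check update with fds (\S+) (\w+)", debug_text)  # SUCCESS/FAIL line from the debug
    return {"comm_enabled": sl["comm_enabled"], "override_mode": sl["override_mode"],
            "active_server": active["address"] if active else None,
            "fdni_servers": sum(s["source"] == "FDNI" for s in sl["servers"]),
            "last_response": int(responses[-1]["Response"]) if responses else None,
            "update_check": check.group(2) if check else None}
```

Paste the real outputs into the two strings; an empty server list with only the DEFAULT entry, or no '[FDS-->FMG] Response:' line at all, is the first thing to notice when updates are not arriving.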
Restart the FDS services:
diagnose fmupdate service-restart fds
When port 443 is used, the FortiManager presents its default self-signed 'server.crt', which the FortiGate might not accept, giving the error: Server Certificate failed verification. Error: 18 (self-signed certificate).
To fix the issue, set Fortinet_Local as the HTTPS certificate on FortiManager, or use a custom certificate.
If the issues persist, send the following to Fortinet TAC Support in a ticket:
- All of the output of the previous commands.
- The config backup of the FortiManager.
- The 'execute tac report' CLI output.
Troubleshooting commands to check if the FortiGate is receiving FortiGuard updates:
diagnose debug application update -1
diagnose debug console timestamp enable
diagnose debug enable
execute update-now
FortiManager can also be configured as a local FDN Server for FortiProxy.
Related documents:
- Technical Tip: Verifying FortiGuard connectivity on FortiManager
- Technical Tip: Setting up FortiManager behind Web Proxy to act as standalone FortiGuard FDS server for FortiGates
- Technical Tip: How to configure FortiAnalyzer/FortiManager to use FortiManager as an FortiGuard server and how to import the contract information without FortiGuard server (in internal network without an Internet access)
- Technical Tip: Configuration to use FortiManager as local FDS server on FortiGate
- Fmupdate services
- Interface
- System Autoupdate Tunneling
