Xamaaa
New Member
April 29, 2022
Question

FortiGate 100E update through SquidProxy


I need to update a backend Fortinet FortiGate 100E firewall, and the only machine in the network whose IP address is authorized for internet access (from the frontend firewall) is 10.1.2.3, running SquidProxy on CentOS Linux.

I followed Fortinet's technical note on how to set up the proxy by opening the CLI and issuing:

config system autoupdate tunneling
    set address 10.1.2.3
    set port 3128
    set status enable
end

Now part of the traffic flows through the proxy, but there are still connection attempts directly from the firewall to Fortinet servers on port 443. The updates are not working. I opened every port and protocol from the firewall interface to the SquidProxy machine, and through tcpdump on the proxy I can see data flowing back and forth like this:

Internet <---> SquidProxy <---> FortiGate

but from the firewall GUI I can see that it's not communicating with the update servers. I haven't been able to redirect ALL traffic from the firewall through the proxy.

What other configurations am I missing?
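One way to check what the FortiGate actually sends through Squid, as an added example that is not part of this thread and not Fortinet's or Squid's own tooling: it parses Squid's native access.log format for the FortiGate's client address and separates the tunnels Squid allowed from the ones it refused (TCP_DENIED). The client IP 10.1.2.10, the host names and the log lines are constructed sample data. A refused CONNECT to a port other than 443 is the usual sign of Squid's default "http_access deny CONNECT !SSL_ports" rule; services that bypass the proxy entirely simply never appear in this log, which is consistent with the partial-proxy behaviour the first reply describes.

```python
"""Check which FortiGate update traffic actually traverses Squid.

Added example (not from the thread, Fortinet or Squid): parses Squid's
native access.log format and reports, for one client IP, which CONNECT
tunnels succeeded and which the proxy refused. All host names, IPs and
log lines below are constructed sample data.
"""
import re
from collections import defaultdict

# Squid native format:
# ts elapsed client action/status size method url ident hier/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)"
)

# Constructed sample log: 10.1.2.10 stands in for the FortiGate.
SAMPLE_LOG = """\
1651234567.101    245 10.1.2.10 TCP_TUNNEL/200 4521 CONNECT update.fortiguard.example:443 - HIER_DIRECT/203.0.113.10 -
1651234568.202      3 10.1.2.10 TCP_DENIED/403 3921 CONNECT update.fortiguard.example:8890 - HIER_NONE/- text/html
1651234569.303    190 10.1.2.10 TCP_TUNNEL/200 8812 CONNECT service.fortiguard.example:443 - HIER_DIRECT/203.0.113.11 -
1651234570.404      2 10.1.2.10 TCP_DENIED/403 3921 CONNECT update.fortiguard.example:8890 - HIER_NONE/- text/html
1651234571.505     50 10.1.2.99 TCP_MISS/200 1200 GET http://mirror.example/repo/ - HIER_DIRECT/203.0.113.20 text/html
"""


def parse_squid_log(text):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = SQUID_RE.match(line)
        if m:
            yield m.groupdict()


def summarize_client(text, client_ip):
    """Return {destination: {"ok": n, "denied": n}} for one client.

    The destination is host:port for CONNECT tunnels and the URL for plain
    requests. Anything Squid logged as TCP_DENIED counts as "denied".
    """
    summary = defaultdict(lambda: {"ok": 0, "denied": 0})
    for entry in parse_squid_log(text):
        if entry["client"] != client_ip:
            continue
        bucket = "denied" if entry["action"].startswith("TCP_DENIED") else "ok"
        summary[entry["url"]][bucket] += 1
    return dict(summary)


def denied_ports(text, client_ip):
    """Sorted list of ports the proxy refused to tunnel for client_ip.

    A non-443 port here usually means Squid's default SSL_ports ACL is
    rejecting the CONNECT, not that the FortiGate ignored the proxy.
    """
    ports = set()
    for dest, counts in summarize_client(text, client_ip).items():
        if counts["denied"] and ":" in dest:
            ports.add(int(dest.rsplit(":", 1)[1]))
    return sorted(ports)


if __name__ == "__main__":
    for dest, counts in summarize_client(SAMPLE_LOG, "10.1.2.10").items():
        print(f"{dest:45s} ok={counts['ok']} denied={counts['denied']}")
    print("denied ports:", denied_ports(SAMPLE_LOG, "10.1.2.10"))
```

Run it against the real /var/log/squid/access.log with the FortiGate's address in place of 10.1.2.10; destinations that never show up at all are the ones the FortiGate is reaching directly on 443, which is what the tcpdump on the proxy cannot show.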

2 replies

amouawad
Staff
May 1, 2022

As per this article, https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGuard-updates-using-a-proxy-server/ta-p/191904, not all features are supported via proxy. So only registration, AV and IPS updates will be sent through the proxy. Web/DNS/Spam requests will not go through the proxy.

If you have a FortiManager, you can use it as the web filtering service for the FortiGate, and it in turn can update its web filtering database through the proxy.

sw2090
SuperUser
May 3, 2022

You could also download a firmware image from the support portal and upload it via the FGT web interface manually instead of the auto update.