Contributor
April 4, 2011
Question

Fortigate update over MPLS

  • April 4, 2011
  • 20 replies
  • 9786 views
Hi, I am a French customer, and I am going to install a new piece of equipment (FortiGate 110C). I've got some problems with this one. To understand my problem I need to explain how the FortiGate is connected.

I have a Juniper directly connected to the MPLS network with the private IP 10.x.x.10. Behind this one I have the FortiGate 110C connected to the Juniper on the wan1 interface with the private IP 10.x.x.9. I have some private networks which use NAT rules for going to the Internet; for example, I am NATing the network 192.168.x.x to the public IP 195.x.x.x over the WAN 1 connection. A static rule has been entered in the router configuration for going by default to the network 10.x.x.10 (it's a default gateway), so for my private networks I don't have any problem: the NAT works perfectly and I have an Internet connection.

My problem is about the update of the FortiGate. As I said, the WAN interface of the FortiGate is connected to the Juniper and the MPLS network with a private IP address, so the FortiGate tries to get its updates by using the IP 10.x.x.10, but as we know it's impossible to route a private IP on the Internet, and so the FortiGate can't make its update..... How can I tell the FortiGate to use a public IP for going to get its updates, like I do with my private networks (with the NAT function)? Thanks for your help


    ede_pfau
    SuperUser
    April 5, 2011
    Welcome to the forums! The FGT cannot NAT its own WAN IP address. Either the device in front has to do that (but I assume that the Juniper is just a switch), or you can give the FGT a secondary IP address on its WAN port (System>Network>Interface). This address has to be public and routeable. Then, in System>Maintenance>FortiGuard, check "Allow Push Update", check "Use override push IP" and enter the secondary IP address. Port 9443/tcp must be available for this. If that doesn't work we'll have to specify the FGT's source IP for updates using the CLI. This depends on your FortiOS version, so please mention it.
    Contributor
    April 5, 2011
    Thanks for your reply! I have tried to put a second IP address on the wan1 interface; when I click on the Apply button it seems to be OK, but when I returned to the edit interface to verify, the second IP address had disappeared. I have put an address like this one, 195.X.X.2/255.255.255.255, which is a public IP and not a network address. However, I've made the configuration in System>Maintenance>FortiGuard to force the update with the IP 195.X.X.2/255.255.255.255, but it seems not to be working. For information, my FortiOS is FG110C-4.00-build315. Thanks, Ede
    ede_pfau
    SuperUser
    April 5, 2011
    First things first: the secondary IP must work for this setup. I have the same build running as you, 4.2.5. When I click "Secondary IP", the screen greys out except for a small window in which I can enter the IP, e.g. "110.220.3.4/32" (= one single address). Then I have to scroll down and click OK. Then I'm back on the edit page and now I have a new table listing the secondary IP. I then click OK to leave this page. You can test the IP by pinging it from your LAN. Try to get that done, and report back.
    Contributor
    April 6, 2011
    OK! It's OK for my second IP on the interface after rebooting the FortiGate. And I've made the configuration in System>Maintenance>FortiGuard to force the update with the IP 195.X.X.2/255.255.255.255, but it doesn't work. I have done the same configuration with CLI commands and it's still not working:

        # config system autoupdate push-update
            set address 195.X.X.2
            set override enable
            set status enable
        end

    Any idea? Thanks again for your reply
    ede_pfau
    SuperUser
    April 6, 2011
    Well then we have to dig a little deeper.
        config system autoupdate clientoverride
            set status {enable | disable}
            set address <address_ipv4>
        end
    "Use this command to receive updates on a different interface than the interface connected to the FortiGuard Distribution Network (FDN). This command changes the source IP address of update requests to the FortiGuard server, causing it to send the update to the modified source address." And while you're at it,
        config system autoupdate push-update
            set address <address_ipv4>
            set override enable
            set port 9443
            set status enable
        end
    where you configure the push updates.
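    Putting the thread's pieces together as one CLI configuration (an added example, not from the original posts): the secondary public address on wan1 that the GUI step earlier in the thread creates, then clientoverride and push-update bound to that address. The secondaryip and execute update-now syntax are taken from FortiOS CLI generally and assumed to apply to this 4.x build; 195.X.X.2 is the poster's placeholder, and the upstream router must still route that /32 to wan1 for either direction to work.

```fortios
# Secondary, publicly routable address on wan1 (the GUI step from earlier in the thread).
# 195.X.X.2 is the placeholder address the original poster used; substitute your own.
config system interface
    edit "wan1"
        set secondaryip enable
        config secondaryip
            edit 1
                set ip 195.X.X.2 255.255.255.255
                set allowaccess ping    # only so the LAN ping test suggested above works
            next
        end
    next
end

# Source FortiGuard update requests from the secondary address instead of the private 10.x.x.9.
config system autoupdate clientoverride
    set status enable
    set address 195.X.X.2
end

# Accept pushed updates on the same address; 9443/tcp must be reachable from the FDN.
config system autoupdate push-update
    set status enable
    set override enable
    set address 195.X.X.2
    set port 9443
end

# Trigger a pull update to confirm the new source address reaches the FDN.
execute update-now
```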
    Contributor
    April 6, 2011
    GG!!! It works! The FGT makes its update now!!!! I just want to say thank you, Ede!
    Contributor
    April 12, 2011
    Hello, last question about updates. All seems to be OK, but there is a mistake with the FortiClient endpoint update. The FortiGate can't reach Fortinet's FortiGuard server and so can't get the latest FortiClient. What should I do? I can give another URL on the endpoint portal to download it, but the installer asks for a licence number, which wasn't asked for when you download it directly from the endpoint portal (when the update works fine). And for me it's not good if I have to give the FortiClient licence number for each client. Thanks
    ede_pfau
    SuperUser
    April 12, 2011
    Well, does the FGT update its signatures or does it not? You posted both statements. If the FGT updates the signatures then it will also update the Fclient. In 4.1.x look at "Endpoint NAC">Config where you can see the FortiGuard availability status and where you can manually trigger an update. In 4.2.x it's in Endpoint>NAC>FortiClient.
    Contributor
    April 12, 2011
    The FGT updates its signatures but doesn't update the FortiClient!! See my screenshot.
    ede_pfau
    SuperUser
    April 12, 2011
    What does the Endpoint page I posted look like? Can you update the Fclient manually from there?