Skip to main content
ddiez
ddiez
Explorer III
June 27, 2024
Question

How to perform special internet access for FortiGuard services

  • June 27, 2024
  • 4 replies
  • 3323 views

Hi there,

 

I configured two FortiGate that are running on smaller locations. This FGT have internet access and DHCP enabled. All of the traffic of the clients of the location network is routed straight through IPsec-VPN to the bigger FortiGate in the main office. On this bigger FGT every traffic runs through policies etc. So on the small FGT there is only an allow in/out policy and a default route pointing to the S2S VPN tunnel. Inside the tunnel there is also the 0.0.0.0/0.0.0.0 defined.

 

Now I wonder how I can assure that the FGT can perform their connections fo FortiGuard services, performing signature and ISDB updates etc. as well as checking for firmware at Fortinet directly from the FGT itself without going the whole way through the tunnel towarding the main office.

 

Actually I configred at least the both external internet DNS servers that are configured on the both FGT in the routing table as static route pointing to the gateway from the provider. A static route for the ISDB service "Fortinet-FortiGuard" is also directing to the corresponding WAN gateway interface. In the policy traffic logs I cannot see any packets going throw or being blocked for this FortiGuard traffic at all.

 

Regards,

Daniel

 

Is there any option for this scenario?

 

4 replies

ddeguzman
Staff
ddeguzman
Staff
June 28, 2024

Dear ddiez,

 

You may try referring with the required services and ports on this article. 
https://docs.fortinet.com/document/fortigate/7.2.0/fortios-ports/622145/anycast-and-unicast-services

https://docs.fortinet.com/document/fortigate/7.2.0/fortios-ports/160067/outgoing-ports

I assume "Fortinet-FortiGuard" static route to your local gateway should be sufficient but you can cross check the document for further reference.

Thank you.

Regards,
Denice

    jbernabe
    Staff
    jbernabe
    Staff
    June 28, 2024

    Dear ddiez,


    To verify if your fortigate is not traversing towards IPSec tunnel when reaching the fortiguard servers.

    Try to do a ping and traceroute from your fortigate towards fortiguard servers.
    # ping service.fortiguard.net
    # exec traceroute service.fortiguard.net
    Fortiguard servers must be reachable for ping test.
    For traceroute hops should be traversing to your WAN gateway interface and not in your IPSec Tunnel.

    If the traceroute hops were not traversing to your WAN gateway interface, you may consider editing your routing table and filter only the traffic that will traverse to IPSec tunnel and to your WAN gateway.

    You may try also to use policy route to manipulate your traffic routes towards exited interface.
    https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-p/189996

    Regards,
    Jef

      hbac
      Staff
      hbac
      Staff
      June 28, 2024

      Hi @ddiez,

       

      So you have 2 default routes? One to local WAN and one to the tunnel? If so, you can configure policy routes to route FortiGuard traffic to wan and anything else to the tunnel. 

       

      Regards,  

        ddiez
        ddiezAuthor
        Explorer III
        July 1, 2024

        I already put in a static route for the ISDB "Fortinet-FortiGuard" pointing to the WAN, but this seem not to be the correct (or only one) that is needed to get the connection working, still have this message: "Unable to connect to FortiGuard servers" ... Maybe I have to add further Fortinet-services as static route. But hard to find out wheter - maybe - "Fortinet-FortiCloud" may help for this or even other predefined internet services.

        ddeguzman
        Staff
        ddeguzman
        Staff
        July 1, 2024

        Hi ddiez,

         

        Can you try disabling anycast and follow the document below if it helps fixing the "Unable to connect to FortiGuard servers" error?
        https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGuard-is-not-reachable-via-Anycast-default/ta-p/190041?externalId=FD50536

         

        Regards,
        Denice

        Yurisk
        SuperUser
        Yurisk
        SuperUser
        July 2, 2024

        May be worth splitting your FGT into 2 VDOMs - leave the current configuration as the root VDOM (will be auto-assigned on enabling multi-vdom mode and restart) and then add another VDOM with inter-VDOM link as ADministrative VDOM to reach Internet via the root VDOM. Then you will be able to set up SD-WAN on root VDOM and have 2 default gateways - via IPSec tunnel and WAN, managing which traffic goes to which via regular and proven SD-WAN rules. 

        On a second thought - quite a large change for small benefit :) . Did you try setting source interface to be WAN for the Fortiguard service ? https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-control-change-the-FortiGate-source-IP-for/ta-p/194903 

        Terms & ConditionsCookie settingsAccessibility statement