Skip to main content
nanashi
nanashi
Explorer II
May 1, 2023
Solved

Why can FortiGate communicate with FortiGuard ?

  • May 1, 2023
  • 4 replies
  • 2453 views

Hi,

 

On FortiGate, an IPsec Tunnel is configured to the AWS site-to-site VPN, which is the only configuration to communicate to the outside.

 

However, I have found some internet-service-name configs(ISDB) unintentionally rewrote like FortiGuard synchronized updates.

 

I wonder why this FortiGate can communicate with FortiGuard under the condition that IPsec Tunnel to the AWS site-to-site VPN is the only way and.

 

The configuration is like this:
---
config firewall policy
edit 1
set srcintf "LAN"
set dstintf "AWS_Tunnel"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
---

 

I would really appreciate if anyone gives an advice.

 

Thank you,

    Best answer by srajeswaran

    Are you asking how Fortigate communicate with Fortiguard even though you don't have a policy to allow that?

     

    if that's the question, then the fortiguard communication is a system generated/originated traffic and it don't require a firewall policy, it just needs the active route.  The firewall policy is for traffic passing through the firewall not for the traffic originated or destined to the device.

    Feel free to correct me if I misunderstood your question.

    4 replies

    Claud
    Claud
    Visitor III
    May 1, 2023

    the reason why this FortiGate can communicate with FortiGuard under the condition that IPsec Tunnel to the AWS site-to-site VPN is the only way is because of the firewall policy configuration that allows traffic from the LAN network to be transmitted over the VPN tunnel.

    srajeswaran
    Staff
    srajeswaranAnswer
    Staff
    May 1, 2023

    Are you asking how Fortigate communicate with Fortiguard even though you don't have a policy to allow that?

     

    if that's the question, then the fortiguard communication is a system generated/originated traffic and it don't require a firewall policy, it just needs the active route.  The firewall policy is for traffic passing through the firewall not for the traffic originated or destined to the device.

    Feel free to correct me if I misunderstood your question.

      nanashi
      nanashiAuthor
      Explorer II
      May 1, 2023

      Suraj,

       

      Your reply has cleared all my questions.

       

      Thank you for your reply!!

      nanashi
      nanashiAuthor
      Explorer II
      May 1, 2023

      Thanks for the reply.


      But, according to the configuration, the transmission over the IPsec VPN tunnel is limited to AWS site-to-site VPN, not FortiGuard.

       

      Thank you,

      nanashi
      nanashiAuthor
      Explorer II
      May 1, 2023

      Suraj,

       

      Your reply has cleared all my questions.

       

      Thank you for your reply!

      Terms & ConditionsAccessibility statement