FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Chandra_FTNT
Staff
Article Id 193540
Description
This article shows how to redirect FortiGuard traffic such as signature updates and license synchronization to a specific WAN interface by using the explicit web proxy on the FortiGate.

Requirement: Two WAN interfaces are configured on the FortiGate, but license synchronization and signature updates should leave only through a specific WAN interface, the one with the lower route priority.

By default, license and signature update traffic follows the routing table, so it leaves through whichever WAN interface the preferred route points at.

Solution
The workaround is to enable the explicit web proxy on a dummy interface (or on any LAN interface IP), configure FortiGuard autoupdate tunneling so the update daemon connects through that proxy, and create an explicit proxy policy whose destination interface is the required WAN. The update traffic is then always sent out the interface named in that policy, regardless of route priority.

Note: This pins the updates to one WAN. To fail over to the other WAN when that interface is down, and to fail back to the primary WAN afterwards, a second explicit proxy policy with the other WAN as its destination interface is required. Web filter and antispam queries are not covered by this configuration.

Configuration GUI

Port1 and Port7 are both WAN interfaces, and the update traffic must leave through Port7. Port1 has the higher route priority, so by default all FortiGate self-originated traffic leaves through Port1.

Enable the explicit web proxy on a dummy interface with a dummy IP (any existing LAN interface can be used instead). Prefer an RFC 1918 address for this: the 1.1.1.0/24 used in the example is a routable public range, and the connected route it creates will capture any traffic destined for that range.
config system interface
    edit "port8"
        set vdom "root"
        set ip 1.1.1.2 255.255.255.0
        set type physical
        set explicit-web-proxy enable
        set role lan
        set snmp-index 8
    next
end

Port7 is the secondary WAN to which traffic is to be directed:
config system interface
    edit "port7"
        set vdom "root"
        set ip 10.1.1.1 255.255.255.0
        set type physical
        set role wan
        set snmp-index 7
    next
end

Point the FortiGuard update daemon at the explicit proxy with autoupdate tunneling. Port 8080 is the explicit web proxy's default HTTP listening port:
config system autoupdate tunneling
    set status enable
    set address "10.1.1.1"
    set port 8080
end

Create an explicit proxy policy whose destination interface is the WAN the updates should use; in this example that is Port7, the secondary WAN. The policy below leaves srcaddr and dstaddr at all. If the proxy interface is reachable by other hosts, restrict srcaddr and dstaddr (for example to the FortiGuard server addresses) rather than leaving both at all, so the FortiGate does not act as an open proxy out of Port7.
config firewall explicit-proxy-policy
    edit 3
        set uuid d05baa6e-4b63-51e7-dcdd-7aa3f3181bdd
        set proxy web
        set dstintf "port7"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
    next
end

Results of the update daemon debug with the traffic being sent to Port7 (this kind of output is produced with diagnose debug application update -1 followed by execute update-now). The line Proxy tunneling enabled to 10.1.1.1:8080 confirms that the daemon connects to the FDS server through the explicit proxy rather than directly. The Failed SSL connecting line that follows is OpenSSL error 14090086 (certificate verify failed): this test system could not validate the FDS server certificate. That failure occurs after the proxy tunnel has already been used, so it is a certificate validation problem on the test system, not a routing one.
ion-kvm25 # upd_daemon[1094]-Received update now request
do_setup[217]-Starting SETUP
upd_act_setup[191]-Trying FDS 208.91.112.68-443
tcp_connect_fds[175]-Proxy tunneling enabled to 10.1.1.1:8080
ssl_connect_fds[484]-Failed SSL connecting (1,0,error:14090086:lib(20):func(144):reason(134))
upd_comm_connect_fds[591]-Failed SSL connect
upd_act_setup[195]-Failed connecting to 208.91.112.68-443
do_setup[261]-Failed setup
__upd_act_update[279]-Trying FDS 208.91.112.68-443 with AcceptDelta=0
tcp_connect_fds[175]-Proxy tunneling enabled to 10.1.1.1:8080
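To check a trace like the one above mechanically, the following Python script is an added example (not code from the article or from Fortinet). It parses upd_daemon debug lines, records for each FDS attempt whether the configured proxy tunnel was used and at which stage the attempt failed, and decodes the OpenSSL error code from the Failed SSL connecting line. The sample input is the article's trace, plus one constructed direct-connection trace for comparison; the expected proxy endpoint 10.1.1.1:8080 is the article's tunneling setting.

```python
"""Check FortiGate upd_daemon debug output for FortiGuard update attempts.

Added example, not code from the article or from Fortinet. It parses the
debug lines the update daemon prints, records per attempt whether the
explicit proxy tunnel was used, and decodes the OpenSSL error in
"Failed SSL connecting" lines.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Legacy OpenSSL error code packing: lib (8 bits) | func (12 bits) | reason (12 bits).
# 0x14090086 from the article = lib 20 (SSL), func 144, reason 134.
OPENSSL_REASONS = {
    134: "certificate verify failed",   # SSL_R_CERTIFICATE_VERIFY_FAILED
}

RE_TRY = re.compile(r"Trying FDS (\d+\.\d+\.\d+\.\d+)-(\d+)")
RE_TUNNEL = re.compile(r"Proxy tunneling enabled to (\d+\.\d+\.\d+\.\d+):(\d+)")
RE_SSL_FAIL = re.compile(r"Failed SSL connecting \(.*?error:([0-9A-Fa-f]{8})")
RE_CONN_FAIL = re.compile(r"Failed connecting to (\d+\.\d+\.\d+\.\d+)-(\d+)")


@dataclass
class Attempt:
    server: str                      # FDS server "ip:port" the daemon tried
    proxy: Optional[str] = None      # explicit proxy "ip:port", None = direct
    outcome: str = "incomplete"      # "ssl_failed", "connect_failed" or "incomplete"
    ssl_reason: Optional[str] = None


def parse_trace(text: str) -> List[Attempt]:
    """Split the debug output into one Attempt per 'Trying FDS' line."""
    attempts: List[Attempt] = []
    cur: Optional[Attempt] = None
    for line in text.splitlines():
        m = RE_TRY.search(line)
        if m:
            cur = Attempt(server=f"{m.group(1)}:{m.group(2)}")
            attempts.append(cur)
            continue
        if cur is None:
            continue
        m = RE_TUNNEL.search(line)
        if m:
            cur.proxy = f"{m.group(1)}:{m.group(2)}"
            continue
        m = RE_SSL_FAIL.search(line)
        if m:
            reason = int(m.group(1), 16) & 0xFFF
            cur.outcome = "ssl_failed"
            cur.ssl_reason = OPENSSL_REASONS.get(reason, f"openssl reason {reason}")
            continue
        # "Failed connecting to" also follows an SSL failure; only count it as a
        # TCP-level failure when no SSL error was reported for this attempt.
        if RE_CONN_FAIL.search(line) and cur.outcome == "incomplete":
            cur.outcome = "connect_failed"
    return attempts


def verify_tunnel(text: str, expected_proxy: str) -> dict:
    """Summarise whether every attempt went through the expected proxy tunnel."""
    attempts = parse_trace(text)
    return {
        "attempts": len(attempts),
        "all_via_expected_proxy": bool(attempts)
        and all(a.proxy == expected_proxy for a in attempts),
        "direct": [a.server for a in attempts if a.proxy is None],
        "ssl_failures": [(a.server, a.ssl_reason)
                         for a in attempts if a.outcome == "ssl_failed"],
    }


# Trace from the article (whitespace in the SSL line cleaned up).
ARTICLE_TRACE = """\
ion-kvm25 # upd_daemon[1094]-Received update now request
do_setup[217]-Starting SETUP
upd_act_setup[191]-Trying FDS 208.91.112.68-443
tcp_connect_fds[175]-Proxy tunneling enabled to 10.1.1.1:8080
ssl_connect_fds[484]-Failed SSL connecting (1,0,error:14090086:lib(20):func(144):reason(134))
upd_comm_connect_fds[591]-Failed SSL connect
upd_act_setup[195]-Failed connecting to 208.91.112.68-443
do_setup[261]-Failed setup
__upd_act_update[279]-Trying FDS 208.91.112.68-443 with AcceptDelta=0
tcp_connect_fds[175]-Proxy tunneling enabled to 10.1.1.1:8080
"""

# Constructed trace (not from the article) of an attempt that bypassed the
# proxy, i.e. what you would see if tunneling were disabled.
DIRECT_TRACE = """\
upd_act_setup[191]-Trying FDS 208.91.112.68-443
upd_act_setup[195]-Failed connecting to 208.91.112.68-443
do_setup[261]-Failed setup
"""

if __name__ == "__main__":
    for name, trace in (("article", ARTICLE_TRACE), ("direct", DIRECT_TRACE)):
        print(name, verify_tunnel(trace, "10.1.1.1:8080"))
```

Run it against the saved output of diagnose debug application update -1: an attempt listed under direct means the daemon ignored the tunnel and followed the routing table, while an entry under ssl_failures with certificate verify failed points at certificate validation rather than interface selection.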

Related Articles

Technical Note: FortiGuard updates using a proxy server
