frottier, Staff
Description
This article focuses on the configuration of the Webfiltering service using a FortiManager that reaches the internet through a Web Proxy. It also covers the configuration needed for the Webfiltering rating function to work correctly.

FortiManager can act as a standalone FDS server, independently of its device-management role. It provides the following FortiGuard services:
  • FGD services -> Webfiltering + AntiSpam
  • FDS services -> IPS + AntiVirus
  • Service license

Packages, databases and FortiGate service licenses will be downloaded from public FDS servers.

Scope
Firmware v5.2.3, v5.2.4.

Solution
Configuration CLI

Step 1. Configuration of the FortiManager

1) The FortiManager needs a minimum of 10GB of RAM for the Webfiltering service to function correctly.

2) Once RAM provisioning is correct, use the CLI to increase the memory usage allowed for the Webfiltering service.
config fmupdate web-spam fgd-setting
    set wf-cache 4000
    set wf-preload enable
end

3) Using the CLI, enable the FortiManager to provide Webfiltering services.
config fmupdate service
    set query-webfilter enable
end

Note that this automatically initiates the Webfiltering database download from FortiGuard; this may take a few hours.

4) Using the CLI, enable the Webfiltering service on the interface used for the service (in this example "port1" is used).
config system interface
    edit "port1"
        set serviceaccess webfilter-antispam fgtupdates
    next
end

The Webfiltering service will be fully operational once the complete Webfiltering database has been downloaded from FortiGuard.

5) Using the CLI, set the interval at which the Webfiltering database is polled for changes to every 20 minutes.
config fmupdate web-spam poll-frequency
    set time 0:20
end

6) Enable the FortiManager to connect to the FortiGuard FDS network via a Web Proxy, for example 10.10.10.10:8080.
config fmupdate av-ips web-proxy
    set ip 10.10.10.10
    set port 8080
    set status enable
end

config fmupdate web-spam web-proxy
    set ip 10.10.10.10
    set port 8080
    set status enable
end

It is important to set up the Web Proxy IP and port in both the av-ips and the web-spam service settings; a proxy configured on only one of them leaves the other service unable to reach FortiGuard.


Step 2. Configuration of the FortiGate

On the FortiGate, define the FortiManager as the FDS server using the CLI.
config system central-management
    set type fortimanager
    set serial-number "fmg-serial-number"
    set fmg "fmg-ip-address"
    config server-list
        edit 1
            set server-type update rating       --> enable the Webfiltering rating request
            set server-address fmg-ip-address
        next
    end
    set include-default-servers disable         --> enable or disable as needed
end
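As an added check for Step 1 and Step 2 (this script is not part of the original article and is not Fortinet code): a small Python program that parses FortiOS-style CLI exports (the nested config/edit/set/next/end format shown above) and verifies the FortiManager-side settings (query-webfilter enabled, webfilter-antispam allowed on an interface, identical proxy settings in the av-ips and web-spam tables) and the FortiGate-side server-list entry that sends update and rating requests to the FortiManager. The two configuration exports embedded in it are constructed samples; the serial number and IP addresses are placeholders, and the web-spam proxy port is deliberately set wrong so that the consistency check reports it.

```python
"""Audit FortiOS-style CLI exports for the Step 1 (FortiManager) and Step 2 (FortiGate) settings."""
import shlex

# Constructed FortiManager export (not from a real device). The web-spam proxy
# port is deliberately wrong so the consistency check below fires.
SAMPLE_FMG_CONFIG = """\
config fmupdate service
    set query-webfilter enable
end
config system interface
    edit "port1"
        set serviceaccess webfilter-antispam fgtupdates
    next
end
config fmupdate av-ips web-proxy
    set ip 10.10.10.10
    set port 8080
    set status enable
end
config fmupdate web-spam web-proxy
    set ip 10.10.10.10
    set port 3128
    set status enable
end
"""

# Constructed FortiGate export; the serial number and IP are placeholders.
SAMPLE_FGT_CONFIG = """\
config system central-management
    set type fortimanager
    set serial-number "FMG-SERIAL-PLACEHOLDER"
    set fmg "10.10.20.5"
    config server-list
        edit 1
            set server-type update rating
            set server-address 10.10.20.5
        next
    end
    set include-default-servers disable
end
"""


def parse_fortios_config(text):
    """Flatten config/edit ... set ... next/end blocks into {path tuple: {key: [values]}}."""
    cfg, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # handles edit "port1" and quoted values
        if tokens[0] == "config":
            stack.append(tuple(tokens[1:]))
        elif tokens[0] == "edit":
            stack.append((tokens[1],))
        elif tokens[0] in ("next", "end") and stack:
            stack.pop()
        elif tokens[0] == "set":
            path = tuple(part for frame in stack for part in frame)
            cfg.setdefault(path, {})[tokens[1]] = tokens[2:]
    return cfg


def audit_fortimanager(text):
    """Return a list of findings for the Step 1 settings; an empty list means all checks passed."""
    cfg, findings = parse_fortios_config(text), []
    if cfg.get(("fmupdate", "service"), {}).get("query-webfilter") != ["enable"]:
        findings.append("fmupdate service: query-webfilter not enabled")
    if not any(path[:2] == ("system", "interface") and len(path) == 3
               and "webfilter-antispam" in s.get("serviceaccess", [])
               for path, s in cfg.items()):
        findings.append("system interface: no interface serves webfilter-antispam")
    # The proxy must match in both the av-ips and the web-spam table (Step 1, point 6).
    av_ips = cfg.get(("fmupdate", "av-ips", "web-proxy"), {})
    web_spam = cfg.get(("fmupdate", "web-spam", "web-proxy"), {})
    for key in ("status", "ip", "port"):
        if av_ips.get(key) != web_spam.get(key):
            findings.append(f"web-proxy {key} differs: av-ips={av_ips.get(key)} web-spam={web_spam.get(key)}")
    return findings


def audit_fortigate(text):
    """Return findings for Step 2: a server-list entry must send update and rating to the FortiManager."""
    cfg, findings = parse_fortios_config(text), []
    cm = cfg.get(("system", "central-management"), {})
    if cm.get("type") != ["fortimanager"]:
        findings.append("central-management: type is not fortimanager")
    fmg_ip = cm.get("fmg", [""])[0]
    if not any(path[:3] == ("system", "central-management", "server-list")
               and {"update", "rating"} <= set(s.get("server-type", []))
               and s.get("server-address") == [fmg_ip]
               for path, s in cfg.items()):
        findings.append("central-management: no server-list entry sends update and rating to the FortiManager")
    return findings
```

Feed each function the text of the relevant `show` output copied from the device; each returns a list of findings, so an empty list means the configuration matches the article. The FortiManager check compares status, ip and port between the av-ips and web-spam proxy tables, which is exactly the omission the note after point 6 warns about; on the sample above it reports the port mismatch and nothing else.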

Diagram

FortiGate --- FortiManager --- HTTP PROXY --- INTERNET

Verification of configuration and troubleshooting

Use this command on the FortiManager to check for correct communication:
diagnose fmupdate view-linkd-log fds
Press CTRL-C to stop the output and exit the command.

Use this command on the FortiManager to check the FortiGate license information:
diagnose fmupdate fgd-dbcontract

Use these commands on the FortiManager to restart the services:
diagnose fmupdate fds-updatenow
diagnose fmupdate fgd-updatenow

If the Webfiltering database is corrupted, it is possible to delete it. It will be downloaded again, but the service will be disrupted until the download completes:
diagnose fmupdate fgd-del-db wf

Before deleting the database:
  •  Disable the WF/AS client service on the FortiManager interface(s).
  •  Stop the WF/AS server service in the GUI under System Settings > FortiGuard Center.

On the FortiGate it is possible to clear the Webfiltering cache and restart the urlfilter daemon:
diagnose test application urlfilter 2       ---> Clear the cache
diagnose test application urlfilter 99      ---> Restart the daemon
