Description

This article describes the configuration when both FortiGate-VM and FortiManager-VM have no internet access (air-gap).

FGT-VM (no internet access)----FMG-VM (no internet access).

Scope

For FortiGate and FortiManager-VM and hardware devices v7.2 Firmware.

Solution

The configuration needed on FortiGate-VM and FMG-FortiManager is as below:

1. Upload the FortiManager entitlement file on FortiManager-VM (Contact the customer service team to get the Entitlement file).

2. Configure the below settings on FortiManager to allow FortiGate to query and FortiManager to remain offline.

• Enable FortiGate Updates and Web filtering on Port where FortiGate is connected under System Settings-> Network-> Port where FortiGate is connected -> Service Access.

Setting son interface level

• Disable communication with the FortiGuard server using the toggle Button under FortiGuard -> Settings-> Enable Communication with FortiGuard Server and Enable Antivirus and IPS Service for relevant FortiOS versions.

Choose the FGT version

Important note:

Disable access to the public FortiGuard Distribution Servers (FDS) using the CLI command below to avoid periodic license checks, which may lead to the FortiManager showing as unregistered:

FortiManager CLI:

config fmupdate publicnetwork
    set status disable
end

•  Enable Webfilter Service and Email Filter Service as per the screenshot below:

3. Download all available AV/IPS DB from support.fortinet.com under Support -> Service Updates.

Select the appropriate firmware

Select the applicable platform

4. Upload the downloaded signature DB under FortiGuard -> Package Management-> Receive Status -> Import.

Upload available signature DB and click OK

5.  After the import is successful DB will be visible under FortiGuard-> Package Management-> Receive Status.

After DB upload

Import complete

Before DB upload

6.  Export Webfilter query, Antispam Query, and GeoIP query DB from a FortiManager with a working Internet connection under FortiGuard-> Query Server Management -> Receive Status -> Export.

Select the query DB required and click on Export

7. Upload these downloaded DB to offline FortiManager under FortiGuard -> Query Server Management-> Receive Status -> Import.

Upload the Query DB and click on OK 

8.  Once the import is successful Query DB will be visible as shown in the screenshots:

Import Complete

After successful Query DB upload

After successful Query DB upload

Before Query DB is Uploaded 

9. Upload the FortiGate-VM license file under FortiGuard-> Settings-> Upload Options for FortiGate/FortiMail -> Service License.

Load VM license file and click OK

10. Upload the FortiGate-VM Entitlement license file (Contact customer service for Entitlement file) under FortiGuard-> Settings-> Upload Options for FortiGate/FortiMail -> Service License.

Get the file from Customer service team and click on OK after upload

11. Configure Central management on FortiGate and Authorize device.

Enable Central management and configure server list as FMG IP

Related article:

Technical Tip: Configure FortiManager as a local FDN server for FortiGates