Solution
Note:
In this scenario, the FortiGate does not have internet access, but the standalone FortiManager does have internet access and both the FortiManager and FortiGate are running v7.4.5.
FortiManager Configuration:
- In the FortiManager GUI, verify that the 'Enable Communication with FortiGuard Server' feature is enabled by going to FortiGuard -> Settings:

Note:
The 'Enable Communication with FortiGuard Server' feature is enabled by default, but it is better to verify it, because if the feature is disabled the FortiManager will not reach out to the public FortiGuard Distribution Service servers.
This can also be verified via the FortiManager CLI using the below commands:
Atlantis-kvm108 # config fmupdate publicnetwork
(publicnetwork)# get
status : enable
Note:
If the feature is disabled, use the below FortiManager CLI commands to enable communication with the FortiGuard Distribution Service servers:
config fmupdate publicnetwork
    set status enable
end
- In the FortiManager GUI, if desired, enable the AntiVirus and IPS Service for the current FortiGate firmware version by going to FortiGuard -> Settings and, in the 'Enable AntiVirus and IPS Service' section, selecting '7.4' under 'FortiGate':

- Navigate to System Settings -> Network, select the internal interface that the FortiGate connects to and select 'Edit':

- On the 'Edit Network Interface' page, enable 'FortiGate Updates' and 'Web Filtering' in the 'Service Access' section, and leave the 'Bind to IP Address' fields at their default value of '0.0.0.0/0.0.0.0', then select 'OK' to save the configuration:

FortiGate Configuration:
- In the FortiGate GUI, to configure the FortiManager to act as the FortiGuard Distribution Service server, navigate to System -> FortiGuard. At the bottom of the page, expand the 'Override FortiGuard Servers' section and select 'Create New'.

- On the 'Create New Override FortiGuard Server' page, configure the following then select 'OK':
- Address Type: IPv4/IPv6/FQDN (Default is 'IPv4').
- Address: x.x.x.x (This will be the address of the FortiManager which in this scenario is 10.139.139.5).
- Type: AntiVirus and IPS Updates/Filtering/Both (Default is 'Both').
- After selecting 'OK' on the 'Create New Override FortiGuard Server' page, the GUI returns to the 'FortiGuard Distribution Network' page; select 'Apply' at the bottom of that page to save the configuration:

- To configure the FortiManager to act as the FortiGuard Distribution Service server via the FortiGate CLI, use the below commands:
config system central-management
    set type fortimanager
    config server-list
        edit 1
            set server-type update rating
            set type ipv4 <----- IPv4 is the default. Other options are ipv6 and fqdn.
            set server-address 10.139.139.5 <----- In this scenario, the FortiManager IP is 10.139.139.5.
        next
    end
    set include-default-servers disable
end
Note:
Setting 'include-default-servers' to disable removes the public FortiGuard servers from the override server list, so the FortiGate will only contact the FortiManager for FortiGuard updates.
- To test the configuration, run the below CLI commands to first initiate a FortiGuard Distribution Server update and then verify the FortiGate's 'FDS address':
execute update-now
diag autoupdate versions
- If the configuration is working correctly, the last lines of the 'diag autoupdate versions' output should display the FortiManager IP and port used for the updates (10.139.139.5:8890), as seen below:
Atlantis-kvm105 # diag autoupdate versions
====Output Truncated to only show the last few lines of the output====
Security Rating Data Package
---------
Version: 5.00044
Contract Expiry Date: Wed Feb 17 2027
Last Updated using scheduled update on Tue Dec 24 12:06:12 2024
Last Update Attempt: Tue Dec 24 13:06:08 2024
Result: No Updates

FDS Address <-----
---------
10.139.139.5:8890 <-----
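As an added example (not part of this article or of Fortinet's tooling), the following Python check parses the tail of the 'diag autoupdate versions' output and confirms that the reported FDS Address is the FortiManager rather than some other server. The sample output and the expected address 10.139.139.5:8890 are constructed from the values shown above; the section layout (header line followed by a dashed rule) is assumed from that sample.

```python
# Constructed sample, modelled on the truncated 'diag autoupdate versions'
# output quoted in this article (same values, line breaks restored).
SAMPLE_OUTPUT = """\
Security Rating Data Package
---------
Version: 5.00044
Contract Expiry Date: Wed Feb 17 2027
Last Updated using scheduled update on Tue Dec 24 12:06:12 2024
Last Update Attempt: Tue Dec 24 13:06:08 2024
Result: No Updates

FDS Address
---------
10.139.139.5:8890
"""

# FortiManager address and FDS port used in this scenario (from the article).
EXPECTED_FDS = "10.139.139.5:8890"


def parse_sections(output):
    """Split the output into {header: [body lines]}; a header is a line
    immediately followed by a dashed rule (layout assumed from the sample)."""
    lines = [ln.strip() for ln in output.splitlines()]
    sections, current = {}, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line and nxt and set(nxt) == {"-"}:
            current = line          # header line
            sections[current] = []
        elif line and set(line) == {"-"}:
            continue                # dashed rule under a header
        elif line and current is not None:
            sections[current].append(line)
    return sections


def fds_address(output):
    """Return the host:port listed under 'FDS Address', or None if missing."""
    body = parse_sections(output).get("FDS Address", [])
    return body[0] if body else None


def check_local_fds(output, expected=EXPECTED_FDS):
    """Return (ok, reason). ok only when the FortiGate reports the FortiManager
    as its FDS; any other address means the override is not in effect."""
    addr = fds_address(output)
    if addr is None:
        return False, "no 'FDS Address' section in output"
    if addr != expected:
        return False, f"FDS address is {addr}, expected FortiManager {expected}"
    return True, f"updates sourced from FortiManager at {addr}"
```

Paste the real command output into SAMPLE_OUTPUT (or read it from a file) to check a FortiGate in the field; a False result with a public address means the override or 'include-default-servers disable' step did not take effect.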