FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
iskandar_lie
Staff
Article Id 248239
Description: This article shows an example FortiGate configuration that lets it retrieve update and rating responses for DNS filter and web filter from FortiManager acting as a local FDS.
Scope: Any supported version of FortiOS.
Solution

Scenario: 

1) A FortiGate is set up to retrieve the update and rating response from FortiManager.

2) FortiManager is set up to receive the rating and update request at its main IP address (not covered in this KB).  

 

FortiManager IP address: 192.168.15.1 

 

# config system central-management
set mode normal
set type fortimanager
set schedule-config-restore enable
set schedule-script-restore enable
set allow-push-configuration enable
set allow-push-firmware enable
set allow-remote-firmware-upgrade enable
set allow-monitor enable
set fmg "192.168.15.1"
set fmg-source-ip 0.0.0.0
set fmg-source-ip6 ::
set local-cert ''
unset ca-cert
set vdom "root"

config server-list
edit 1
set server-type update rating
set addr-type ipv4
set server-address 192.168.15.1
next
end
set fmg-update-port 8890  
set include-default-servers enable <-- can be disabled if FortiGuard is not needed as a backup update server
set enc-algorithm high
set interface-select-method auto
end

 

Two protocol and port combinations are commonly used for the rating lookups and work well together:

- protocol: 'http', port '80'

- protocol: 'udp', port '8888'

 

# config system fortiguard
set fortiguard-anycast disable <-- needs to be disabled
set protocol udp
set port 8888
end
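The two config blocks above must agree with each other (server-list address equals the fmg address, the entry serves both update and rating, anycast disabled, one of the two listed protocol/port pairs). The following checker is an added example, not Fortinet code: it parses a FortiOS CLI-style dump (a constructed sample built from the article's blocks) and reports any setting that deviates from the article.

```python
# Hypothetical checker (added example, not Fortinet code) for the local-FDS settings above.
ALLOWED_COMBOS = {("http", "80"), ("udp", "8888")}  # protocol/port pairs the article lists
# Constructed sample: the article's two config blocks, trimmed to the relevant keys.
SAMPLE_CONFIG = """
config system central-management
    set fmg "192.168.15.1"
    config server-list
        edit 1
            set server-type update rating
            set server-address 192.168.15.1
        next
    end
end
config system fortiguard
    set fortiguard-anycast disable <-- needs to be disabled
    set protocol udp
    set port 8888
end
"""
def parse_fortios(text):
    """Parse FortiOS CLI text into {section_path: {key: value}} (config/edit push, next/end pop)."""
    tree, path = {}, []
    for raw in text.splitlines():
        words = raw.split("<--")[0].lstrip("# ").split()  # drop '#' prompt and '<--' note
        if not words:
            continue
        if words[0] in ("config", "edit"):
            path.append(" ".join(words[1:]))
        elif words[0] in ("next", "end") and path:
            path.pop()
        elif words[0] in ("set", "unset"):
            value = " ".join(words[2:]).strip("\"'") if words[0] == "set" else None
            tree.setdefault("/".join(path), {})[words[1]] = value
    return tree
def check_local_fds(text):
    """Return a list of findings; an empty list means the config matches the article."""
    t = parse_fortios(text)
    cm = t.get("system central-management", {})
    srv = t.get("system central-management/server-list/1", {})
    fg = t.get("system fortiguard", {})
    findings = []
    if srv.get("server-address") != cm.get("fmg"):
        findings.append("server-list address does not match fmg address")
    if not {"update", "rating"} <= set(srv.get("server-type", "").split()):
        findings.append("server-list entry must serve both update and rating")
    if fg.get("fortiguard-anycast") != "disable":
        findings.append("fortiguard-anycast must be disabled")
    if (fg.get("protocol"), fg.get("port")) not in ALLOWED_COMBOS:
        findings.append("protocol/port must be http/80 or udp/8888")
    return findings
```

Run `check_local_fds()` on the output of `show system central-management` and `show system fortiguard` pasted together; the returned list is empty when the device matches the article's settings.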

 

After setting up the above configuration, the FortiGate main dashboard will show a lookup on the FortiManager address (192.168.15.1):

 

[Screenshot: FortiGate dashboard showing the FortiGuard lookup against 192.168.15.1]

 

The following screenshots show the System -> FortiGuard page in the GUI:

 

[Screenshots: System -> FortiGuard page]

 

The following debug output shows the FortiGate connecting to the FortiManager for updates:

 

FGT2 # config global

FGT2 (global) # diagnose debug application update -1
Debug messages will be on for 30 minutes.

FGT2 (global) # diagnose debug enable

FGT2 (global) # execute update-now

FGT2 (global) # upd_daemon[1789]-Received update now request
upd_daemon[1603]-Found cached action=00000002
do_update[608]-Starting now UPDATE (final try)
upd_comm_connect_fds[455]-Trying FMG 192.168.15.1:8890
tcp_connect_fds[231]-Binding to interface 11
[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)

 

Related document: 

https://community.fortinet.com/t5/FortiManager/Technical-Tip-Configure-FortiManager-as-a-local-FDN-s...