Description
This article explains how to configure the FortiGate unit to use a proxy server to connect to the FortiGuard Distribution Network (FDN).
Scope
FortiGate.
Solution
Note that proxy tunneling itself is supported only for registration, Antivirus, and IPS updates. For the virtual FortiGate version, it is also used for license validation. Web Filtering and Spam Filtering use the UDP protocol on port 53 or 8888, and UDP traffic cannot be directed over a proxy server. Even in newer versions of FortiOS where Web Filtering is supported over port 443, that connection is not supported via this proxy server.
The following points should be noted before using this solution:
- The FortiGate unit connects to the proxy server using the HTTP CONNECT method, as described in RFC 2616.
- The proxy MUST NOT do HTTPS inspection of the FortiGate’s communication.
- The FortiGate unit sends an HTTP CONNECT request to the proxy server (optionally with authentication information) specifying the IP address and port required to connect to the FDN.
- The FortiGate must be configured with DNS servers that can resolve the addresses of the FDN servers. Registration and AV/IPS updates will not work unless the FortiGate itself can resolve the FDN server names.
- The proxy server establishes the connection to the FDN and passes information between the FortiGate unit and the FDN.
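The CONNECT exchange described above, as an added example that is not part of this article or of FortiOS: a minimal client-side request builder and proxy-side responder. The FDN address 192.0.2.10:443, the use of the Basic authentication scheme and the credentials are constructed assumptions.

```python
"""Simulated HTTP CONNECT exchange (RFC 2616) between an update client
such as a FortiGate and a proxy. All addresses, ports and credentials
below are constructed placeholders, not Fortinet values."""
import base64


def build_connect_request(host, port, username=None, password=None):
    # Basic is assumed here; the article only says "authentication information".
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if username is not None:
        cred = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {cred}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def proxy_answer(request, required_user=None, required_pass=None):
    """Proxy-side decision: parse the CONNECT line and return the status line
    the proxy would send. After a 2xx the proxy only relays bytes; it never
    looks inside the tunnel (no HTTPS inspection of the FDN traffic)."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = head[0].split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return "HTTP/1.1 400 Bad Request"
    host, _, port = parts[1].rpartition(":")
    if not host or not port.isdigit():
        return "HTTP/1.1 400 Bad Request"
    headers = {k.lower(): v for k, v in
               (h.split(": ", 1) for h in head[1:] if ": " in h)}
    if required_user is not None:
        expected = base64.b64encode(f"{required_user}:{required_pass}".encode()).decode()
        if headers.get("proxy-authorization", "") != f"Basic {expected}":
            return "HTTP/1.1 407 Proxy Authentication Required"
    return "HTTP/1.1 200 Connection established"


def tunnel_established(status_line):
    """RFC 2616: any 2xx reply means the tunnel is up and the client can start
    TLS to the FDN over the same socket; anything else is a failed attempt."""
    code = int(status_line.split(" ")[1])
    return 200 <= code < 300


def simulate(username=None, password=None, required_user=None, required_pass=None):
    """Run one exchange against a constructed placeholder FDN address and port."""
    req = build_connect_request("192.0.2.10", 443, username, password)
    return proxy_answer(req, required_user, required_pass)


if __name__ == "__main__":
    print(simulate(), tunnel_established(simulate()))
    print(simulate(required_user="u", required_pass="p"))
```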
The syntax to properly set the auto-update tunneling is as follows:
config system autoupdate tunneling
    set address <proxy_address>
    set password <password>
    set port <proxy_port>
    set status {enable | disable}
    set username <username>
end
Example:
Configuration for a proxy server with IP address 10.1.1.1, listening on TCP port 3128, without authentication:
config system autoupdate tunneling
    set address 10.1.1.1
    set port 3128
    set status enable
end
Note: For a virtual FortiGate running FortiOS 5.4.0 or earlier: unlike a physical FortiGate device, the virtual FortiGate must have the validity of its VM license verified. Configure proxy tunneling before applying the VM license, because the proxy configuration is not possible while a VM license has been applied but NOT yet verified. (This note does not apply to v5.4.1.)
Additional Notes:
- In a closed network without a direct internet connection, an alternative solution for Web/Spam Filtering is to use FortiManager as the FortiGuard server. FortiManager in turn supports a proxy for both updates and rating, and the FortiGates get their updates and ratings via the FortiManager.
- If the FortiGuard updates are not successful with autoupdate tunneling enabled, be sure to check the following in the CLI:
config system central-management
show full | grep type
If 'type' is set to 'none', ensure that 'include-default-servers' is set to 'enable'. If it is set to 'disable', the FortiGate will not reach out to the default FortiGuard servers and the connection will fail. Alternatively, set 'type' to 'FortiGuard'; this removes the 'include-default-servers' option because the default servers are then enforced automatically.
Related Articles:
Troubleshooting Tip: Diagnosing FortiGuard problems of Antivirus, Intrusion Prevention, Web Filterin...
Technical Note: How FortiGate updates to FortiGuard server via proxy tunnelling
Technical Tip: How to setup FortiGate to get updates from FortiManager
Configuring devices to use the built-in FDS