FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 191904



This article explains how to configure the FortiGate unit to use a proxy server to connect to the FortiGuard Distribution Network (FDN).



Note that proxy tunneling itself is supported only for registration, AV, and IPS updates.  For the virtual FortiGate version, it is also used for license validation. For Web Filtering/Spam Filtering, UDP protocol is used on ports 53 or 8888. The UDP protocol traffic cannot be directed over a proxy server. Even for the newer versions of FortiOS where Web Filtering is supported over port 443, the connection is not supported via this proxy server.

The following points should be noted before using this solution:
  • The FortiGate unit connects to the proxy server using the HTTP CONNECT method, as described in RFC 2616.
  • The proxy MUST NOT do HTTPS inspection of the FortiGate’s communication.
  • The FortiGate unit sends an HTTP CONNECT request to the proxy server (optionally with authentication information) specifying the IP address and port required to connect to the FDN.
  • FortiGate must be configured with DNS servers resolving addresses of FDN servers. Registration and AV/IPS updates will not work without proper DNS resolution of FDN servers by FortiGate itself.
  • The proxy server establishes the connection to the FDN and passes information between the FortiGate unit and the FDN.

The syntax to properly set the auto-update tunneling is as follows:
config system autoupdate tunneling
    set address <proxy_address>
    set password <password>
    set port <proxy_port>
    set status {enable | disable}
    set username

The configuration of the proxy server with IP address, listening on port 3128/TCP and without authentication:
config system autoupdate tunneling
    set address
    set port 3128
    set status enable
Note: Virtual FortiGate running FortiOS <= 5.4.0: Against the physical FortiGate device for the Virtual FortiGate the validity of the VM license must be verified. Configure the proxy tunneling before applying the VM license, because the configuration of proxy is not possible with an applied and NOT verified VM license (This note is not valid for v5.4.1).
Additional Note: In a closed network without a direct internet connection for Web/Spam Filtering, an alternate solution is to use FortiManager as the FortiGuard Server. FortiManager in turn supports proxy for both updates and rating. The FortiGates will get their updates/ratings via the FortiManager.


Related Articles:


Troubleshooting Tip: Diagnosing FortiGuard problems of Antivirus, Intrusion Prevention, Web Filterin...

Technical Note: How FortiGate updates to FortiGuard server via proxy tunnelling

Technical Tip: How to setup FortiGate to get updates from FortiManager

Configuring devices to use the built-in FDS