FortiGate
Chandra_FTNT
Staff
Article Id 193540

Description

 
This article describes how to redirect updates such as signature updates and license syncs to a different WAN interface using the web-proxy feature on the FortiGate.

Requirement: Two WAN interfaces are configured on the FortiGate, but license synchronization and signature updates should be sent only through a specific WAN interface, which has the lower route priority.

By default, license and signature updates leave through the WAN interface selected by route priority.
 
Scope
 
FortiGate.


Solution

 

To work around this, use the web proxy on the FortiGate: enable the explicit web proxy on a dummy interface (or any LAN interface IP), enable proxy tunneling for FortiGuard updates towards that proxy address, and create an explicit proxy policy that always sends the proxied traffic out the chosen interface for signature and license updates.

Note: For failback to the primary WAN for signature updates, another explicit proxy policy is required so that signature and license updates fail over to the next available WAN. Web filter and antispam updates are excluded from this redirection.

Configuration (CLI):

Port1 and Port7 are both WAN interfaces, and the update traffic should leave through Port7. Port1 has a higher priority than Port7, so by default all FortiGate self-originated traffic uses Port1.

Configure a dummy interface with a dummy IP and enable the explicit web proxy on it (any existing LAN interface can be used instead):
 
config system interface
    edit "port8"
        set vdom "root"
        set ip 1.1.1.2 255.255.255.0
        set type physical
        set explicit-web-proxy enable
        set role lan
        set snmp-index 8
    next
end
 
Port7 is the secondary WAN to which traffic is to be directed:
 
config system interface
    edit "port7"
        set vdom "root"
        set ip 10.1.1.1 255.255.255.0
        set type physical
        set role wan
        set snmp-index 7
    next
end

Configure proxy tunneling for FortiGuard updates to the proxy IP and port:
 
config system autoupdate tunneling
    set status enable
    set address "10.1.1.1"
    set port 8080
end
 
 
Create an explicit proxy policy from the web proxy to the desired WAN interface. In this example, Port7 is the secondary WAN.
 
config firewall explicit-proxy-policy
    edit 3
        set uuid d05baa6e-4b63-51e7-dcdd-7aa3f3181bdd
        set proxy web
        set dstintf "port7"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
    next
end
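The note above states that a second explicit proxy policy is required so that updates fail back to the primary WAN when Port7 is not usable, but the article does not show that policy. The following is an added example, not configuration from the article: it keeps policy 3 from the article and appends a fallback policy for port1 after it, so the fallback is evaluated only when the port7 policy does not match. The policy ID 4 is an assumption; the remaining keys and values are the ones the article already uses.

```fortios
config firewall explicit-proxy-policy
    edit 3
        # Policy from the article: proxied update traffic leaves through port7 (secondary WAN).
        set proxy web
        set dstintf "port7"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
    next
    edit 4
        # Added fallback policy (ID 4 is assumed): evaluated after policy 3, so it is used
        # only when the port7 policy does not match, sending the updates through port1.
        set proxy web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
    next
end
```

Policy order matters here: the port7 policy must stay above the port1 policy, otherwise the primary WAN is matched first and the redirection never takes effect. After applying the fallback, run the same update test as below and confirm that the "Proxy tunneling enabled" line still appears, then repeat with port7 administratively down to confirm updates still complete.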
 
Results of traffic being sent to Port7:
 
ion-kvm25 # upd_daemon[1094]-Received update now request
do_setup[217]-Starting SETUP
upd_act_setup[191]-Trying FDS 208.91.112.68-443
tcp_connect_fds[175]-Proxy tunneling enabled to 10.1.1.1:8080
ssl_connect_fds[484]-Failed SSL connecting (1,0,error:14090086:lib(20):func(144):reason(134))
upd_comm_connect_fds[591]-Failed SSL connect
upd_act_setup[195]-Failed connecting to 208.91.112.68-443
do_setup[261]-Failed setup
__upd_act_update[279]-Trying FDS 208.91.112.68-443 with AcceptDelta=0
tcp_connect_fds[175]-Proxy tunneling enabled to 10.1.1.1:8080

 

Related article:

Technical Tip: FortiGuard updates using a proxy server