Chandra_FTNT
Staff
Created on 06-22-2017 07:28 AM
Edited on 01-28-2025 12:25 AM by Jean-Philippe_P
Article Id 193540
Description
This article describes how to redirect FortiGate self-originated updates, such as FortiGuard signature updates and license synchronization, to a specific WAN interface using the explicit web proxy feature on the FortiGate.
Requirement: Two WAN interfaces are configured on the FortiGate, but license synchronization and signature updates should always leave via one specific WAN interface, which is not the preferred one in the routing table.
By default, license and signature updates follow the route priority and use the WAN interface with the preferred route.
Scope
FortiGate.
Solution
To work around this, use the explicit web proxy on the FortiGate: enable the explicit web proxy on a dummy interface (or on any existing LAN interface), configure autoupdate proxy tunneling so the update daemon sends its FortiGuard connections through that proxy, and create an explicit proxy policy whose destination interface is the desired WAN interface. Signature and license updates then always leave via that interface regardless of route priority.
Note: For failback to the primary WAN for signature updates, another explicit proxy policy is required so that updates fail over to the next available WAN interface. Web filter and antispam updates are not covered by this method.
Configuration (CLI).
Port1 and Port7 are WAN interfaces, and the update traffic should leave via Port7. Port1's route has higher priority than Port7's, so by default all FortiGate self-originated traffic leaves on Port1.
Configure a dummy interface with a dummy IP and enable the explicit web proxy on it (any existing LAN interface can be used instead). The example uses 1.1.1.2, which is a public address; in production choose an address from a private range that is not otherwise routed:
config system interface
edit "port8"
set vdom "root"
set ip 1.1.1.2 255.255.255.0
set type physical
set explicit-web-proxy enable
set role lan
set snmp-index 8
next
end
Port7 is the secondary WAN interface to which the update traffic is to be directed:
config system interface
edit "port7"
set vdom "root"
set ip 10.1.1.1 255.255.255.0
set type physical
set role wan
set snmp-index 7
next
end
Configure autoupdate proxy tunneling so the update daemon sends its FDS connections through the explicit web proxy (the example uses 10.1.1.1 and port 8080, the default explicit web proxy listening port):
config system autoupdate tunneling
set status enable
set address "10.1.1.1"
set port 8080
end
Create an explicit proxy policy with Port7 as the destination interface so that the proxied update traffic always leaves via Port7:
config firewall explicit-proxy-policy
edit 3
set uuid d05baa6e-4b63-51e7-dcdd-7aa3f3181bdd
set proxy web
set dstintf "port7"
set srcaddr "all"
set dstaddr "all"
set service "webproxy"
set action accept
set schedule "always"
next
end
Update daemon debug output with the update traffic sent to Port7. The tcp_connect_fds lines confirm that the FDS connection is tunneled through the proxy at 10.1.1.1:8080. Note that in this capture the TLS handshake then fails with OpenSSL error 14090086 (certificate verify failed), so after applying the configuration confirm that the connection through the proxy completes and the update actually succeeds:
ion-kvm25 # upd_daemon[1094]-Received update now request
do_setup[217]-Starting SETUP
upd_act_setup[191]-Trying FDS 208.91.112.68-443
tcp_connect_fds[175]-Proxy tunneling enabled to 10.1.1.1:8080
ssl_connect_fds[484]-Failed SSL connecting (1,0,error:14090086:lib(20):func(144) :reason(134))
upd_comm_connect_fds[591]-Failed SSL connect
upd_act_setup[195]-Failed connecting to 208.91.112.68-443
do_setup[261]-Failed setup
__upd_act_update[279]-Trying FDS 208.91.112.68-443 with AcceptDelta=0
tcp_connect_fds[175]-Proxy tunneling enabled to 10.1.1.1:8080
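The debug excerpt above is what a practitioner checks after applying this configuration: every FDS attempt should show a "Proxy tunneling enabled to" line with the configured proxy address, and no TLS or connection failure. The following script is an added example, not code from the Fortinet article or from FortiOS. It parses upd_daemon debug lines using the message patterns visible on the page, groups them into per-server connection attempts, and reports any attempt that was not tunneled through the expected proxy or that failed. The sample capture is constructed from the excerpt; the expected proxy address 10.1.1.1:8080 is the autoupdate tunneling setting from the article.

```python
"""Parse FortiGate update-daemon (upd_daemon) debug output and verify that
FortiGuard (FDS) connections go through the expected explicit web proxy.

Added example, not code from the Fortinet article or from FortiOS. The
message patterns are taken from the debug excerpt on the page; the sample
capture below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# upd_daemon messages as they appear in the article's debug output.
RE_TRY = re.compile(r"Trying FDS (\d{1,3}(?:\.\d{1,3}){3})-(\d+)")
RE_TUNNEL = re.compile(r"Proxy tunneling enabled to (\S+):(\d+)")
RE_SSL_FAIL = re.compile(r"Failed SSL connecting \(\d+,\d+,error:([0-9A-Fa-f]+):")
RE_FAIL = re.compile(r"Failed connecting to (\d{1,3}(?:\.\d{1,3}){3})-(\d+)")

# OpenSSL error code seen on the page. 14090086 is
# SSL routines:ssl3_get_server_certificate:certificate verify failed.
OPENSSL_ERRORS = {"14090086": "certificate verify failed"}


@dataclass
class Attempt:
    """One FDS connection attempt reconstructed from the debug lines."""
    server: str
    port: int
    proxy: Optional[str] = None      # "host:port" when tunneled via a proxy
    ssl_error: Optional[str] = None  # OpenSSL error code if the TLS handshake failed
    failed: bool = False             # "Failed connecting to" was logged


def parse_upd_debug(lines: List[str]) -> List[Attempt]:
    """Group upd_daemon debug lines into per-FDS-server connection attempts."""
    attempts: List[Attempt] = []
    cur: Optional[Attempt] = None
    for line in lines:
        # Drop a leading "hostname # " CLI prompt if the capture kept it.
        msg = line.split(" # ", 1)[-1].strip()
        m = RE_TRY.search(msg)
        if m:
            cur = Attempt(server=m.group(1), port=int(m.group(2)))
            attempts.append(cur)
            continue
        if cur is None:
            continue  # lines before the first "Trying FDS" belong to no attempt
        m = RE_TUNNEL.search(msg)
        if m:
            cur.proxy = f"{m.group(1)}:{m.group(2)}"
            continue
        m = RE_SSL_FAIL.search(msg)
        if m:
            cur.ssl_error = m.group(1)
            continue
        if RE_FAIL.search(msg):
            cur.failed = True
    return attempts


def check_attempts(attempts: List[Attempt], expected_proxy: str) -> Tuple[bool, List[str]]:
    """Return (ok, findings). ok is True only if every attempt was tunneled via
    expected_proxy and no TLS or connection failure was logged for it."""
    findings: List[str] = []
    for i, a in enumerate(attempts, 1):
        target = f"{a.server}:{a.port}"
        if a.proxy is None:
            findings.append(f"attempt {i} to {target}: not tunneled through any proxy")
        elif a.proxy != expected_proxy:
            findings.append(f"attempt {i} to {target}: tunneled via {a.proxy}, expected {expected_proxy}")
        if a.ssl_error is not None:
            meaning = OPENSSL_ERRORS.get(a.ssl_error, "unrecognised OpenSSL error")
            findings.append(f"attempt {i} to {target}: TLS failed, error {a.ssl_error} ({meaning})")
        elif a.failed:
            findings.append(f"attempt {i} to {target}: connection failed")
    return (not findings, findings)


# Constructed sample capture, modelled on the article's debug excerpt.
SAMPLE_CAPTURE = [
    "ion-kvm25 # upd_daemon[1094]-Received update now request",
    "do_setup[217]-Starting SETUP",
    "upd_act_setup[191]-Trying FDS 208.91.112.68-443",
    "tcp_connect_fds[175]-Proxy tunneling enabled to 10.1.1.1:8080",
    "ssl_connect_fds[484]-Failed SSL connecting (1,0,error:14090086:lib(20):func(144) :reason(134))",
    "upd_comm_connect_fds[591]-Failed SSL connect",
    "upd_act_setup[195]-Failed connecting to 208.91.112.68-443",
    "do_setup[261]-Failed setup",
    "__upd_act_update[279]-Trying FDS 208.91.112.68-443 with AcceptDelta=0",
    "tcp_connect_fds[175]-Proxy tunneling enabled to 10.1.1.1:8080",
]

EXPECTED_PROXY = "10.1.1.1:8080"  # autoupdate tunneling address:port from the article

if __name__ == "__main__":
    ok, findings = check_attempts(parse_upd_debug(SAMPLE_CAPTURE), EXPECTED_PROXY)
    print("OK" if ok else "PROBLEMS:")
    for f in findings:
        print(" -", f)
```

Run against the sample capture it reports that both attempts were tunneled via 10.1.1.1:8080, as the configuration intends, and that the first attempt's TLS handshake failed with certificate verification, which is exactly the point to investigate before trusting that updates are flowing. Feed it the output of the update daemon debug on your own unit to confirm the proxy path after changing the configuration.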