Description
This article describes how to configure the Web filtering service using a FortiManager placed behind a Web Proxy for internet access. It also covers the configuration needed for the Web filtering rating service to work correctly.
FortiManager can act as a standalone FDS server, independent of device management, and provides the following FortiGuard services:
- FGD services -> Webfiltering + AntiSpam.
- FDS services -> IPS + AntiVirus.
- Service license.
Packages, databases, and FortiGate service licenses will be downloaded from public FDS servers.
Scope
FortiManager.
Solution
CLI configuration:
Step 1. Configuration of the FortiManager
- The FortiManager needs a minimum of 16GB of RAM for the Web filtering service to work correctly.
- Once the RAM is provisioned, use the CLI to increase the memory allowed for the Web filtering service.
config fmupdate web-spam fgd-setting
set wf-cache 4000
set wf-preload enable
end
- Using the CLI, enable the FortiManager to provide Web filtering services.
config fmupdate service
set query-webfilter enable
end
Note that this automatically initiates the Web filtering database download from FortiGuard, which may take a few hours.
- Using the CLI, enable the Web filtering service on the interface used for it (in this example 'port1').
config system interface
edit "port1"
set serviceaccess webfilter-antispam fgtupdates
end
The Web filtering service will be fully operational when the complete Web filtering database is downloaded from FortiGuard.
- Using the CLI, modify the Web filtering database polling interval. In this example, FortiManager checks for database updates every 20 minutes.
config fmupdate web-spam poll-frequency
set time 0:20
end
- Enable FortiManager to connect to the FortiGuard FDS network through a Web Proxy (in this example 10.10.10.10:8080).
Configuration before v7.4.0:
config fmupdate av-ips web-proxy
set ip 10.10.10.10
set port 8080
set status enable
end
config fmupdate web-spam web-proxy
set ip 10.10.10.10
set port 8080
set status enable
end
It is important to set the Web Proxy IP and port on both the av-ips and the web-spam service settings.
Configuration after v7.4.0:
config system web-proxy
set status enable
set mode proxy
set address 10.10.10.10
set port 8080
end
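As an added example (not part of this article and not a Fortinet tool), the following Python script parses a FortiManager CLI export written in the same config/edit/set/next/end shape as the snippets above and flags the two Step 1 settings that are easy to get wrong in a pre-7.4.0 setup: a Web Proxy that is not defined identically on av-ips and web-spam, and no interface with webfilter-antispam service access. The sample export is constructed for the example.

```python
# Constructed sample export (not from any real device), in the same shape as the
# CLI snippets above. The web-spam proxy port deliberately disagrees with av-ips.
SAMPLE = """\
config fmupdate av-ips web-proxy
    set ip 10.10.10.10
    set port 8080
    set status enable
end
config fmupdate web-spam web-proxy
    set ip 10.10.10.10
    set port 3128
    set status enable
end
config system interface
    edit "port1"
        set serviceaccess webfilter-antispam fgtupdates
    next
end
"""

def parse_config(text):
    """Flatten Forti-style CLI text into {(config path, edit key): {setting: values}}."""
    sections, stack = {}, []
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word == "config":
            stack.append([rest, ""])        # enter a config table, no edit yet
        elif word == "edit":
            stack[-1][1] = rest.strip('"')  # enter a table entry
        elif word == "set":
            key, _, vals = rest.partition(" ")
            sections.setdefault(tuple(stack[-1]), {})[key] = vals.split()
        elif word == "next":
            stack[-1][1] = ""               # leave the table entry
        elif word == "end":
            stack.pop()
    return sections

def check_webfilter(cfg):
    """Return findings for the proxy and interface settings this article requires."""
    findings = []
    av = cfg.get(("fmupdate av-ips web-proxy", ""), {})
    ws = cfg.get(("fmupdate web-spam web-proxy", ""), {})
    for k in ("ip", "port", "status"):      # proxy must be identical on both services
        if av.get(k) != ws.get(k):
            findings.append(f"web-proxy {k} differs between av-ips and web-spam")
    if not any(path == "system interface" and "webfilter-antispam" in s.get("serviceaccess", [])
               for (path, _), s in cfg.items()):
        findings.append("no interface has serviceaccess webfilter-antispam")
    return findings
```

Run `check_webfilter(parse_config(SAMPLE))` to see the port mismatch reported; an empty list means both checks passed.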
Step 2. Configuration of the FortiGate:
On the FortiGate, define the FortiManager as the FDS server using the CLI:
config system central-management
set type fortimanager
set serial-number "fmg-serial-number"
set fmg "fmg-ip-address"
config server-list
edit 1
set server-type update rating <----- Enable update and rating requests (*).
set server-address fmg-ip-address
next
end
set include-default-servers disable <----- Enable or disable as needed.
end
(*) More information about the server-type:
update: Antivirus, IPS, and AV-query update server.
rating: Web filter and anti-spam rating server.
Diagram:
FortiGate --- FortiManager --- HTTP PROXY --- INTERNET.
Verification of configuration and troubleshooting:
Use this command in FortiManager to check correct communication:
diagnose fmupdate view-linkd-log fds
diagnose fmupdate view-linkd-log fgd
Use CTRL-C to stop the output and exit the command.
Use this command in FortiManager to check the correct FortiGate license information:
diagnose fmupdate dbcontract <FGT_SN>
Use these commands in FortiManager to restart the services:
diagnose fmupdate service-restart fds
diagnose fmupdate service-restart fgd
Use these commands in FortiManager to force the service update:
diagnose fmupdate updatenow fds
diagnose fmupdate updatenow fgd
If the current server is not reachable, the command forces the check against the next server in the list.
Use these commands in FortiManager to see the list of available servers:
diagnose fmupdate view-serverlist fds
diagnose fmupdate view-serverlist fgd
An asterisk (*) next to the index ID marks the server currently in use.
If the Web filtering database is corrupted, it can be deleted. It will be downloaded again, but the service will be disrupted in the meantime:
diagnose fmupdate fgd-del-db wf
Before deleting the database:
- Disable the WF/AS client service on the FortiManager interface(s).
- Stop the WF/AS server service in the GUI using System Settings -> FortiGuard Center.
On the FortiGate, it is possible to clear the Web filtering cache and restart the urlfilter daemon:
diagnose test application urlfilter 2 <----- Clear.
diagnose test application urlfilter 99 <----- Restart.