|
Consider this scenario:
- A WAN interface has 2 IP addresses, where the primary one has no internet connection access or is not intended to be used for global access.
- The secondary IP address is intended to have global internet access or to be used for FortiGuard communication.
config system interface
edit "wan"
set vdom "root"
set ip 145.x.x.x 255.255.255.252
set allowaccess ping https http fgfm
set type physical
set role wan
set snmp-index 1
set secondary-IP enable
config secondaryip
edit 1
set ip 31.x.x.x 255.255.255.248
set allowaccess ping https
next
end
next
In order to communicate with global FortiGuard, it is necessary to have internet access and a DNS system.
These commands can be performed as initial checkups if both are properly configured.
execute ping service.fortiguard.net
execute ping update.fortiguard.net
execute ping guard.fortinet.net
execute ping securewf.fortiguard.net [ for HTTPS service ]
execute ping usservice.fortiguard.net <----- UDP and USA-based-only servers.
execute ping ussecurewf.fortiguard.net <----- HTTPS and USA-based-only servers.
execute ping euservice.fortiguard.net <----- UDP and European-based-only servers.
execute ping eusecurewf.fortiguard.net <----- HTTPS and European-based-only servers.
config system fortiguard <-- Leave the rest of the config as default.
set interface-select-method specify
set interface wan
set source-ip 31.x.x.x
config system DNS
set primary 8.8.8.8
set secondary 96.45.46.46
set interface-select-method specify
set interface wan
set source-ip 31.x.x.x
After both config setups, the issue with FortiGuard communication should be resolved.
To verify the configuration, use the following commands:
diagnose debug application update -1
Related documents:
Use anycast to communicate with FortiGuard servers
FortiGuard
|
