FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
Article Id 205003



This article describes how to configure FortiManager to act as a local FortiGuard server for FortiGates.




FortiManager, FortiGate.




FortiGates receive the updates for FortiGuard packages from the FortiManager that is acting as a local FortiGuard server.

The secondary FortiManager does not have internet connectivity configured to connect to a FortiManager acting as a local FDN server.


The FortiGuard Distribution Network (FDN) provides FortiGuard services for the FortiManager system and its managed units and FortiClient agents.


The FDN is a worldwide network of FortiGuard Distribution Servers (FDS), which update the FortiGuard services on the FortiManager system on a regular basis so that the FortiManager system is protected against the latest threats and can provide those updates to its local FDS service in a proxy manner.


The FortiGuard services available on the FortiManager system include:


  • Antivirus and IPS engines and signatures.
  • Web filtering and email filtering rating databases and lookups.
  • Vulnerability scan and management support for FortiAnalyzer.


FortiManager configuration.


The FortiManager system acts as a local FDS and synchronizes its FortiGuard service update packages with the FDN, then provides these FortiGuard updates and looks up replies to the private network’s FortiGates.


The local FDS provides a faster connection, reducing internet connection load and the time required to apply frequent updates, such as antivirus signatures, to many devices. Enable the built-in FDS:




Enable push updates for urgent updates or critical FortiGuard AV/IPS signatures.

If web-proxy is enabled, it must be configured as shown in the above screenshot.


Additionally, under System Settings -> Network, verify that service access for FortiGate Updates (FDS) or Web Filtering (FGD) is enabled on the FortiManager management interface.


The IP address that has to be configured needs to be on the same subnet.

These IP addresses should be used in the FortiGate side override server configuration.




Configuration on FortiGate.


2023-12-01 09_25_55-.png





Configuration from the FortiGate CLI:


config system central-management

    set type fortimanager

    set fmg ""

        config server-list

            edit 1

                set server-type update

                set server-address


            edit 2

                set server-type rating

                set server-address



            set fmg-update-port 443

            set include-default-servers enable



When fmg-update-port is set to 443, the update process will use port 443 to connect to the override update server, which is the local FortiGuard server in the FortiManager.


If this is not set, the update process will use port 8890, and the server address setting has to be the FortiManager access IP address.

Override FortiGuard services come from the server list that is the local FortiGuard server in the FortiManager, and use the traditional, non-OCSP TLS handshake.


If the override servers in the FortiManager are not available, the default FortiGuard servers are connected and the anycast OCSP TLS handshake is used.


Configure a FortiManager without Internet connectivity to access a secondary local FortiManager as FDS.


To use a second FortiManager as the FDS, refer to the screenshot below and configure the secondary FortiManager FDN server IP address with FMG_IP_AS_FDS. If required, enable Server Override Address for FortiClient:




Operating FortiManager as a FDS in a closed network.


The FortiManager can be operated as a local FDS server when it is in a closed network with no internet connectivity.

Without a connection to a FortiGuard server, update packages and licenses must be manually downloaded from support and then uploaded to the FortiManager.


The FortiManager configuration in the GUI under FortiGuard -> Settings looks like this:




Upload Options for FortiGate/FortiMail manually.


Packages and Database: It is possible to upload Antivirus/IPS packages, web filter databases, and email filter databases that are already downloaded from the Customer Service & Support portal on the management computer.


Service License: Choose to import the FortiGate or FortiSOAR license. Browse for the file on the management computer, or drag and drop the file into the dialog box.

A license file can be obtained from customer service support by requesting the account entitlement for the device(s).


Upload packages with CLI commands:


  1. Disable communications with the FortiGuard server and enable a closed network with the following CLI commands:


config fmupdate publicnetwork

    set status disable



  1. Upload an update package or license:
  • Load the package or license file to an FTP, SCP, or TFTP server.
  • Run the following CLI command:


execute fmupdate {ftp | scp | tftp} import <av-ips | fct-av | url | spam | file-query | license-fgt | license-fct | custom-url | domp> <remote_file> <ip> <port> <remote_path> <user> <password


CLI Options:


Some of the services can be started only under the CLI. See the CLI reference for more details.


Troubleshooting tips for FortiManager connectivity with FortiGuard and with FortiGate.


Use the following commands to help with troubleshooting.


Check if the system is connected to the FDS server:


diag fmupdate view-serverlist fds

Fortiguard Server Comm : Enabled

Server Override Mode   : Loose

FDS   server list      :

Index   Address                    Port            TimeZone        Distance        Source


*0               443             1               0               FDNI

 1             443             0               1               FDNI

 2             443             0               1               FDNI

 3              443             -5              6               FDNI

 4                443             -5              6               FDNI

 5             443             9               8               FDNI

 6             443             9               8               FDNI

 7             443             -8              9               FDNI

 8             443             -8              9               FDNI

 9          443             1               0               DEFAULT


Retrieve debug info from the FDS server:


diag debug application fdssvrd 255

di de en


IMA02LX075 # <----- Worker process exits.

------ fdssvrd exit ------

Fail to create https service socket <----- Worker process started.

Reload config ...

Server from FDNI:

Server from FDNI:

Server from FDNI:

Server from FDNI:

Server from FDNI:

Server from FDNI:

Server from FDNI:

Server from FDNI:

Server from FDNI:

Server from FDNI:

Server from FDNI:

Server from FDNI:

Server from FDNI:

[FMG-->FDS] Request: Protocol=3.0|Command=Poll|Firmware=FMG-VM64-FW-7.00-0180|SerialNumber=FMG-VM0A13000127|Persistent=false|AcceptDelta=0|DataItem=00000000FCNI00000-00000.00000-0000000000*00000000FDNI00000-00000.00000-0000000000


FCP_CONN:: receiving package: num_objects=3 total_size=1480

FCP_CONN:: received object: id=00000000FCPR00000 ver=00000.00000-2202091104 size=176

[FDS-->FMG] Response: Protocol=3.0|Response=200|Firmware=FPT033-FW-6.8-0169|SerialNumber=FPT-FDS-DELL0407|Server=FDSG|Persistent=false|ResponseItem=00000000FCNI00000:200*00000000FDNI00000:200


FCP_CONN:: received object: id=00000000FCNI00000 ver=00000.00000-2001201850 size=88

FCP_CONN:: received object: id=00000000FDNI00000 ver=00000.00000-2112210241 size=832

TLSv1.2 write warning alert: close notify


Check update with fds SUCCESS


Check ping to


Restart the FDS services:


diag fmupdate service-restart fds


If the issues persist, send the following to Fortinet TAC support in a ticket:


  • All of the output of the previous commands.
  • The config backup of the FortiManager.
  • The exe tac report CLI output.


FortiManager can also be configured as a local FDN Server for FortiProxy.


Related documents:

Technical Tip: Verifying FortiGuard connectivity on FortiManager

Technical Tip: Setting up FortiManager behind Web Proxy to act as standalone FortiGuard FDS server f...

Technical Tip: How to configure FortiAnalyzer/FortiManager to use FortiManager as an FortiGuard serv...

Technical Tip: Configuration to use FortiManager as local FDS server on FGT

DOCS: Fmupdate services

DOCS: Interface