Description
This article describes how to configure the FortiManager to act as a local FortiGuard server for the FortiGates.
Scope
FortiGates are getting the updates for FortiGuard packages from the FortiManager that is acting as a local FortiGuard server.
Secondary FortiManager that does not have internet connectivity configuration to connect to a FortiManager acting as a local FDN server.
Solution
The FortiGuard Distribution Network (FDN) provides FortiGuard services for the FortiManager system and its managed units and FortiClient agents.
The FDN is a world-wide network of FortiGuard Distribution Servers (FDS), which update the FortiGuard services on the FortiManager system on a regular basis so that the FortiManager system is protected against the latest threats and can provide those updates to its local FDS service in a proxy manner.
The FortiGuard services available on the FortiManager system include:
- Antivirus and IPS engines and signatures.
- Web filtering and email filtering rating databases and lookups.
- Vulnerability scan and management support for FortiAnalyzer.
FortiManager configuration.
FortiManager systems acting as a local FDS synchronize their FortiGuard service update packages with the FDN, then provide FortiGuard these updates and look up replies to the private network’s FortiGates.
The local FDS provides a faster connection, reducing Internet connection load and the time required to apply frequent updates, such as antivirus signatures, to many devices. Enable the built-in FDS:
Enable push updates for urgent updates or critical Fortiguard AV/IPS signatures.
If web proxy, it must be configured as shown in the above screenshot.
Also on System Settings -> Network, verify that service access for FortiGate Updates (FDS) or Web Filtering (FGD) are enabled on FortiManager management interface.
The IP address that has to be configured needs to be on the same subnet.
These IP addresses should be used in the FortiGate side override server configuration.
Configuration on FortiGate.
Configuration from FortiGate CLI:
# config system central-managemen
set type fortimanager
set fmg “10.5.53.201"
# config server-lis
edit 1
set server-type update rating
set server-address 10.5.53.201
end
set fmg-update-port 443
set include-default-servers enable
end
When fmg-update-port is set to 443, the update process will use port 443 to connect to the override update server, which is the local FortiGuard server in the FortiManager.
If this is not set, the update process will use port 8890, and the server address setting has to be the FortiManager access IP address.
Override FortiGuard services come from the server list that is the local FortiGuard server in the FortiManager, and use the traditional, non-OCSP TLS handshake.
If override servers in the FortiManager are not available, the default FortiGuard servers are connected, and the anycast OCSP TLS handshake is used.
Configure a FortiManager without Internet connectivity to access a secondary local FortiManager as FDS/.
To use a second FortiManager as the FDS see the below screenshot and configure the secondary FortiManager FDN server IP address where FMG_IP_AS_FDS and if required enable Server Override Address for FortiClient:
Operating FortiManager as a FDS in a closed network.
The FortiManager can be operated as a local FDS server when it is in a closed network with no internet connectivity.
Without a connection to a FortiGuard server, update packages and licenses must be manually downloaded from support, and then uploaded to the FortiManager.
FortiManager configuration in the GUI under FortiGuard -> Settings looks like that:
Upload Options for FortiGate/FortiMail manually.
Packages and Database: it is possible to upload AV/IPS packages, web filter databases, and email filter databases that are already downloaded from the Customer Service & Support portal on your management computer.
Service License: Select to import the FortiGate or FortiSOAR license. Browse for the file on the management computer, or drag and drop the file onto the dialog box.
A license file can be obtained from Customer Service support by requesting the account entitlement for the device(s).
Upload packages via CLI commands:
1) Disable communications with the FortiGuard server and enable a closed network with the following CLI commands:
# config fmupdate publicnetwor
set status disable
end
2) Upload an update package or license:
- Load the package or license file to an FTP, SCP, or TFTP server.
- Run the following CLI command:
# execute fmupdate {ftp | scp | tftp} import <av-ips | fct-av | url | spam | file-query | license-fgt | license-fct | custom-url | domp> <remote_file> <ip> <port> <remote_path> <user> <password
Troubleshooting tips for FortiManager connectivity with FortiGuard and with FortiGate.
Here add troubleshooting commands.
Check if connected to FDS server:
IMA02LX075 # diag fmupdate view-serverlist fds
Fortiguard Server Comm : Enabled
Server Override Mode : Loose
FDS server list :
Index Address Port TimeZone Distance Source
------------------------------------------------------------------------------------------------------
*0 149.5.232.66 443 1 0 FDNI
1 208.184.237.67 443 0 1 FDNI
2 173.243.138.69 443 0 1 FDNI
3 209.222.136.6 443 -5 6 FDNI
4 12.34.97.16 443 -5 6 FDNI
5 208.184.237.68 443 9 8 FDNI
6 173.243.138.67 443 9 8 FDNI
7 208.184.237.66 443 -8 9 FDNI
8 173.243.138.66 443 -8 9 FDNI
9 fds1.fortinet.com 443 1 0 DEFAULT
Get the debug from fds server:
IMA02LX075 # diag debug application fdssvrd 255
IMA02LX075 # di de en
IMA02LX075 # <----- worker process exit.
------ fdssvrd exit ------
Fail to create https service socket <----- Worker process started.
Reload config ...
Server from FDNI: 12.34.97.16
Server from FDNI: 149.5.232.66
Server from FDNI: 173.243.138.66
Server from FDNI: 173.243.138.67
Server from FDNI: 173.243.138.69
Server from FDNI: 208.184.237.66
Server from FDNI: 208.184.237.67
Server from FDNI: 208.184.237.68
Server from FDNI: 209.222.136.6
Server from FDNI: 173.243.138.108
Server from FDNI: 173.243.138.98
Server from FDNI: 173.243.138.99
Server from FDNI: 208.184.237.75
…
…
[FMG-->FDS] Request: Protocol=3.0|Command=Poll|Firmware=FMG-VM64-FW-7.00-0180|SerialNumber=FMG-VM0A13000127|Persistent=false|AcceptDelta=0|DataItem=00000000FCNI00000-00000.00000-0000000000*00000000FDNI00000-00000.00000-0000000000
FCP_CONN:: receiving package: num_objects=3 total_size=1480
FCP_CONN:: received object: id=00000000FCPR00000 ver=00000.00000-2202091104 size=176
[FDS-->FMG] Response: Protocol=3.0|Response=200|Firmware=FPT033-FW-6.8-0169|SerialNumber=FPT-FDS-DELL0407|Server=FDSG|Persistent=false|ResponseItem=00000000FCNI00000:200*00000000FDNI00000:200
FCP_CONN:: received object: id=00000000FCNI00000 ver=00000.00000-2001201850 size=88
FCP_CONN:: received object: id=00000000FDNI00000 ver=00000.00000-2112210241 size=832
TLSv1.2 write warning alert: close notify
Check update with fds 149.5.232.66 SUCCESS
Check ping to fds1.fortinet.com:443
Restart the FDS services:
IMA02LX075 # diag fmupdate service-restart fds
If there are still some issues, attach all the output of the previous commands and also attach the config backup of the FortiManager and the exe tac report CLI output and send all of them to the Fortinet TAC support by opening a ticket.
Related KB articles.
Technical Tip: Verifying FortiGuard connectivity on FortiManager
