FortiManager
kbountouris
Staff

Description

 

This article describes how to configure the FortiManager to act as a local FortiGuard server for the FortiGates.

 

Scope

 

FortiGates get their FortiGuard package updates from a FortiManager that acts as a local FortiGuard server.

Configuring a secondary FortiManager that has no Internet connectivity to pull its updates from a FortiManager acting as a local FDN server.

 

Solution

 

The FortiGuard Distribution Network (FDN) provides FortiGuard services for the FortiManager system and its managed units and FortiClient agents.

The FDN is a world-wide network of FortiGuard Distribution Servers (FDS) that regularly update the FortiGuard services on the FortiManager system, so that the FortiManager system is protected against the latest threats and can proxy those updates to its managed devices through its own local FDS service.

 

The FortiGuard services available on the FortiManager system include:

 

- Antivirus and IPS engines and signatures.

- Web filtering and email filtering rating databases and lookups.

- Vulnerability scan and management support for FortiAnalyzer.

 

FortiManager configuration.

 

FortiManager systems acting as a local FDS synchronize their FortiGuard service update packages with the FDN, then serve those updates and lookup replies to the FortiGates on the private network.

The local FDS provides a faster connection, reducing Internet connection load and the time required to apply frequent updates, such as antivirus signatures, to many devices. Enable the built-in FDS:

 

[Screenshot: FortiGuard -> Settings, with the built-in FDS enabled, push updates and the web proxy settings]

 

Enable push updates so that urgent updates and critical FortiGuard AV/IPS signatures are pushed to the managed devices as soon as they arrive.

If the FortiManager reaches the Internet through a web proxy, configure the proxy as shown in the screenshot above.

 

Also, under System Settings -> Network, verify that service access for FortiGate Updates (FDS) and Web Filtering (FGD) is enabled on the FortiManager management interface.

The IP address configured there must be on the same subnet, and it is the address the FortiGates use as their override server.

Use these IP addresses in the override server configuration on the FortiGate side.

 

[Screenshot: System Settings -> Network, service access for FortiGate Updates (FDS) and Web Filtering (FGD) on the management interface]

 

Configuration on FortiGate.

 

[Screenshot: FortiGate GUI, FortiGuard override server configuration pointing at the FortiManager]

 

Configuration from FortiGate CLI:

 

# config system central-management
    set type fortimanager
    set fmg "10.5.53.201"
    config server-list
        edit 1
            set server-type update rating
            set server-address 10.5.53.201
        next
    end
    set fmg-update-port 443
    set include-default-servers enable
end

 

When fmg-update-port is set to 443, the update process connects on port 443 to the override update server, that is, the local FortiGuard server on the FortiManager.

If fmg-update-port is not set, the update process uses port 8890, and server-address must then be the FortiManager access IP address.

Override FortiGuard services come from the server list, which points to the local FortiGuard server on the FortiManager, and use the traditional (non-OCSP) TLS handshake.

If the override servers on the FortiManager are not available, the default FortiGuard servers are contacted instead, and the anycast OCSP TLS handshake is used.
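To verify that a whole fleet of FortiGates really points at the local FDS, the rules above (override servers taken from server-list, port 443 only when fmg-update-port is set and 8890 otherwise, public FortiGuard kept as fallback when include-default-servers is enabled) can be applied to exported configurations. The script below is an added example written for this article, not FortiOS or FortiManager code; it understands only the config/edit/set/next/end subset of FortiOS syntax seen above, and the two embedded configurations (the article's own, plus a deliberately wrong variant with a mismatched server-address and no fmg-update-port) are constructed samples.

```python
"""
Audit an exported FortiGate 'config system central-management' block and
derive the FortiGuard endpoints it will actually use, following the rules in
this article: override servers are the server-list entries whose server-type
includes 'update' and/or 'rating'; they are reached on fmg-update-port when it
is set to 443, otherwise on the default 8890; with include-default-servers
enabled the public FortiGuard servers remain a fallback.

Added example, not FortiOS or FortiManager code.
"""
import shlex

DEFAULT_FMG_UPDATE_PORT = 8890   # used when fmg-update-port is not set

# Constructed sample: the FortiGate CLI configuration shown in the article.
SAMPLE_CONFIG = """\
config system central-management
    set type fortimanager
    set fmg "10.5.53.201"
    config server-list
        edit 1
            set server-type update rating
            set server-address 10.5.53.201
        next
    end
    set fmg-update-port 443
    set include-default-servers enable
end
"""

# Constructed counter-example: the override entry points at the wrong host
# and fmg-update-port was never set.
BAD_CONFIG = """\
config system central-management
    set type fortimanager
    set fmg "10.5.53.201"
    config server-list
        edit 1
            set server-type update
            set server-address 10.5.53.202
        next
    end
end
"""


def parse_fortios(text):
    """Turn nested config/edit/set/next/end blocks into nested dicts.

    'set' values are kept as lists because some options, such as
    server-type, take several values on one line ('update rating').
    """
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        words = shlex.split(raw)          # also strips the quotes around "10.5.53.201"
        if not words or words[0].startswith("#"):
            continue
        kw, args = words[0], words[1:]
        if kw in ("config", "edit"):
            child = {}
            stack[-1][" ".join(args)] = child
            stack.append(child)
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


def effective_update_servers(config):
    """Override servers as (address, port, roles), the update port and the fallback flag."""
    cm = config["system central-management"]
    port = int(cm.get("fmg-update-port", [DEFAULT_FMG_UPDATE_PORT])[0])
    overrides = []
    for entry in cm.get("server-list", {}).values():
        roles = set(entry.get("server-type", []))
        if roles & {"update", "rating"}:
            overrides.append((entry["server-address"][0], port, sorted(roles)))
    fallback = cm.get("include-default-servers", ["disable"])[0] == "enable"
    return {"overrides": overrides, "port": port, "default_fallback": fallback}


def audit(config, fmg_ip):
    """Return findings; an empty list means the FortiGate uses fmg_ip as its local FDS."""
    cm = config["system central-management"]
    findings = []
    if cm.get("type", [""])[0] != "fortimanager":
        findings.append("type is not fortimanager")
    if cm.get("fmg", [""])[0] != fmg_ip:
        findings.append(f"fmg is not the expected FortiManager {fmg_ip}")
    eff = effective_update_servers(config)
    if not eff["overrides"]:
        findings.append("no update/rating override server: public FortiGuard will be used")
    for addr, port, _roles in eff["overrides"]:
        if addr != fmg_ip:
            findings.append(f"override server {addr}:{port} is not the FortiManager {fmg_ip}")
    if eff["port"] == DEFAULT_FMG_UPDATE_PORT:
        findings.append("fmg-update-port not set: override servers are contacted on 8890")
    return findings


if __name__ == "__main__":
    for name, text in (("good", SAMPLE_CONFIG), ("bad", BAD_CONFIG)):
        cfg = parse_fortios(text)
        print(name, effective_update_servers(cfg), audit(cfg, "10.5.53.201"))
```

Point parse_fortios at the central-management section of each backup (for example, extracted with show system central-management) and run audit with the FortiManager's FDS IP; the 8890 finding is informational, since that port works as long as server-address is the FortiManager access IP, but a mismatched override address means that FortiGate silently falls back to the public FortiGuard servers.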

 

Configure a FortiManager without Internet connectivity to use a secondary local FortiManager as its FDS.

 

To use a second FortiManager as the FDS, see the screenshot below: set the FDN server override address to the IP of the FortiManager that acts as FDS (shown as FMG_IP_AS_FDS) and, if required, enable the Server Override Address for FortiClient as well:

 

 

[Screenshot: FortiGuard settings of the secondary FortiManager, FDN server override address set to FMG_IP_AS_FDS]

 

 

Operating FortiManager as an FDS in a closed network.

 

The FortiManager can be operated as a local FDS server when it is in a closed network with no internet connectivity.

Without a connection to a FortiGuard server, update packages and licenses must be downloaded manually from the Customer Service & Support portal and then uploaded to the FortiManager.

 

The FortiManager configuration in the GUI under FortiGuard -> Settings then looks like this:

 

[Screenshot: FortiGuard -> Settings on a FortiManager operating in a closed network]

 

 

Manual upload options for FortiGate/FortiMail.

 

Packages and Database: upload AV/IPS packages, web filter databases, and email filter databases that were previously downloaded from the Customer Service & Support portal to the management computer.

 

Service License: select to import the FortiGate or FortiClient license (the license-fgt and license-fct options of the CLI import command below). Browse for the file on the management computer, or drag and drop the file onto the dialog box.

A license file can be obtained from Customer Service support by requesting the account entitlement for the device(s).

 

Upload packages via CLI commands:

 

1) Disable communications with the FortiGuard server and enable a closed network with the following CLI commands:

 

# config fmupdate publicnetwork

    set status disable

end

 

2) Upload an update package or license:

 

- Load the package or license file to an FTP, SCP, or TFTP server.

- Run the following CLI command:

 

# execute fmupdate {ftp | scp | tftp} import <av-ips | fct-av | url | spam | file-query | license-fgt | license-fct | custom-url | domp> <remote_file> <ip> <port> <remote_path> <user> <password>

 

Troubleshooting tips for FortiManager connectivity with FortiGuard and with FortiGate.

 


 

Check if connected to FDS server:

 

IMA02LX075 # diag fmupdate view-serverlist fds

Fortiguard Server Comm : Enabled

Server Override Mode   : Loose

FDS   server list      :

Index   Address                    Port            TimeZone        Distance        Source

------------------------------------------------------------------------------------------------------

*0      149.5.232.66               443             1               0               FDNI

 1      208.184.237.67             443             0               1               FDNI

 2      173.243.138.69             443             0               1               FDNI

 3      209.222.136.6              443             -5              6               FDNI

 4      12.34.97.16                443             -5              6               FDNI

 5      208.184.237.68             443             9               8               FDNI

 6      173.243.138.67             443             9               8               FDNI

 7      208.184.237.66             443             -8              9               FDNI

 8      173.243.138.66             443             -8              9               FDNI

 9      fds1.fortinet.com          443             1               0               DEFAULT

 

Collect debug output from the fdssvrd daemon (turn it off again with diag debug disable once the trace has been captured):

 

 

IMA02LX075 # diag debug application fdssvrd 255

IMA02LX075 # diag debug enable

 

IMA02LX075 # <----- worker process exit.

------ fdssvrd exit ------

Fail to create https service socket <----- Worker process started.

Reload config ...

Server from FDNI: 12.34.97.16

Server from FDNI: 149.5.232.66

Server from FDNI: 173.243.138.66

Server from FDNI: 173.243.138.67

Server from FDNI: 173.243.138.69

Server from FDNI: 208.184.237.66

Server from FDNI: 208.184.237.67

Server from FDNI: 208.184.237.68

Server from FDNI: 209.222.136.6

Server from FDNI: 173.243.138.108

Server from FDNI: 173.243.138.98

Server from FDNI: 173.243.138.99

Server from FDNI: 208.184.237.75

[FMG-->FDS] Request: Protocol=3.0|Command=Poll|Firmware=FMG-VM64-FW-7.00-0180|SerialNumber=FMG-VM0A13000127|Persistent=false|AcceptDelta=0|DataItem=00000000FCNI00000-00000.00000-0000000000*00000000FDNI00000-00000.00000-0000000000

 

FCP_CONN:: receiving package: num_objects=3 total_size=1480

FCP_CONN:: received object: id=00000000FCPR00000 ver=00000.00000-2202091104 size=176

[FDS-->FMG] Response: Protocol=3.0|Response=200|Firmware=FPT033-FW-6.8-0169|SerialNumber=FPT-FDS-DELL0407|Server=FDSG|Persistent=false|ResponseItem=00000000FCNI00000:200*00000000FDNI00000:200

 

FCP_CONN:: received object: id=00000000FCNI00000 ver=00000.00000-2001201850 size=88

FCP_CONN:: received object: id=00000000FDNI00000 ver=00000.00000-2112210241 size=832

TLSv1.2 write warning alert: close notify

 

Check update with fds 149.5.232.66 SUCCESS
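The two outputs above can be parsed so that this check is repeatable: the server list tells which FDS entry is active (the row marked *) and whether FortiGuard communication is enabled, and the fdssvrd trace shows the Poll request and the Response=200 per requested object. The script below is an added example, not Fortinet code; the field meanings are taken from the outputs shown on this page rather than from a protocol specification, and the embedded samples are trimmed copies of those outputs.

```python
"""
Parse the two outputs used to troubleshoot FortiManager-to-FDN connectivity:
the 'diag fmupdate view-serverlist fds' table and the '[FMG-->FDS] Request' /
'[FDS-->FMG] Response' lines that fdssvrd prints at debug level 255.

Added example, not Fortinet code; field meanings are read from the outputs
shown in the article, not from a protocol specification.
"""
import re

# Constructed samples, trimmed from the outputs shown in the article.
SERVERLIST_SAMPLE = """\
Fortiguard Server Comm : Enabled
Server Override Mode   : Loose
FDS   server list      :
Index   Address                    Port   TimeZone   Distance   Source
----------------------------------------------------------------------
*0      149.5.232.66               443    1          0          FDNI
 1      208.184.237.67             443    0          1          FDNI
 9      fds1.fortinet.com          443    1          0          DEFAULT
"""

DEBUG_SAMPLE = """\
Server from FDNI: 149.5.232.66
[FMG-->FDS] Request: Protocol=3.0|Command=Poll|Firmware=FMG-VM64-FW-7.00-0180|SerialNumber=FMG-VM0A13000127|Persistent=false|AcceptDelta=0|DataItem=00000000FCNI00000-00000.00000-0000000000*00000000FDNI00000-00000.00000-0000000000
FCP_CONN:: receiving package: num_objects=3 total_size=1480
[FDS-->FMG] Response: Protocol=3.0|Response=200|Firmware=FPT033-FW-6.8-0169|SerialNumber=FPT-FDS-DELL0407|Server=FDSG|Persistent=false|ResponseItem=00000000FCNI00000:200*00000000FDNI00000:200
TLSv1.2 write warning alert: close notify
Check update with fds 149.5.232.66 SUCCESS
"""

# One server row: optional '*' (active), index, address, port, timezone, distance, source.
ROW_RE = re.compile(r"^(\*?)\s*(\d+)\s+(\S+)\s+(\d+)\s+(-?\d+)\s+(\d+)\s+(\S+)\s*$")
HEADER_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(\S.*)$")
FCP_RE = re.compile(r"^\[(FMG-->FDS|FDS-->FMG)\] (Request|Response): (.*)$")


def parse_serverlist(text):
    """Return (header settings, server rows); the row flagged '*' is the active server."""
    state, servers = {}, []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            active, idx, addr, port, tz, dist, src = row.groups()
            servers.append({"index": int(idx), "address": addr, "port": int(port),
                            "timezone": int(tz), "distance": int(dist),
                            "source": src, "active": active == "*"})
            continue
        hdr = HEADER_RE.match(line)
        if hdr:
            state[hdr.group(1).strip()] = hdr.group(2).strip()
    return state, servers


def parse_fcp_exchange(text):
    """Return (request, response) as dicts of the pipe-separated key=value fields."""
    req = resp = None
    for line in text.splitlines():
        m = FCP_RE.match(line.strip())
        if not m:
            continue
        fields = dict(part.partition("=")[::2] for part in m.group(3).split("|"))
        if m.group(2) == "Request":
            req = fields
        else:
            resp = fields
    return req, resp


def object_status(req, resp):
    """Map each object id requested in DataItem to the status code in ResponseItem."""
    requested = [item.split("-", 1)[0] for item in req["DataItem"].split("*")]
    returned = dict(item.split(":", 1) for item in resp["ResponseItem"].split("*"))
    return {oid: int(returned.get(oid, 0)) for oid in requested}


def diagnose(serverlist_text, debug_text):
    """Summarise what the two outputs say and list anything that needs attention."""
    state, servers = parse_serverlist(serverlist_text)
    active = next((s for s in servers if s["active"]), None)
    req, resp = parse_fcp_exchange(debug_text)
    problems = []
    if state.get("Fortiguard Server Comm") != "Enabled":
        problems.append("FortiGuard server communication is disabled (closed network?)")
    if active is None:
        problems.append("no active (*) entry in the FDS server list")
    if req is None:
        problems.append("no [FMG-->FDS] request: fdssvrd never reached an FDS server")
    elif resp is None:
        problems.append("request sent but no [FDS-->FMG] response: check TCP 443 and any proxy")
    else:
        if resp.get("Response") != "200":
            problems.append(f"FDS answered Response={resp.get('Response')}")
        problems += [f"object {oid} returned status {code}"
                     for oid, code in object_status(req, resp).items() if code != 200]
    return {"active_server": active["address"] if active else None,
            "override_mode": state.get("Server Override Mode"),
            "fmg_serial": req["SerialNumber"] if req else None,
            "fds_serial": resp["SerialNumber"] if resp else None,
            "problems": problems}


if __name__ == "__main__":
    print(diagnose(SERVERLIST_SAMPLE, DEBUG_SAMPLE))
```

Paste the real outputs in place of the two samples; an empty problems list together with the "Check update with fds ... SUCCESS" line means the FortiManager reached the FDN, whereas a request with no response usually points at TCP 443 being blocked or the web proxy settings being wrong.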

 

Check that fds1.fortinet.com is reachable from the FortiManager (execute ping fds1.fortinet.com) and that TCP port 443 towards the FDS servers is not blocked by an upstream firewall or proxy.

 

Restart the FDS services:

 

IMA02LX075 # diag fmupdate service-restart fds

 

If the problem persists, collect the output of the commands above together with a configuration backup of the FortiManager and the output of execute tac report, and open a ticket with Fortinet TAC support with all of them attached.

 

Related KB articles.

Technical Tip: Verifying FortiGuard connectivity on FortiManager

Technical Note: Setting up FortiManager behind Web Proxy to act as standalone FortiGuard FDS server ...