Description
This article describes how to configure FortiManager to act as a local FortiGuard server for FortiGates.
Scope
FortiManager, FortiGate.
Solution
FortiGates receive the updates for FortiGuard packages from the FortiManager that is acting as a local FortiGuard server.
The secondary FortiManager does not have internet connectivity configured to connect to a FortiManager acting as a local FDN server.
The FortiGuard Distribution Network (FDN) provides FortiGuard services for the FortiManager system and its managed units and FortiClient agents.
The FDN is a worldwide network of FortiGuard Distribution Servers (FDS), which update the FortiGuard services on the FortiManager system on a regular basis so that the FortiManager system is protected against the latest threats and can provide those updates to its local FDS service in a proxy manner.
The FortiGuard services available on the FortiManager system include:
- Antivirus and IPS engines and signatures.
- Web filtering and email filtering rating databases and lookups.
- Vulnerability scan and management support for FortiAnalyzer.
FortiManager configuration.
The FortiManager system acts as a local FDS and synchronizes its FortiGuard service update packages with the FDN, then provides these FortiGuard updates and looks up replies to the private network’s FortiGates.
The local FDS provides a faster connection, reducing internet connection load and the time required to apply frequent updates, such as antivirus signatures, to many devices. Enable the built-in FDS:
Enable push updates for urgent updates or critical FortiGuard AV/IPS signatures.
If web-proxy is enabled, it must be configured as shown in the above screenshot.
Additionally, under System Settings -> Network, verify that service access for FortiGate Updates (FDS) or Web Filtering (FGD) is enabled on the FortiManager management interface.
The IP address that has to be configured needs to be on the same subnet.
These IP addresses should be used in the FortiGate side override server configuration.
Configuration on FortiGate.
Configuration from the FortiGate CLI:
config system central-management
set type fortimanager
set fmg "10.5.54.111"
config server-list
edit 1
set server-type update
set server-address 10.5.54.1
next
edit 2
set server-type rating
set server-address 10.5.54.2
next
end
set fmg-update-port 443
set include-default-servers enable
end
When fmg-update-port is set to 443, the update process will use port 443 to connect to the override update server, which is the local FortiGuard server in the FortiManager.
If this is not set, the update process will use port 8890, and the server address setting has to be the FortiManager access IP address.
Override FortiGuard services come from the server list that is the local FortiGuard server in the FortiManager, and use the traditional, non-OCSP TLS handshake.
If the override servers in the FortiManager are not available, the default FortiGuard servers are connected and the anycast OCSP TLS handshake is used.
Configure a FortiManager without Internet connectivity to access a secondary local FortiManager as FDS.
To use a second FortiManager as the FDS, refer to the screenshot below and configure the secondary FortiManager FDN server IP address with FMG_IP_AS_FDS. If required, enable Server Override Address for FortiClient:
Operating FortiManager as a FDS in a closed network.
The FortiManager can be operated as a local FDS server when it is in a closed network with no internet connectivity.
Without a connection to a FortiGuard server, update packages and licenses must be manually downloaded from support and then uploaded to the FortiManager.
The FortiManager configuration in the GUI under FortiGuard -> Settings looks like this:
Upload Options for FortiGate/FortiMail manually.
Packages and Database: It is possible to upload Antivirus/IPS packages, web filter databases, and email filter databases that are already downloaded from the Customer Service & Support portal on the management computer.
Service License: Choose to import the FortiGate or FortiSOAR license. Browse for the file on the management computer, or drag and drop the file into the dialog box.
A license file can be obtained from customer service support by requesting the account entitlement for the device(s).
Upload packages with CLI commands:
- Disable communications with the FortiGuard server and enable a closed network with the following CLI commands:
config fmupdate publicnetwork
set status disable
end
- Upload an update package or license:
- Load the package or license file to an FTP, SCP, or TFTP server.
- Run the following CLI command:
execute fmupdate {ftp | scp | tftp} import <av-ips | fct-av | url | spam | file-query | license-fgt | license-fct | custom-url | domp> <remote_file> <ip> <port> <remote_path> <user> <password
CLI Options:
Some of the services can be started only under the CLI. See the CLI reference for more details.
Troubleshooting tips for FortiManager connectivity with FortiGuard and with FortiGate.
Use the following commands to help with troubleshooting.
Check if the system is connected to the FDS server:
diag fmupdate view-serverlist fds
Fortiguard Server Comm : Enabled
Server Override Mode : Loose
FDS server list :
Index Address Port TimeZone Distance Source
------------------------------------------------------------------------------------------------------
*0 149.5.232.66 443 1 0 FDNI
1 208.184.237.67 443 0 1 FDNI
2 173.243.138.69 443 0 1 FDNI
3 209.222.136.6 443 -5 6 FDNI
4 12.34.97.16 443 -5 6 FDNI
5 208.184.237.68 443 9 8 FDNI
6 173.243.138.67 443 9 8 FDNI
7 208.184.237.66 443 -8 9 FDNI
8 173.243.138.66 443 -8 9 FDNI
9 fds1.fortinet.com 443 1 0 DEFAULT
Retrieve debug info from the FDS server:
diag debug application fdssvrd 255
di de en
IMA02LX075 # <----- Worker process exits.
------ fdssvrd exit ------
Fail to create https service socket <----- Worker process started.
Reload config ...
Server from FDNI: 12.34.97.16
Server from FDNI: 149.5.232.66
Server from FDNI: 173.243.138.66
Server from FDNI: 173.243.138.67
Server from FDNI: 173.243.138.69
Server from FDNI: 208.184.237.66
Server from FDNI: 208.184.237.67
Server from FDNI: 208.184.237.68
Server from FDNI: 209.222.136.6
Server from FDNI: 173.243.138.108
Server from FDNI: 173.243.138.98
Server from FDNI: 173.243.138.99
Server from FDNI: 208.184.237.75
…
…
[FMG-->FDS] Request: Protocol=3.0|Command=Poll|Firmware=FMG-VM64-FW-7.00-0180|SerialNumber=FMG-VM0A13000127|Persistent=false|AcceptDelta=0|DataItem=00000000FCNI00000-00000.00000-0000000000*00000000FDNI00000-00000.00000-0000000000
FCP_CONN:: receiving package: num_objects=3 total_size=1480
FCP_CONN:: received object: id=00000000FCPR00000 ver=00000.00000-2202091104 size=176
[FDS-->FMG] Response: Protocol=3.0|Response=200|Firmware=FPT033-FW-6.8-0169|SerialNumber=FPT-FDS-DELL0407|Server=FDSG|Persistent=false|ResponseItem=00000000FCNI00000:200*00000000FDNI00000:200
FCP_CONN:: received object: id=00000000FCNI00000 ver=00000.00000-2001201850 size=88
FCP_CONN:: received object: id=00000000FDNI00000 ver=00000.00000-2112210241 size=832
TLSv1.2 write warning alert: close notify
Check update with fds 149.5.232.66 SUCCESS
Check ping to fds1.fortinet.com:443
Restart the FDS services:
diag fmupdate service-restart fds
If the issues persist, send the following to Fortinet TAC support in a ticket:
- All of the output of the previous commands.
- The config backup of the FortiManager.
- The exe tac report CLI output.
FortiManager can also be configured as a local FDN Server for FortiProxy.
Related documents:
Technical Tip: Verifying FortiGuard connectivity on FortiManager
Technical Tip: Configuration to use FortiManager as local FDS server on FGT
