Description
This article describes how to use FortiManager as local FDS and the configuration needed on FortiGate.
Solution
1) After enabling service access for 'FortiGate Updates' and 'Web Filtering' on the FortiManager interface, there is an option to 'Bind to IP Address'.
2) If 'Bind to IP Address' is left at 0.0.0.0/0.0.0.0 (the default value), the interface IP is used (10.47.19.244 in the screenshot above).
3) With the default bind address, FortiManager accepts port 8890 for package updates and port 53/8888 for web filtering.
4) In this case, FortiGate needs to set the update port to 8890 (default 8890) and the FortiGuard port to 53/8888 (default is HTTPS 443).
Package updates:
FGT # config system central-management
FGT (central-management) # config server-list
FGT (server-list) # edit 1
FGT (1) # set server-type update rating
FGT (1) # set addr-type ipv4
FGT (1) # set server-address 10.47.19.244
FGT (1) # end
FGT (central-management) # set fmg-update-port 8890
FGT (central-management) # end
Web Filtering:
FGT # config system fortiguard
FGT (fortiguard) # set fortiguard-anycast disable
FGT (fortiguard) # set protocol udp
FGT (fortiguard) # set port 8888
FGT (fortiguard) # end
5) When an IP address is configured in 'Bind to IP Address', FortiManager uses TCP port 443 instead.
6) Note that the bind IP must be on the same subnet as the interface IP, and the bind IP cannot be the same for 'FortiGate Updates' and 'Web Filtering'.
7) In this case, FortiGate needs to set the update port to 443 and the FortiGuard port to 443.
Package updates:
FGT # config system central-management
FGT (central-management) # config server-list
FGT (server-list) # edit 1
FGT (1) # set server-type update
FGT (1) # set addr-type ipv4
FGT (1) # set server-address 10.47.19.245
FGT (1) # next
FGT (server-list) # edit 2
FGT (2) # set server-type rating
FGT (2) # set addr-type ipv4
FGT (2) # set server-address 10.47.19.246
FGT (2) # next
FGT (server-list) # end
FGT (central-management) # set fmg-update-port 443
FGT (central-management) # end
Web Filtering:
FGT # config system fortiguard
FGT (fortiguard) # set protocol https
FGT (fortiguard) # set port 443
FGT (fortiguard) # end
8) Update debug can be run on FortiGate to verify the connecting IP and port number.
FGT # diag debug app update -1 <----- Debug messages will be on for 30 minutes.
FGT # diag debug enable
FGT # execute update-now
upd_comm_connect_fds[458]-Trying FMG 10.47.19.245:443
… … … … …
upd_install_pkg[1306]-MADB001 is up-to-date
upd_install_pkg[1306]-AFDB001 is up-to-date
upd_status_save_status[130]-try to save on status file
upd_status_save_status[196]-Wrote status file
__upd_act_update[325]-Package installed successfully
upd_comm_disconnect_fds[499]-Disconnecting FMG 10.47.19.245:443
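As an added example (not part of the original article or of any Fortinet tool), the following Python derives the FortiManager IP and port a FortiGate must be pointed at under the two modes described in steps 2-7, enforces the bind-IP caveats from step 6, and checks a 'diag debug app update' capture for the 'Trying FMG' and 'Package installed successfully' lines from step 8. The interface prefix length and the sample debug text are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of 'diag debug app update -1' output, modelled on the
# lines shown in the article (not a real capture).
SAMPLE_DEBUG = """\
upd_comm_connect_fds[458]-Trying FMG 10.47.19.245:443
upd_install_pkg[1306]-MADB001 is up-to-date
__upd_act_update[325]-Package installed successfully
upd_comm_disconnect_fds[499]-Disconnecting FMG 10.47.19.245:443
"""

def expected_fds_targets(interface, update_bind="0.0.0.0", rating_bind="0.0.0.0"):
    """Map each FortiGate service ('update', 'rating') to the (ip, port) it
    must use. Default bind address: FortiManager interface IP, port 8890 for
    updates and 8888 for web filtering (UDP; 53 is also accepted). Bound
    address: the bound IP on TCP 443. The prefix length (e.g. '/24') is an
    assumption needed for the same-subnet check."""
    iface = ipaddress.ip_interface(interface)
    if update_bind != "0.0.0.0" and update_bind == rating_bind:
        raise ValueError("'FortiGate Updates' and 'Web Filtering' cannot bind to the same IP")
    targets = {}
    for service, bind, default_port in (("update", update_bind, 8890),
                                        ("rating", rating_bind, 8888)):
        if bind == "0.0.0.0":
            targets[service] = (str(iface.ip), default_port)
            continue
        bound = ipaddress.ip_address(bind)
        if bound not in iface.network:
            raise ValueError(f"bind IP {bind} is not on subnet {iface.network}")
        targets[service] = (str(bound), 443)
    return targets

CONNECT_RE = re.compile(r"Trying FMG (\d+\.\d+\.\d+\.\d+):(\d+)")

def verify_update_debug(debug_output, expected):
    """Check that the FortiGate connected to the expected update server and
    that the package install completed. Returns (ok, detail)."""
    m = CONNECT_RE.search(debug_output)
    if not m:
        return False, "no 'Trying FMG' line found; check fmg-update-port and server-list"
    actual = (m.group(1), int(m.group(2)))
    if actual != expected:
        return False, f"connected to {actual[0]}:{actual[1]}, expected {expected[0]}:{expected[1]}"
    if "Package installed successfully" not in debug_output:
        return False, "connected but no 'Package installed successfully' message"
    return True, f"update via {actual[0]}:{actual[1]} succeeded"
```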
Copyright 2024 Fortinet, Inc. All Rights Reserved.