FortiManager
akaratas
Staff
Article Id 346106
Description

This article describes how to optimize FortiManager as an override server for IoT query services to get better results for IoT device information and vulnerabilities.

Note:

FortiManager supports IoT queries on TCP port 443, so a bind IP has to be set and WebFilter services enabled.

Scope

FortiManager

Solution

To optimize IoT update queries from FortiGate to FortiManager, apply the following configuration.

On FortiGate:

config system central-management
    set type fortimanager
    set fmg "<FMG_WebFilter Service IP>"
    config server-list
        edit 1
            set server-type update rating iot-query iot-collect <----- Change to 'rating iot-query'.
            set server-address X.X.X.X <----- Must be the bind IP for the web filter service.
        next
    end
    set include-default-servers disable
end

On FortiManager:

config system interface
    edit "port1"
        set ip X.X.X.X 255.255.254.0
        set allowaccess ping https ssh snmp http webservice
        set serviceaccess fgtupdates fclupdates webfilter-antispam
        set rating-service-ip X.X.X.X 255.255.254.0
        set type physical
    next
end

config fmupdate service
    set query-iot enable
    set query-webfilter enable
end

config fmupdate web-spam fgd-setting
    set iot-log all
    set iotv-preload enable
end
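
An added example, not part of the original article and not Fortinet tooling: a Python check that parses the FortiGate "config system central-management" block from a saved configuration and reports deviations from the FortiGate settings above. The sample block, the 192.0.2.10 address and the function names are constructed for illustration, and the check accepts any server-type list that contains both rating and iot-query.

```python
# Constructed sample: the FortiGate block from this article with a
# documentation address (192.0.2.10) in place of the placeholders.
SAMPLE = '''
config system central-management
    set type fortimanager
    set fmg "192.0.2.10"
    config server-list
        edit 1
            set server-type rating iot-query
            set server-address 192.0.2.10
        next
    end
    set include-default-servers disable
end
'''

def parse(text):
    """Parse FortiOS-style config text into nested dicts of value lists."""
    stack = [{}]
    for raw in text.splitlines():
        # Whitespace split is enough here: none of the checked values contain spaces.
        tok = [t.strip('"') for t in raw.split()]
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            # "config <path>" and "edit <id>" both open a nested table.
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set" and len(tok) > 1:
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return stack[0]

def audit(text):
    """Return a list of deviations from the FortiGate settings in this article."""
    cm = parse(text).get("system central-management", {})
    issues = []
    if cm.get("type") != ["fortimanager"]:
        issues.append("type is not fortimanager")
    if cm.get("include-default-servers") != ["disable"]:
        issues.append("include-default-servers is not disabled")
    entries = cm.get("server-list", {}).values()
    if not any({"rating", "iot-query"} <= set(e.get("server-type", []))
               and e.get("server-address") for e in entries):
        issues.append("no server-list entry offers rating and iot-query")
    return issues

if __name__ == "__main__":
    print(audit(SAMPLE) or "matches the article's FortiGate settings")
```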

 

Related documents:

FortiManager as Override Server for IoT Query Services

Technical-Tip-Configuration-to-use-FortiManager-as-local-FDS