FortiManager
mdeparisse_FTNT
Article Id 195307

Description

 
This article describes the configuration changes needed on the FortiManager and EMS side to allow FortiClients to use FortiManager as a local FortiGuard update and rating server.

FortiClient connects to FortiGuard to download several update packages. FortiManager can act as a local FortiGuard server instead, which saves WAN bandwidth, shortens update delivery time and gives extra flexibility over which versions are served.

This article shows how to configure FortiManager to provide the update packages.
 
Scope
 
FortiManager.

Solution
 
Configure the EMS server to provide the FortiClients with the FortiManager IP address and port to use:
 
 
Configure the EMS server to connect to the FortiManager IP address to download FortiGuard updates (untick 'Enable SSL' to connect to port 80):
 
 
Register the FortiClient again so that it downloads the updated profile, or wait for the profile timer to deliver the new profile settings to the clients.
 
 
On the FortiManager, configure the FortiGuard server as below:
 
config system interface
    edit "port1"
        set allowaccess http https ssh                     <----- Need HTTP.
        set serviceaccess fclupdates webfilter-antispam
end
 
config fmupdate fds-setting
    set system-support-fct 5.6 6.0         <----- Need to set the client versions planned to be used (*).
end

config fmupdate service
    set avips enable
    set query-antivirus enable
    set query-webfilter enable
end
 
config fmupdate fct-services
    set status enable
    set port <port_number>
end
 
(*) Note:
Before v6.0, it is necessary to use the below command:
 
config fmupdate device-version
    set fct 5.0 6.0
end
 
Option: configuration of port 80 (the default port for FortiClient updates).
 
config fmupdate fct-services
    set port 80
end
 
Then, check the presence of the FortiClient packages:
 
diag fmupdate fds-getobject
 
Look at the below line:

FortiClient object version information.
ObjectId                Description             Version         Size    Created Date Time.

Or, in the FortiManager GUI, check the FortiGuard Receive Status page (untick 'Show used Object Only'):
 
 
 
Check that the FortiGuard update service is running on the correct port on the FortiManager.
 
diagnose fmnetwork netstat list
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN
 
On the FortiClient, force a FortiGuard update from an administrator command prompt:

Open the command prompt as administrator and navigate to the FortiClient folder (usually C:\Program Files\Fortinet\FortiClient):
 
# update_task -s fd_01
# update_task -d fd_01
 
This way, the update task uses the server IPs stored in the registry.
Check the output. If the IP is not the expected one, test connectivity by adding the FortiManager IP at the end of these commands; comparing the two runs shows whether the issue lies in the client configuration (the profile does not point at FortiManager) or in the FortiClient <-> FortiManager connection.
 
C:\Program Files\Fortinet\FortiClient>update_task.exe -s 10.5.51.212
update_task.exe
Software update status = -1
Initializing... serial: FCT8001922******
attempt 1 of 3
Serial number: FCT8001922******
10.5.51.212
Server priority =
10.5.51.212:80
try to connect to server 10.5.51.212:80
Connect to server 10.5.51.212:80 SUCCESS
No new vul stat info to send
Server using FCP ver 4.0 support FCT resume
Data items: 00000000FSCIQ0000000000000000000000000FDNI0000000000000000000000*060000000FVE02800-0.0-99999*06000000FVEN0300-2.28-99999*06000000FVDB01600-1.189-999*06000000FCBN00000000009999999999
Update process received object(1 of 4): FCPR00000, ver:0000000000000000000000 Update process received object(2 of 4): FDNIGUU00, ver:0000000000000000000000  Now move object FDNI from obj_1_a03484_unpacked to C:\Program Files\Fortinet\FortiClient\vir_sig fdni.conf
Update process received object(3 of 4): FSC00000, ver:0000000000000000000000 Update process received object(4 of 4): FUDB01600, ver: 01190190299211300016
Now move object FVDB from obj_3_a03484_unpacked to C:\Program Files\Fortinet\FortiClient\vir_sig\vcm.dat
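As an added example (not part of the original article), a small Python helper that applies the comparison described above: it parses two captured update_task.exe outputs, one run with the registry server list and one pointed at the FortiManager IP, and classifies the result as a client configuration, connectivity or server-side problem. The sample outputs are constructed in the format shown above, and the FAILED wording for an unsuccessful connect is an assumption.

```python
import re

# Regexes for the update_task.exe / FcmUpdateDaemon.exe output format shown in the article
PRIORITY_RE = re.compile(r"^(?:\d+\)\s*)?(\d{1,3}(?:\.\d{1,3}){3}:\d+)$")
CONNECT_RE = re.compile(r"Connect to server (\S+) (\w+)")
OBJECT_RE = re.compile(r"received object\((\d+) of (\d+)\)")

def parse_update_task(output):
    """Return the server priority list, the first server that reported
    SUCCESS (empty string if none) and the objects received / expected."""
    run = {"servers": [], "connected": "", "received": 0, "total": 0}
    in_priority = False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Server priority"):
            in_priority = True
            continue
        m = PRIORITY_RE.match(line) if in_priority else None
        if m:
            run["servers"].append(m.group(1))
            continue
        in_priority = False            # first non-server line ends the priority list
        m = CONNECT_RE.search(line)
        if m and m.group(2) == "SUCCESS" and not run["connected"]:
            run["connected"] = m.group(1)
    hits = OBJECT_RE.findall(output)   # several objects can be reported on one line
    run["received"] = len(hits)
    run["total"] = max((int(t) for _, t in hits), default=0)
    return run

def verdict(registry_out, explicit_out, fmg_ip):
    """Compare the run that used the registry server list with the run that
    was pointed at the FortiManager explicitly, as the article suggests."""
    reg, exp = parse_update_task(registry_out), parse_update_task(explicit_out)
    listed = any(s.split(":")[0] == fmg_ip for s in reg["servers"])
    connected_fmg = reg["connected"].split(":")[0] == fmg_ip
    if connected_fmg:
        return "ok"
    if not listed and exp["connected"]:
        return "client-config"   # profile not applied: FortiManager absent from registry list
    if listed:
        return "connectivity"    # profile is right but the client cannot reach the FortiManager
    return "server-side"         # explicit run failed too: check fct-services port / allowaccess

# Constructed sample outputs in the format shown above (not real captures);
# 192.0.2.10 is a placeholder for a server other than the FortiManager.
REGISTRY_RUN = "Server priority =\n192.0.2.10:80\ntry to connect to server 192.0.2.10:80\nConnect to server 192.0.2.10:80 FAILED\n"
EXPLICIT_RUN = ("Server priority =\n10.5.51.212:80\nConnect to server 10.5.51.212:80 SUCCESS\n"
                "Update process received object(1 of 2): FCPR00000, ver:0 "
                "Update process received object(2 of 2): FDNIGUU00, ver:0\n")
```

Calling verdict(REGISTRY_RUN, EXPLICIT_RUN, "10.5.51.212") on the samples returns "client-config", the case where the profile has not reached the client yet.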
 
On the FortiClient EMS server, it is also possible to force a FortiGuard update from an administrator command prompt:
 
C:\Program Files (x86)\Fortinet\FortiClientEMS>FcmUpdateDaemon.exe -e
Initializing...
serial: FCTEMS0000xxxxxx
Serial number: FCTEMS0000xxxxxx
Server is 10.5.53.228
A custom server is being used

10.5.53.228
Server priority =
1) 10.5.53.228:80
2) 10.5.53.228:8000
Try to connect to server 10.5.53.228:80
Connect to server 10.5.53.228:80 SUCCESS
Server using FCP ver 4.0 support FCT resume
data_items: 01000000FSCI00100000000000000000
 
It is also possible to run an application debug on the FortiManager during the update operation:
 
diagnose debug application fgdupd 255
diagnose de en
If needed, run a sniffer to see the update traffic:
 
FMG-VM64-KVM # diag sniffer packet any "port 80" 3 0 a
interfaces=[any]
filters=[port 80]

 

Related Article:

Technical Note: How to validate the connection status from FortiManager to FortiGuard services