Description
This article describes the necessary configuration changes on FortiManager and EMS side to allow the FortiClients to use FortiManager as a local FortiGuard update and rating server.
FortiClient is connecting to FortiGuard for different update package. The FortiManager can act as a local FortiGuard Server and therefore save Wan bandwidth and time for the update to be delivered as well as extra flexibility.
This article shows how to configure the FortiManager to provide update Package.
Solution
Configure the EMS server to provide the FortiManager IP address and port to use to the FortiClient:
Configure the EMS server to connect to FortiManager IP address to download FortiGuard update: (untick ‘enable SSL’ to connect to port 80).
Register again the FortiClient so that it downloads the updated profile or wait for the profile timer to provide new profile settings to clients.
On the FortiManager, configure the FortiGuard server as below:
# config system interface
edit "port1"
set allowaccess http https ssh <----- Need HTTP.
set serviceaccess fclupdates webfilter-antispam
end
# config fmupdate fds-setting
set system-support-fct 5.6 6.0 <----- Need to set the client versions planned to be used (*).
end
# config fmupdate service
set avips enable
set query-antivirus enable
set query-webfilter enable
end
# config fmupdate fct-services
set status enable
set port <port_number>
end
(*) Note:
Prior to 6.0, it is necessary to use the below command:
#config fmupdate device-version
set fct 5.0 6.0
end
Option: configuration of port 80 (default backup port for FortiClient update).
# config fmupdate fct-services
set port 80
end
Then, check the presence of the FortiClient packages:
#diag fmupdate fds-getobject
Look at the below line:
FortiClient object version information.
ObjectId Description Version Size Created Date Time.
Or on the GUI of the FortiManager in the FortiGuard Receive status page (untick Show used Object Only):
Check that the FortiGuard update service is running on the correct port on the FortiManager.
# diagnose fmnetwork netstat list
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN
On the FortiClient force a FortiGuard Update on an Administrator DOS command page:
Run the command as administrator, and navigate to the FortiClient folder (usually C:\Program Files\Fortinet\FortiClient):
# update_task -s fd_01
# update_task -d fd_01
This way the update task is using the server IPs from the registry.
Check the output, and if the IP is not correct, test the connectivity by adding the FortiManager IP at the end of these commands, which helps to identify whether there is an issue in the client config or in the FortiClient <->FortiManager connection.
C:\Program Files\Fortinet PortiClient>update_task.exe -s 10.5.51.212
update_task.exe
Software update status = -1
Initializing... Terial: FCT8001922******
attempt 1 of 3
Serial number: FCT8001922******
10.5.51.212
Server priority =
10.5.51.212:80
try to connect to server 10.5.51.212:80
Connect to server 10.5.51.212:80 SUCCESS
No new vul stat info to send
Server using FCP ver 4.0 support FCT resume
Data items: 00000000FSCIQ0000000000000000000000000FDNI0000000000000000000000*060000000FVE02800-0.0-99999*06000000FVEN0300-2.28-99999*06000000FVDB01600-1.189-999*06000000FCBN00000000009999999999
Update process received object(1 of 4): FCPR00000, ver:0000000000000000000000 Update process received object(2 of 4): FDNIGUU00, ver:0000000000000000000000 Now move object FDNI from obj_1_a03484_unpacked to C:\Program Files\Fortinet\FortiClient\vir_sig fdni.conf
Update process received object(3 of 4): FSC00000, ver:0000000000000000000000 Update process received object(4 of 4): FUDB01600, ver: 01190190299211300016
Now move object FVDB from obj_3_a03484_unpacked to C:\Program Files\Fortinet\FortiClient\vir_sig\vcm.dat
On the FortiClient EMS server it is also possible to force a FortiGuard Update using the Administrator DOS command page:
C:\Program Files (x86)\Fortinet\FortiClientEMS>FcmUpdateDaemon.exe -e
Initializing...
serial: FCTEMS0000xxxxxx
Serial number: FCTEMS0000xxxxxx
Server is 10.5.53.228
A custom server is being used
10.5.53.228
Server priority =
1) 10.5.53.228:80
2) 10.5.53.228:8000
Try to connect to server 10.5.53.228:80
Connect to server 10.5.53.228:80 SUCCESS
Server using FCP ver 4.0 support FCT resume
data_items: 01000000FSCI00100000000000000000
It is also possible to perform a diag debug application process on the FortiManager during the update operation:
#diagnose debug application fgdupd 255
#diagnose de enIf needed, launch a sniffer to see the update:
FMG-VM64-KVM # diag sniffer packet any "port 80" 3 0 a
interfaces=[any]
filters=[port 80]
Related Articles:
Technical Note: How to validate the connection status from FortiManager to FortiGuard services