FortiManager
mdeparisse_FTNT
Article Id 195307

Description

 
This article describes the configuration required on the FortiManager and EMS sides to allow FortiClients to use FortiManager as a local FortiGuard update and rating server.

FortiClient can download different update packages from FortiGuard. FortiManager can be configured to act as a local FortiGuard server.
This saves WAN bandwidth: the updates are downloaded only once from the public FortiGuard servers and then distributed locally, instead of hundreds or thousands of endpoints each downloading the same update from FortiGuard individually.
Another benefit of the FortiManager FortiGuard module is that it allows administrators to control which object versions are rolled out to the endpoints.
 
Scope
 
FortiManager version 6.x and 7.x (the configuration in version 5.x is very similar, but some commands may have slightly different syntax).

Solution
 
On FortiManager, configure the FortiGuard service as below:
 

Enable the FortiClient update service on the interface where the FortiClients will be connecting:

 

config system interface
   edit "port1"
      set allowaccess http https ssh                     <--- 'http' is required, otherwise port 80 is disabled
      set serviceaccess fclupdates webfilter-antispam    <--- 'fclupdates' is required and is CLI only!
   next
end
 
Note:
The web filter rating service (webfilter-antispam) is common to FortiClient/FortiGate/FortiMail and respects the secondary IP (rating-service-ip) option of the interface configuration. The FortiClient update service (fclupdates) is only for FortiClient and does not respect the secondary IP (update-service-ip) option of the interface configuration, which is only used for the FortiGate/FortiMail update services on port TCP-443.
 

Verify that the following default port settings are in place:

 

config system admin setting
    set http_port 80
end
 
config fmupdate fct-services
    set status enable
    set port 80
end
 

Select which versions of FortiClient updates FortiManager should download from FortiGuard:

 

config fmupdate fds-setting
    set system-support-fct 6.0 6.2 6.4 7.0 7.2 7.4
end
 

Enable the required FortiGuard services. In the example below, FortiManager will serve both AV updates and web filter ratings:

 

config fmupdate service
    set avips enable
    set query-antivirus enable
    set query-webfilter enable
end
 
The following CLI command can be used to verify that the service is listening on port 80:
 
diagnose fmnetwork netstat list
...
tcp        0      0 0.0.0.0:80            0.0.0.0:*               LISTEN
...
 
For stability of the HTTP service, switch the Apache server mode to 'prefork':
 
config system global
    set apache-mode prefork
end
 
Verify that FortiManager has successfully downloaded the FortiClient packages (it may take some time depending on the update schedule):
 
diagnose fmupdate fds-getobject product FCT
 
Sample output:
 
fds-getobject-output.png

 

Similarly, the receive status can be checked from the FortiManager GUI, under FortiGuard -> Package Management -> Receive Status (disable the 'Show Used Object Only' filter to see all objects, and filter by product and version for better visibility):
 
gui-fct-package-status.png

 

 

Note:

If no current objects are present on FortiManager, refer to the related article below on how to troubleshoot the FortiManager <--> FortiGuard connectivity.

 
 
On EMS, configure the respective endpoint profiles to push the FortiManager IP address and port to the FortiClients:
 
iyotov_0-1748600997169.png

 

Configure EMS itself to connect to the FortiManager IP address for FortiGuard updates.
 
Note:
The option 'Enable SSL' in the FortiGuard settings must be disabled:
 
iyotov_1-1748600997171.png

 

Register the FortiClients to EMS so they can download their updated endpoint profiles:
 
iyotov_2-1748600997172.png

 

On a PC with a FortiClient, force a FortiGuard Update to test. Run CMD as administrator from the FortiClient folder (usually C:\Program Files\Fortinet\FortiClient):
 
update_task -s fd_01
update_task -d fd_01
 
This way, the update task uses the server IPs from the registry. Check the output; if the IP is not correct, test the connectivity by adding the FortiManager IP at the end of these commands. This helps to identify whether the issue is in the client configuration or in the FortiClient <-> FortiManager connection.
 
C:\Program Files\Fortinet FortiClient>update_task.exe -s 10.5.51.212
update_task.exe
Software update status = -1
Initializing... Terial: FCT8001922******
attempt 1 of 3
Serial number: FCT8001922******
10.5.51.212
Server priority =
10.5.51.212:80
try to connect to server 10.5.51.212:80
Connect to server 10.5.51.212:80 SUCCESS
No new vul stat info to send
Server using FCP ver 4.0 support FCT resume
Data items: 00000000FSCIQ0000000000000000000000000FDNI0000000000000000000000*060000000FVE02800-0.0-99999*06000000FVEN0300-2.28-99999*06000000FVDB01600-1.189-999*06000000FCBN00000000009999999999
Update process received object(1 of 4): FCPR00000, ver:0000000000000000000000 Update process received object(2 of 4): FDNIGUU00, ver:0000000000000000000000  Now move object FDNI from obj_1_a03484_unpacked to C:\Program Files\Fortinet\FortiClient\vir_sig fdni.conf
Update process received object(3 of 4): FSC00000, ver:0000000000000000000000 Update process received object(4 of 4): FUDB01600, ver: 01190190299211300016
Now move object FVDB from obj_3_a03484_unpacked to C:\Program Files\Fortinet\FortiClient\vir_sig\vcm.dat
 
On the FortiClient EMS server, it is also possible to force a FortiGuard update from an administrator command prompt:
 
C:\Program Files (x86)\Fortinet\FortiClientEMS>FcmUpdateDaemon.exe -e
Initializing...
serial: FCTEMS0000xxxxxx
Serial number: FCTEMS0000xxxxxx
Server is 10.5.53.228
A custom server is being used

10.5.53.228
Server priority =
1) 10.5.53.228:80
2) 10.5.53.228:8000
Try to connect to server 10.5.53.228:80
Connect to server 10.5.53.228:80 SUCCESS
Server using FCP ver 4.0 support FCT resume
data_items: 01000000FSCI00100000000000000000
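The two outputs above (update_task.exe on the endpoint and FcmUpdateDaemon.exe on EMS) share the same layout. The following added example, which is not part of the article or of any Fortinet tool, parses such an output and checks that the client actually used the FortiManager IP on port 80 as its first-priority server, which is the quickest way to tell a client-side configuration problem from a connectivity problem. The sample text is a shortened, constructed copy of the update_task output shown in the article.

```python
import re

SERIAL_RE = re.compile(r"^Serial number:\s*(\S+)")
PRIO_RE = re.compile(r"^(?:\d+\)\s*)?(\d{1,3}(?:\.\d{1,3}){3}:\d+)$")  # "ip:port" or "1) ip:port"
SUCCESS_RE = re.compile(r"^Connect to server (\S+) SUCCESS")
OBJ_RE = re.compile(r"received object\(\d+ of \d+\): ([A-Z0-9]+), ver:\s*(\d+)")

def parse_update_output(text):
    """Extract serial, server priority list, connected server and received objects."""
    res = {"serial": "", "servers": [], "connected": "", "objects": {}}
    in_priority = False
    for raw in text.splitlines():
        line = raw.strip()
        if m := SERIAL_RE.match(line):
            res["serial"] = m.group(1)
        elif line.startswith("Server priority"):
            in_priority = True  # the "ip:port" lines that follow are the candidates, in order
            continue
        if in_priority:
            if m := PRIO_RE.match(line):
                res["servers"].append(m.group(1))
                continue
            in_priority = False  # first non-server line ends the list
        if m := SUCCESS_RE.match(line):
            res["connected"] = m.group(1)
        for m in OBJ_RE.finditer(line):  # several objects can share one output line
            res["objects"][m.group(1)] = m.group(2)
    return res

def check_uses_fortimanager(text, fmg_ip, port=80):
    """Return a list of findings; empty means the client used the expected FortiManager."""
    res = parse_update_output(text)
    expected = f"{fmg_ip}:{port}"
    findings = []
    if not res["servers"]:
        findings.append("no server priority list found")
    elif res["servers"][0] != expected:
        findings.append(f"first-priority server is {res['servers'][0]}, expected {expected}")
    if res["connected"] != expected:
        findings.append(f"connected to {res['connected'] or 'nothing'}, expected {expected}")
    return findings

# Constructed sample, shortened from the update_task output shown in the article.
SAMPLE_FCT = """\
Serial number: FCT8001922******
Server priority =
10.5.51.212:80
Connect to server 10.5.51.212:80 SUCCESS
Update process received object(1 of 2): FCPR00000, ver:0000000000000000000000 Update process received object(2 of 2): FUDB01600, ver: 01190190299211300016
"""
```

Running check_uses_fortimanager(SAMPLE_FCT, "10.5.51.212") returns an empty list; passing a different IP returns one finding for the priority list and one for the connected server.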
 
It is also possible to run live debug on FortiManager during the update operation:
 
diagnose debug application fgdupd 255
diagnose de en
 
diagnose debug app fdssvrd 255         <--- (FortiManager 7.2 and later)
diagnose debug en
 

Packet capture can be used to verify that the FortiClient requests reach the FortiManager interface:

 
diagnose sniffer packet any "port 80" 3 0 a
interfaces=[any]
filters=[port 80]

 

Related article:

Technical Tip: How to validate the connection status from FortiManager to FortiGuard services