FortiManager
bboudjema
Staff
Article Id 300297
Description

The article provides instructions on setting up and optimizing FortiManager as a UDP Local Web Rating Server (web-filter) and includes troubleshooting tips. Although the article emphasizes a UDP-based web-filter setup, there is the option to choose a TCP scenario (default and more secure) by referring to the KB article linked in the notes under the 'Step 1' section.

Scope

FortiManager.

Solution

Prerequisites:

  1. Access to FortiManager with administrative privileges.
  2. Internet access on FortiManager to fetch the latest web rating database from FortiGuard servers.
  3. Web-filter policies configured on FortiGate with an SSL inspection profile.
  4. DNS server IPs configured on FortiManager (port1).

Schema of the configured environment:

[Image: KB-local WF fmg.png]

Glossary and terminology:

Antivirus (AV): Software designed to detect and remove computer viruses.

Intrusion Prevention System (IPS): Security tool preventing unauthorized network access and attacks.

Web Filtering (WF): Restricting or allowing web content access based on predefined criteria.

Antispam (AS): Technology filtering and blocking unwanted email (spam).

Rating Database: Repository of categorized information used for assessing the security or trustworthiness of entities, often in the context of web content, files, or outbreaks.

FDS: Fortinet Distribution Server.

FDN: Fortinet Distribution Network.

1. Configuration on FortiManager:

Step 1 - Enabling service access for web filtering on FortiManager.

After enabling service access for FortiGate Updates and Web Filtering on the FortiManager interface, there is an option to Bind to an IP Address (System Settings -> Network -> port1).

If the 'Web Filtering' option is disabled, FortiManager will reset the connection and the packages will not be deployed to the FortiGate(s).

[Image: Picture1.png]

If 'Bind to IP Address' is 0.0.0.0/0.0.0.0 (default value), the interface IP will be used (10.5.49.190 in the screen capture above). That configuration option has been chosen for this article.

Important notes:

 

If an IP address is set in the 'Bind to IP Address' configuration, FortiManager will use TCP port 443 (not used in this article). To configure the web filter using the TCP scenario (more secure), follow steps 5 to 7 of the following KB article: Technical Tip: FortiGate configuration for using FortiManager as local FDS

The FortiManager interfaces may have three assigned IP addresses:

  • The primary IP is configured for TCP/8890 with AV/IPS and UDP/8888/53 with WF/AS.
  • The secondary IP, designated for update services (AV/IPS), operates on TCP/443.
  • The tertiary IP, designated for rating services (Web-Filter/AntiSpam), also operates on TCP/443.

It is essential to clarify that assigning secondary or tertiary IPs does not disrupt the primary IP's ability to listen on UDP ports. All IPs can operate simultaneously on their designated ports, enabling different FortiGates to access services on distinct ports without any interference.

 

Step 2 - Connect FortiManager to FortiGuard Distribution Network (FDN) for local Web-filter server use.

Via GUI: FortiGuard -> Settings -> Enable Web Filter Service.

[Image: Picture2.png]

Currently, the Web-Filter Database is empty as FortiManager has not yet pulled the signature packages from guard.fortinet.net.

 

Via CLI:

config fmupdate service
    set query-webfilter enable
end

 

The initial setup of the WF/AS rating databases may take several hours, possibly even exceeding a day, primarily because of the substantial downloads of delta packages for the database, which amount to more than 20GB for WF. Subsequently, the process involves merging the databases.

When the Database version appears, FortiManager has obtained the latest full web filter database.

[Image: Picture3.png]

The first server contacted by FortiManager is https://guard.fortinet.net/. Upon successful connection, it sends FortiManager a list of all available FortiGuard rating servers from which FortiManager can download and update the rating databases:

 

[Image: Picture4.png]

Note that CPU and I/O utilization may increase significantly during the database download and initial setup. This is expected and usually caused by the fgdlinkd process downloading and writing packages to the disk, and the fgdupd process working to consolidate the updates.

FortiManager is configured to poll the FDN every 10 minutes by default. A forced update can be done using the following CLI command: diag fmupdate updatenow fgd.

Step 3 - Refine the Web-Filter Configuration on FortiManager.

Execute the command 'config fmupdate web-spam fgd-setting' to fine-tune the Web-Filter configuration on FortiManager. The current values can be displayed with 'get fmupdate web-spam fgd-setting':

get fmupdate web-spam fgd-setting
as-cache : 300
as-log : nospam
as-preload : disable
av-cache : 300
av-log : novirus
av-preload : disable
av2-cache : 800
av2-log : noav2
av2-preload : disable
eventlog-query : disable
fgd-pull-interval : 10
fq-cache : 300
fq-log : nofilequery
fq-preload : disable
iot-cache : 300
iot-log : nofilequery
iot-preload : disable
iotv-preload : disable
linkd-log : debug
max-client-worker : 0
max-log-quota : 6144
max-unrated-site : 500
restrict-as1-dbver : (null)
restrict-as2-dbver : (null)
restrict-as4-dbver : (null)
restrict-av-dbver : (null)
restrict-av2-dbver : (null)
restrict-fq-dbver : (null)
restrict-iots-dbver : (null)
restrict-wf-dbver : (null)
server-override:
stat-log : disable
stat-log-interval : 60
stat-sync-interval : 60
update-interval : 6
update-log : enable
wf-cache : 600
wf-dn-cache-expire-time: 30
wf-dn-cache-max-number: 10000
wf-log : nourl
wf-preload : disable

Below are the most important settings to fine-tune the Web-Filter configuration on FortiManager:

fgd-pull-interval <integer>: Configure how frequently to poll the FDN servers (or the configured override servers) to obtain AS/WF/FQ/GeoIP delta package updates and verify license information.

  • FortiGuard pull interval in minutes (1 - 1440, default = 1).

 

update-interval <integer>: Defines the number of hours to wait before initiating the database merge operation if an insufficient number of delta files has been received.

  • By default, the database merge waits 6 hours if insufficient delta files are received. Otherwise, merging occurs after 100 delta files have been received.
  • This duration can be reduced to a minimum of 2 hours; the shorter it is, the greater the accuracy and synchronization between FortiManager's web filtering database and the FortiGuard database.

update-log {enable|disable}:

  • enable – Writes detailed fgdupd merge process information to the internal log files. Acceptable in production.
  • disable – Does not write detailed fgdupd merge process information to the internal log files.

wf-log {all|disable|nourl}:

  • all – Enables detailed WF query (and GeoIP) logging. Use only for troubleshooting and disable in production: 'all' is not recommended as it significantly impacts performance.
  • disable – Disables web-filter logging.
  • nourl – Logs non-URL events.

 

wf-dn-cache-max-number <integer>:

  • Maximum number of Web filter DN (domain name) cache entries (0 = disable, default = 10000). Added in FortiManager 5.6.1 and used for FortiGate v5.6 and later for the new WF categories 90 & 91.

wf-dn-cache-expire-time <integer>:

  • Web filter DN cache expire time, in minutes (1 - 1440, 0 = never, default = 30). Added in FortiManager 5.6.1 and used for FortiGate v5.6 and later for the new WF categories 90 & 91.

wf-cache <integer>: Web filter service maximum memory usage, in megabytes (maximum = physical memory - 1024, 0 = no limit, default = 600).

  • Setting wf-cache to 0 allows dynamic allocation of memory up to the web-filter database size. Ensure sufficient physical memory on the hardware or VM platform to prevent web-filter process issues, such as crashes or unresponsiveness.
  • The web-filter database is cached in the rundb directory: sh-4.3# cd /var/fgd/URLs/rundb/.
  • In the event of a brief disconnection from the FDS network, the local FDS server will continue delivering the local FGD service, although it may not have the latest database.

wf-preload {enable|disable}:

  • disable – Default on all platforms, except hardware models with more than 64 GB RAM.

The web-filter database is then served from disk. The increased disk I/O in this scenario is expected to cause higher CPU utilization, as well as slower rating responses if many devices send requests at the same time. However, this allows units with less RAM than double the total size of the rating databases to operate as web-filter rating servers.

  • enable – Loads the whole web-filter database into memory.

This ensures optimal performance and reliability of the Web Filter rating server but requires a memory capacity of at least twice the combined size of all enabled rating databases (in addition to the memory required by FortiManager itself and other modules).

For example: as of the time of writing this article, the combined size of the Web-filter (11GB) and Antispam (1GB) databases is approximately 12 GB. FortiManager itself requires a minimum of 8GB of memory. Consequently, a Web-filter/Antispam server needs a minimum of 30GB for proper functioning when utilizing 'wf-preload enable'.

Incorporating additional rating databases, such as Filequery (4GB), Outbreak (2GB), etc., would require additional memory.
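As an added example (not part of the original article or of FortiManager itself), the following Python script parses 'get fmupdate web-spam fgd-setting' output and flags the values discussed in this step: wf-log 'all', update-interval outside the 2 to 6 hour window, fgd-pull-interval outside 1 to 1440 minutes, wf-cache 0, and wf-preload enable on a unit with 64 GB of RAM or less. The sample output is constructed, and the ram_gb argument is an assumption the caller supplies.

```python
import re

# Constructed sample of 'get fmupdate web-spam fgd-setting' output, trimmed to the keys
# this check looks at; wf-log, update-interval, wf-cache and wf-preload are deliberately
# set to values the article warns about.
SAMPLE_FGD_SETTING = """\
fgd-pull-interval : 10
restrict-wf-dbver : (null)
server-override:
update-interval : 12
update-log : enable
wf-cache : 0
wf-log : all
wf-preload : enable
"""

def parse_fgd_setting(text):
    """Turn 'key : value' lines into a dict; '(null)' and empty values become None."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w-]+)\s*:\s*(.*?)\s*$", line)
        if m:
            key, value = m.groups()
            settings[key] = None if value in ("", "(null)") else value
    return settings

def audit_fgd_setting(settings, ram_gb):
    """Return findings based on the tuning notes above; ram_gb (assumed, supplied by the
    caller) is the FortiManager's physical memory in GB."""
    findings = []
    if settings.get("wf-log") == "all":
        findings.append("wf-log=all: detailed WF query logging; troubleshooting only")
    interval = settings.get("update-interval")
    if interval is not None and int(interval) > 6:
        findings.append(f"update-interval={interval}h: merge waits longer than the 6h default")
    elif interval is not None and int(interval) < 2:
        findings.append(f"update-interval={interval}h: below the 2h minimum")
    pull = settings.get("fgd-pull-interval")
    if pull is not None and not 1 <= int(pull) <= 1440:
        findings.append(f"fgd-pull-interval={pull}: outside the 1-1440 minute range")
    if settings.get("wf-cache") == "0":
        findings.append("wf-cache=0: memory grows to the WF database size; verify physical RAM")
    if settings.get("wf-preload") == "enable" and ram_gb <= 64:
        findings.append(f"wf-preload=enable on a {ram_gb}GB unit: needs at least twice the "
                        "combined rating database size plus FortiManager's own memory")
    return findings
```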

 

2. Configuration on FortiGate.

Step 1: Configure the FortiGate to use FortiManager as a local server for both AV/IPS updates and WF/AS rating:

config system central-management
    config server-list
        edit 1
            set server-type update rating   <- To get both updates and web rating from FortiManager.
            set addr-type ipv4
            set server-address 10.5.49.190
        next
    end
    set fmg-update-port 8890   <- Dst. port for AV/IPS updates.
end

 

 

Step 2: Configure the Web Filter rating port on FortiGate.

In this example, FortiGate must be set to use the UDP 8888 FortiGuard port for rating requests (the default is TCP/443).

config system fortiguard
    set fortiguard-anycast disable   <- If anycast is enabled, only TCP/443 is available for the settings below.
    set protocol udp                 <- Defines the protocol to be used.
    set port 8888                    <- Dst. port for WF/AS rating requests (can be 8888 or 53).
end
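An added example, not from the article or from Fortinet: a small Python checker that parses a FortiGate CLI snippet like the two blocks above and verifies the dependencies the annotations describe (anycast disabled when the protocol is udp, port 8888 or 53, server-type including rating, fmg-update-port 8890). The sample config is constructed with anycast deliberately left enabled so the check reports it.

```python
# Constructed FortiGate CLI snippet mirroring the two blocks above (same IP and ports),
# with anycast deliberately left enabled so the check has something to report.
SAMPLE_FGT_CONFIG = """\
config system central-management
    config server-list
        edit 1
            set server-type update rating <- updates and rating from FortiManager
            set server-address 10.5.49.190
        next
    end
    set fmg-update-port 8890 <- Dst. port for AV/IPS updates
end
config system fortiguard
    set fortiguard-anycast enable
    set protocol udp
    set port 8888
end
"""

def parse_fortios(text):
    """Map a config path such as 'system central-management/server-list/1' to its 'set' values."""
    blocks, stack = {}, []
    for raw in text.splitlines():
        words = raw.split("<-", 1)[0].split()   # drop the '<-' annotations
        if not words: continue
        if words[0] in ("config", "edit"):
            stack.append((words[0], " ".join(words[1:])))
        elif words[0] == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif words[0] == "end":  # 'end' also closes an 'edit' left open without 'next'
            while stack and stack.pop()[0] != "config": pass
        elif words[0] == "set":
            path = "/".join(name for _, name in stack)
            blocks.setdefault(path, {})[words[1]] = words[2:]
    return blocks

def check_fmg_rating(blocks):
    """Findings for the UDP local-rating scenario described above."""
    findings = []
    fg = blocks.get("system fortiguard", {})
    if fg.get("protocol", [""])[0] == "udp":
        if fg.get("fortiguard-anycast", [""])[0] != "disable":
            findings.append("protocol udp requires fortiguard-anycast disable (with anycast only TCP/443 is available)")
        if fg.get("port", [""])[0] not in ("8888", "53"):
            findings.append("UDP rating port must be 8888 or 53")
    srv = blocks.get("system central-management/server-list/1", {})
    if "rating" not in srv.get("server-type", []):
        findings.append("server-type must include rating to get web rating from FortiManager")
    if blocks.get("system central-management", {}).get("fmg-update-port") != ["8890"]:
        findings.append("fmg-update-port should be 8890 for AV/IPS updates from FortiManager")
    return findings
```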

 

3. Validation of Functionality: Confirming Operational Status.

Step 1: Verification of FortiGuard connectivity from FortiManager.

Run the command 'diag fmupdate view-linkd-log fgd' on FortiManager to check whether FMG successfully established a connection with the FortiGuard servers.

The status should display as 'SUCCESS', as illustrated in the example below:

[Image: Picture6.png]

Note: This command shows only the last 10 lines of the log. If the status messages are not visible, leave the log running and wait for the next connection (every 10 minutes by default).

 

Step 2: Confirm the Current Status of the Device License (FortiManager/FortiGate).

Once done, check FortiGuard -> Device Licenses. Ensure the FortiGate used for web filtering has a valid FortiGuard subscription and an 'up to date' Service Status. This confirms that the FortiGuard license contract information was successfully communicated to FortiManager.

[Image: Picture7.png]

The same information is available in the FortiManager CLI with 'diag fmupdate dbcontract <serial_number>' or in the FortiGate CLI with 'diag test update info'.

Run 'diagnose debug rating' on FortiGate to further check the web filter status.

Ensure that the web-filter service is enabled, the license is in 'Contract' status, and the FortiManager IP is at the top of the table with flags as in the screenshot below:

 

[Image: Picture8.png]

If the license is valid on FortiGate but not on FortiManager, this may indicate that FortiManager is failing to reach the FortiGuard servers.

Step 3: Confirm that FortiGuard connectivity is working (FortiGate).

Update debug commands can also be run on FortiGate to verify the IP address and port being connected to, and the packages that were updated:

Use the below CLI commands on FortiGate:

diag debug app update -1
diag debug enable
execute update-now

upd_comm_connect_fds[458]-Trying FMG 10.5.49.190:8890
upd_install_pkg[1306]-MADB002 is up-to-date
upd_install_pkg[1306]-AFDB0013 is up-to-date
upd_status_save_status[130]-try to save on status file
upd_status_save_status[196]-Wrote status file
__upd_act_update[325]-Package installed successfully
upd_comm_disconnect_fds[499]-Disconnecting FMG 10.5.49.190:8890

Troubleshooting.

Step 1: Troubleshoot FortiGuard connectivity (FortiManager).

Below is an example of a failed connection:

Use CLI command: diag fmupdate view-linkd-log fgd.

diag fmupdate view-linkd-log fgd

30|LastSuccessTime=10:57:57|Status=0|UpullStat=Syncing|UpullErr=Connect error|UpullServer=65.x.x.x…………
2021/04/30_08:09:22.324 error fgdlinkd[780]: DES=LOGTP_COMM:REQ_uppull_objects: Failed to connect to fds server: 65.x.x.x:443
2021/04/30_08:09:22.324 debug fgdlinkd[780]: DES=LOGTP_COMM:REQ_uppull_objects:result is: -3, respode = 0
2021/04/30_08:09:22.324 error fgdlinkd[780]: ERR=900|DES=LOGTP_MEM:pollcmd_sendto_fds_server: Failed to get info from 65.x.x.x:443

The above error indicates that connectivity between FortiManager and the FortiGuard servers is not functional. It might be due to a misconfiguration of FortiGuard on FortiManager, or to a firewall in the path that blocks the traffic on TCP port 443.

Step 2: Troubleshoot FortiGuard connectivity (FortiGate).

The same update debug commands can be run on FortiGate to verify the IP address and port being connected to and the result of the update:

diag debug app update -1
diag debug enable
execute update-now

upd_daemon[1790]-Received update now request
upd_daemon[1519]-Found cached action=00000002
do_update[493]-Starting now UPDATE (final try)
upd_comm_connect_fds[458]-Trying FDS 10.5.49.190:8890
tcp_connect_fds[259]-select() timed out
upd_comm_connect_fds[472]-Failed TCP connect
do_update[505]-UPDATE failed

The error message above suggests that traffic from the downstream FortiGate to its FDS server (here FortiManager on TCP/8890) may be blocked by an upstream firewall.

It is also possible to use the 'diag sniffer packet' CLI command to check network connectivity on port 8890.

Step 3: Get the details on the downloaded web-filter package version.

To gather more details on the downloaded web-filter package version (the .md5 package name in the last log line below), either use the CLI command diag fmupdate view-linkd-log fgd or access the log file via the shell (optional): cat /var/log/fgdlinkd.log.

diag fmupdate view-linkd-log fgd

2023/12/14_11:24:23.041 info fgdlinkd[6164]: FCP_CONN:: received object[1/4]: id=00000000FCPR00000 ver=00000.00000-2312141024 size=200
2023/12/14_11:24:23.042 info fgdlinkd[6164]: [FDS-->FMG] Response: Protocol=4.0|Response=200|Firmware=FGD033-FW-6.8-0193|SerialNumber=FGD-FGS-DELL0903|Server=FGDG|Persistent=false|ResponseItem=04000000FURL00000:200*00000000FCNI00000:200*00000000FDNI00000:200
2023/12/14_11:24:23.042 info fgdlinkd[6164]: __uppull_record_event_history: svc=fgd, event=256
2023/12/14_11:24:23.042 info fgdlinkd[6164]: FCP_CONN:: receiving objhdr: objid=04000000FURL00000
2023/12/14_11:24:23.144 info fgdlinkd[6164]: __uppull_record_event_history: svc=fgd, event=512
2023/12/14_11:24:23.144 debug fgdlinkd[6164]: __obj_move_to_running_path,562:svc(fgd) package export to /var/fgd/URLs/FortiGuard_00232_52048.md5
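As an added example (not part of the original article) serving troubleshooting Steps 1 to 3, this Python script parses the FortiManager fgdlinkd log and the FortiGate update debug output shown above. It extracts the UpullStat status fields, FDS connection failures, the exported .md5 package path, and which server the FortiGate tried and whether the update failed or installed. The sample lines are constructed from the excerpts above, with the server values as they appear in the article.

```python
import re

FGDLINKD_RE = re.compile(r"^(?P<ts>\S+) (?P<level>\w+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FGT_UPDATE_RE = re.compile(r"^(?P<func>\w+)\[(?P<line>\d+)\]-(?P<msg>.*)$")

# Constructed samples modelled on the outputs shown above (server values as in the article).
SAMPLE_FMG_LOG = """\
30|LastSuccessTime=10:57:57|Status=0|UpullStat=Syncing|UpullErr=Connect error|UpullServer=65.x.x.x
2021/04/30_08:09:22.324 error fgdlinkd[780]: DES=LOGTP_COMM:REQ_uppull_objects: Failed to connect to fds server: 65.x.x.x:443
2023/12/14_11:24:23.144 debug fgdlinkd[6164]: __obj_move_to_running_path,562:svc(fgd) package export to /var/fgd/URLs/FortiGuard_00232_52048.md5
"""
SAMPLE_FGT_LOG = """\
upd_comm_connect_fds[458]-Trying FDS 10.5.49.190:8890
tcp_connect_fds[259]-select() timed out
upd_comm_connect_fds[472]-Failed TCP connect
do_update[505]-UPDATE failed
"""

def triage_fmg_log(text):
    """Summarise 'diag fmupdate view-linkd-log fgd': status header, FDS failures, exported packages."""
    out = {"status": {}, "fds_failures": [], "exported": []}
    for line in text.splitlines():
        if "|UpullStat=" in line:  # pipe-separated k=v header; the first field is a bare counter
            out["status"] = dict(p.split("=", 1) for p in line.split("|")[1:] if "=" in p)
            continue
        m = FGDLINKD_RE.match(line)
        if not m:
            continue
        fail = re.search(r"Failed to connect to fds server: (\S+)", m["msg"])
        if fail:
            out["fds_failures"].append((m["ts"], fail.group(1)))
        exp = re.search(r"package export to (\S+)", m["msg"])
        if exp:
            out["exported"].append(exp.group(1))
    return out

def triage_fgt_update(text):
    """Summarise 'diag debug app update -1' output: servers tried, failure and install flags."""
    out = {"servers": [], "failed": False, "installed": False}
    for line in text.splitlines():
        m = FGT_UPDATE_RE.match(line)
        if not m:
            continue
        tried = re.search(r"Trying (?:FDS|FMG) (\S+)", m["msg"])
        if tried:
            out["servers"].append(tried.group(1))
        if "Failed TCP connect" in m["msg"] or "UPDATE failed" in m["msg"]:
            out["failed"] = True
        if "installed successfully" in m["msg"]:
            out["installed"] = True
    return out
```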

 

Comments
r_jordan
Staff

great job!

serge_FTNT
Staff

excellent article, very well documented