FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
cborgato_FTNT
Description
This article discusses about 'Server Override Mode Strict' for FortiGuard Proxy can change upon upgrade.

Scope
Report is not expected behavior change upon upgrading FortiManager from 6.0 (or below) to 6.2 (or above) for FortiManager FortiGuard feature.

Solution
FortiManager FortiGuard feature using web proxy to reach public FortiGuard server cannot work anymore if 'Server Override Mode' is set to Strict upon upgrading to 6.2 (or above).

Contest.

It can happen that customer needs to upgrade to 6.2 or above coming from 6.0 or below FortiManager version.
In case FortiGuard feature was using a web proxy to access to public FortiGuard server and 'Server Override Mode' was set to strict, FortiManager could not be able to reach anymore FortiGuard via web proxy.

As consequence, FortiGates requiring IPS/AV updates will not get any more recent package updates.

Normally customer has a FortiGuard configuration on FortiManager like below:




# config fmupdate service
    set avips enable
end




# config fmupdate server-override-status
    set mode strict
end

# config fmupdate av-ips web-proxy
    set address "1.2.3.4"
    set port 8080
    set status enable
    set username "proxy_user"
end
Loose: Allow Access Other Servers (if via Proxy cannot reach public FortiGuard servers, FortiManager will try to use default Gateway, if available).
Strict: Access Override Server Only (
FortiManager uses only the WebProxy to reach public FortiGuard servers).

Customer upgrade to 6.2 or above. Configuration does not change.

Issue.

Immediately after the upgrade,
FortiManager is not able anymore to reach FortiGuard public server via web proxy and cannot download new packages/ DBs.

Explanation.

FortiGuard
FortiManager feature, in particular 'server override' part, has been improved from 6.0 to 6.2 and now, when 'Server Override Mode' is set to Strict, it is mandatory to explicitly config server-override server IP, otherwise FortiManager will not know which FDS server to connect.

Solution.

1) Set 'Server Override Mode' to Loose which does not require explicitly server-override configure, thus it will be able to use the Proxy configuration even if there is no default gateway access to Internet.
web proxy is in charge to solve FDN ULS and reach them.

2) Keep 'Server Override Mode' to Strict and explicitly configure FDN public IP server-list on  server-override.



# config fmupdate fds-setting
# config server-override

    set status enable
    
# config servlist
    edit 1
        set ip 4.5.6.7
    next
end
end
end

Related Articles

Technical Note: Setting up FortiManager behind Web Proxy to act as standalone FortiGuard FDS server ...

Technical Tip: How to configure FortiManager as FortiClients FortiGuard server

Technical Tip: Verifying FortiGuard connectivity on FortiManager

Contributors