Created on 07-20-2021 10:40 PM Edited on 08-29-2024 04:25 AM By Stephen_G
Description
This article describes how the 'Server Override Mode Strict' option for FortiGuard Proxy can change upon upgrade.
Scope
FortiManager upgraded from 6.0 (or below) to 6.2 (or above).
Solution
The FortiManager FortiGuard feature, which uses the web proxy to reach the public FortiGuard server, no longer works after an upgrade to 6.2 (or above) if 'Server Override Mode' is set to Strict.
Context.
Sometimes, the customer needs to upgrade to 6.2 or above from FortiManager version 6.0 or below.
If the FortiGuard feature was using a web proxy to access the public FortiGuard server and 'Server Override Mode' was set to Strict, FortiManager may no longer be able to reach FortiGuard via the web proxy.
As a consequence, FortiGates requiring IPS/AV updates will no longer receive recent package updates.
Normally, the customer has a FortiGuard configuration on FortiManager like below:
config fmupdate server-override-status
    set mode strict
end
config fmupdate av-ips web-proxy
    set address "1.2.3.4"
    set port 8080
    set status enable
    set username "proxy_user"
end
Strict: Access Override Server Only (FortiManager uses only the WebProxy to reach public FortiGuard servers).
The customer upgrades to 6.2 or above. The configuration does not change.
Issue.
Immediately after the upgrade, FortiManager is no longer able to reach the public FortiGuard server via the web proxy and cannot download new packages/DBs.
Explanation.
The FortiManager FortiGuard feature, in particular the 'server override' part, was improved between 6.0 and 6.2. Now, when 'Server Override Mode' is set to Strict, it is mandatory to explicitly configure the server-override server IP; otherwise FortiManager will not know which FDS server to connect to.
Solution.
- Set 'Server Override Mode' to Loose, which does not require an explicitly configured server-override. FortiManager will therefore be able to use the proxy configuration even if there is no default gateway access to the Internet. The web proxy is responsible for resolving the FDN URLs and reaching them.
- Keep 'Server Override Mode' set to Strict and explicitly configure the FDN public IP server list in server-override.
set status enable
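A pre-upgrade check for the condition described above, as an added example (not Fortinet's code): it parses a saved copy of the FortiManager CLI configuration and flags Strict mode with no explicit override server. The function names, the verdict strings, and the heuristic used to locate override server IPs are assumptions; confirm the exact server-override block name in the CLI reference for your version.

```python
SAMPLE = '''\
config fmupdate server-override-status
set mode strict
end
config fmupdate av-ips web-proxy
set address "1.2.3.4"
set port 8080
set status enable
set username "proxy_user"
end
'''  # configuration copied from the article (pre-upgrade state)

def parse_settings(text):
    """Map each 'config'/'edit' block path to its 'set' key/value pairs."""
    stack, settings = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:].strip())
        elif line.startswith("edit "):
            stack.append(line)
        elif line == "next" and stack and stack[-1].startswith("edit "):
            stack.pop()
        elif line == "end":
            while stack and stack.pop().startswith("edit "):
                pass  # drop any unclosed 'edit', then the enclosing 'config'
        elif line.startswith("set ") and stack:
            parts = line.split(None, 2)
            if len(parts) == 3:
                settings.setdefault(" / ".join(stack), {})[parts[1]] = parts[2].strip('"')
    return settings

def audit_pre_upgrade(text):
    """Return (verdict, detail) for the Strict-mode issue seen after upgrading to 6.2+."""
    s = parse_settings(text)
    mode = s.get("fmupdate server-override-status", {}).get("mode", "unset")
    proxy = s.get("fmupdate av-ips web-proxy", {}).get("status") == "enable"
    # Assumption: override servers appear as 'set ip' below a block named '*server-override*'.
    servers = [kv["ip"] for path, kv in s.items() if "ip" in kv
               and "server-override" in path and "server-override-status" not in path]
    if mode != "strict":
        return "OK", f"mode is {mode}; no explicit server-override list required"
    if servers:
        return "OK", "strict mode with explicit servers: " + ", ".join(servers)
    via = "web proxy" if proxy else "direct access"
    return "AT_RISK", f"strict mode, no server-override IP ({via}); FDS unreachable on 6.2+"

if __name__ == "__main__":
    print(audit_pre_upgrade(SAMPLE))
```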
Related articles:
- Technical Tip: Setting up FortiManager behind Web Proxy to act as standalone FortiGuard FDS server f...
- Technical Tip: How to configure FortiManager as FortiClients FortiGuard server
- Technical Tip: Verifying FortiGuard connectivity on FortiManager
- Troubleshooting Tip: Upgrade Status ‘Firmware Upgrade Status Not Found’ for Managed Devices in Forti...