FortiManager
cborgato_FTNT
Article Id 198401

Description


This article describes how the 'Server Override Mode Strict' option for FortiGuard Proxy can change upon upgrade.

Scope


An upgraded FortiManager from 6.0 (or below) to 6.2 (or above).

Solution


The FortiManager FortiGuard feature that uses a web proxy to reach the public FortiGuard servers stops working after an upgrade to 6.2 (or above) if 'Server Override Mode' is set to Strict.

Context.

Sometimes, the customer needs to upgrade from FortiManager 6.0 or below to 6.2 or above.
If the FortiGuard feature was using a web proxy to access the public FortiGuard servers and 'Server Override Mode' was set to Strict, FortiManager may no longer be able to reach FortiGuard through the web proxy after the upgrade.

As a consequence, FortiGates that depend on FortiManager for IPS/AV updates will no longer receive new package updates.

Normally, the customer has a FortiGuard configuration on FortiManager like the one below:

config fmupdate service
    set avips enable
end

config fmupdate server-override-status
    set mode strict
end

config fmupdate av-ips web-proxy
    set address "1.2.3.4"
    set port 8080
    set status enable
    set username "proxy_user"
end

The two values of 'Server Override Mode' are:

Loose: Allow Access Other Servers (if the public FortiGuard servers cannot be reached via the proxy, FortiManager will try the default gateway, if available).
Strict: Access Override Server Only (FortiManager uses only the web proxy to reach the public FortiGuard servers).

The customer upgrades to 6.2 or above; the configuration is carried over unchanged.

Issue.

Immediately after the upgrade, FortiManager is no longer able to reach the public FortiGuard servers via the web proxy and cannot download new packages or databases.

Explanation.

The FortiGuard feature of FortiManager, in particular the 'server override' part, was reworked between 6.0 and 6.2. From 6.2 onwards, when 'Server Override Mode' is set to Strict, a server-override server IP must be configured explicitly; otherwise FortiManager does not know which FDS server to connect to, even when a web proxy is configured.

Solution.
Either of the following restores FortiGuard connectivity:

  1. Set 'Server Override Mode' to Loose, which does not require an explicitly configured server-override. FortiManager is then able to use the proxy configuration even when there is no default-gateway access to the Internet; the web proxy is responsible for resolving the FDN URLs and reaching them.

  2. Keep 'Server Override Mode' set to Strict and explicitly configure the FDN public IP server list under server-override:

config fmupdate fds-setting
    config server-override
        set status enable
        config servlist
            edit 1
                set ip 4.5.6.7
            next
        end
    end
end
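The combination that breaks after the upgrade (Strict mode with no server-override entry) is easy to miss in a long configuration backup. The following Python script is an added example, not Fortinet code: it parses the 'config / set / edit / next / end' nesting shown above from an exported configuration and reports whether the strict-mode requirement described in the Explanation is met. The sample configuration and the IP addresses in it are constructed; a missing server-override-status block is treated as not strict (an assumption).

```python
from typing import Dict, List, Tuple

# Constructed sample of a pre-upgrade FortiManager configuration (no real device data).
STRICT_NO_OVERRIDE = """\
config fmupdate server-override-status
    set mode strict
end
config fmupdate av-ips web-proxy
    set address "1.2.3.4"
    set port 8080
    set status enable
end
config fmupdate fds-setting
    config server-override
        set status enable
    end
end
"""

def parse_fortinet_config(text: str) -> Dict[str, Dict[str, str]]:
    """Flatten nested config/edit blocks into {'a/b/edit 1': {key: value}}."""
    stack: List[str] = []
    tree: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:])          # block name without the 'config ' keyword
        elif line.startswith("edit "):
            stack.append(line)              # table entry, e.g. 'edit 1'
        elif line in ("end", "next") and stack:
            stack.pop()
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tree.setdefault("/".join(stack), {})[key] = value.strip().strip('"')
    return tree

def strict_mode_risk(text: str) -> Tuple[bool, str]:
    """Return (at_risk, reason) for the 6.2+ strict-mode requirement."""
    cfg = parse_fortinet_config(text)
    # Assumption: an absent server-override-status block is treated as not strict.
    mode = cfg.get("fmupdate server-override-status", {}).get("mode", "loose")
    override = cfg.get("fmupdate fds-setting/server-override", {})
    prefix = "fmupdate fds-setting/server-override/servlist/edit "
    ips = [v["ip"] for k, v in cfg.items() if k.startswith(prefix) and "ip" in v]
    if mode != "strict":
        return False, "mode is loose: no explicit server-override needed"
    if override.get("status") == "enable" and ips:
        return False, "strict mode with explicit FDN server(s): " + ", ".join(ips)
    return True, ("strict mode but no enabled server-override servlist entry: "
                  "set mode loose or add FDN server IPs before upgrading")
```

Run it against a configuration backup taken before the upgrade; a True result means one of the two remediation options above is needed first.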
