I need to update a backend Fortinet FortiGate 100E firewall, and the only machine in the network whose IP address is authorized for internet access (from the frontend firewall) is 10.1.2.3, running SquidProxy on CentOS Linux.
I followed Fortinet's technical note on how to set up the proxy by opening the CLI and issuing:

config system autoupdate tunneling
    set address 10.1.2.3
    set port 3128
    set status enable
end
Now part of the traffic flows through the proxy, but there are still connection attempts directly from the firewall to Fortinet servers on port 443. The updates are not working. I opened every port and protocol from the firewall interface to the SquidProxy machine, and through tcpdump on the proxy I can see data flowing back and forth like this:
Internet <---> SquidProxy <---> FortiGate
but from the firewall GUI I can see that it's not communicating with the update servers. I haven't been able to redirect ALL traffic from the firewall through the proxy.
What other configurations am I missing?
As per this article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGuard-updates-using-a-proxy-server/ta... not all features are supported via proxy. So only registration, AV, and IPS updates will be sent through the proxy. Web/DNS/Spam requests will not go through the proxy.
If you have a FortiManager, you can use it as the web filtering service for the FortiGate, and it in turn can update its web filtering database through the proxy.
You could also download a firmware image from the support portal and upload it manually via the FGT web interface instead of using the auto update.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
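One way to confirm from the Squid side which FortiGate sessions are actually being tunnelled (and which the proxy refused), as an added example that is not part of the original thread: it parses Squid's native access.log format and counts CONNECT tunnels per destination for the FortiGate's client IP. The log lines and the FortiGate address 10.1.2.1 are constructed for the example; only 10.1.2.3 (the Squid host) comes from the question.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
# 10.1.2.1 is an ASSUMED FortiGate address; 10.1.2.3 is the Squid host from the question.
SAMPLE_LOG = """\
1710000001.101    245 10.1.2.1 TCP_TUNNEL/200 51200 CONNECT update.example-fortiguard.invalid:443 - HIER_DIRECT/203.0.113.10 -
1710000002.202     12 10.1.2.1 TCP_DENIED/403 3840 CONNECT service.example-fortiguard.invalid:8888 - HIER_NONE/- text/html
1710000003.303    180 10.1.2.1 TCP_TUNNEL/200 20480 CONNECT update.example-fortiguard.invalid:443 - HIER_DIRECT/203.0.113.10 -
1710000004.404     90 10.1.2.50 TCP_MISS/200 1024 GET http://www.example.com/ - HIER_DIRECT/198.51.100.7 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def summarize_fortigate_tunnels(log_text, fortigate_ip):
    """Return {destination: {"ok": n, "failed": n}} for CONNECT requests from the FortiGate.

    A destination with only failed tunnels is traffic the FortiGate did send to the
    proxy but the proxy refused (ACL or port not allowed). A FortiGuard destination
    that never appears at all never used the proxy, which for web/DNS/spam lookups
    is the expected behaviour described in the answer above.
    """
    summary = defaultdict(lambda: {"ok": 0, "failed": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["client"] != fortigate_ip or m["method"] != "CONNECT":
            continue
        key = "ok" if m["status"] == "200" else "failed"
        summary[m["url"]][key] += 1
    return dict(summary)


if __name__ == "__main__":
    for dest, counts in summarize_fortigate_tunnels(SAMPLE_LOG, "10.1.2.1").items():
        print(f"{dest}: {counts['ok']} tunnel(s) established, {counts['failed']} refused")
```

Run it against the real /var/log/squid/access.log with the FortiGate's actual source address to see which update destinations reached the proxy and whether Squid allowed the CONNECT.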
Copyright 2024 Fortinet, Inc. All Rights Reserved.