Hi
We're running Fortigates with v5.2.x and FMG 5.2.1.
How do you tell a fortigate to check FMG for Fortiguard updates before going to the proper Fortiguard Service Service?
The fortiOS manual say
config system central-management
set fortimanager-fds-sigupdate-override enable
set sig-update-server-1 10.10.10.10
set sig-update-server-2 20.20.20.20
set sig-update-server-3 30.30.30.30
end
But none of these commands actually exist in the CLI.
I've seen other websites stating run "set fortimanager-fds-override enable" but this doesn't exist anymore.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi
even I have to say I do not work with 5.2 at the moment because it is too buggy for me I would say following:
config system central-management set mode normal set type fortimanager set fmg "3.3.3.3" #set fmg-source-ip 0.0.0.0 set schedule-config-restore enable set schedule-script-restore enable set allow-push-configuration enable set allow-pushd-firmware enable set allow-remote-firmware-upgrade enable set allow-monitor enable #set serial-number set vdom root set enc-algorithm default config server-list edit 1 set server-type upate server-address 0.0.0.0 end end
The config which points the FGT to FMG is the "config server list". Again I'm not sure but it is visible in this way for me. There is also a addtional command which should be probably disable which means:
include-default-servers {enable | disable} Enable or disable inclusion of public FortiGuard servers in the override server list.
Because this command enables default FortiGuard server etc. I would recommend to disable the stuff because you do not want to use FortiGuard.
Hope this helps
have fun
Andrea
Hi there,
I have the exact same config and the Fortimanager is not pushing the updates to the Fortigates
have you enabled service access on FMG interface?
FMG-VM64 # conf sys interface (interface)# ed port1 (port1)# set serviceaccess fclupdates FortiClient updates access. fgtupdates FortiGate updates access. webfilter-antispam Web filtering and antispam access.
Thanks
Simon
Thanks,
This config is already there.
conf sys int
edit 'port1'
set serviceaccess fgtupdates webfilter-antispam webfilter antispa
This has been enabled on the interface which is connected to the Fortigate firewall and not on the interface which is connected to the Internet? Is this how its meant to be?
This has been enabled on the interface which is connected to the Fortigate firewall
-- correct
what is the FOS version? can you enable below debug see which IP FGT send request to?
diag deb en
diag deb app update 255
and then "exec update-now"
Thanks
simon
The Fortios is 5.2.6
upd_act.c[275] __upd_act_update-Trying FDS 10.200.1.1:8890 with AcceptDelta=0
upd_comm.c[215] tcp_connect_fds-Proxy tunneling is disabled
This is the correct FMG ip address
does FMG link to public FGD and have received latest update?
Thanks
Simon
tcp_connect_fds-Proxy tunneling is disabled
-- from this debug, seems FGT can not reach that IP 10.200.1.1 somehow
so ping from FGT to 10.200.1.1 is OK? and 8890 port is allowed from FGT to FMG?
Sorry, thats not the case. The Fortigate happily downloads all the AV/IPS updates and does license verification for the number of vdoms, AV/IPS.
There is no firewall between FMG & FGT
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1645 | |
1070 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.