Disabling traffic initiated from FortiGate to Fortinet Global Update
Hi,
In the FortiGate, I can see there is traffic initiating from the FortiGate's IP address (10.90.0.2) to a public IP, which is globalupdate.fortinet.net.
I have configured the FGT so that it uses FortiManager as the local FDN, but it seems the FortiGate still tries to reach the public IP by itself. How do I disable this in FortiGate?
config system central-management
    set type fortimanager
    set fmg "10.1.71.57"
    set fmg-source-ip 10.90.32.11
    config server-list
        edit 1
            set server-type update rating
            set server-address 10.1.71.57
        next
    end
    set interface-select-method sdwan
end
Hello @arie_arie ,
When I reviewed your configuration, I saw the rating and update configuration on the same line. Can you separate these configurations like this? Maybe the problem is caused by that.
config system central-management
    set type fortimanager
    set fmg "10.1.71.57"
    set fmg-source-ip 10.90.32.11
    config server-list
        edit 1
            set server-type rating
            set server-address 10.1.71.57
        next
        edit 2
            set server-type update
            set server-address 10.1.71.57
        next
    end
    set interface-select-method sdwan
end
Also, can you restart the FDS service on the FortiGate?
diag fmupdate service-restart fds
You can follow this document to use FortiManager as the FDN server.
NSE 4-5-6-7 OT Sec - ENT FW
Hi,
It can't separate rating and update using the same IP address.
Can you configure "set include-default-servers disable" under central-management and check?
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-setup-FortiGate-to-get-updates-from...
Suraj
Hi,
I tried to configure "set include-default-servers disable", but there is still traffic to Fortinet.
This is to globalproductapi.fortinet.net; do you see traffic to globalupdate.fortinet.net now?
globalproductapi.fortinet.net is used for GUI icon download and not for FortiGuard updates. Ref:
https://docs.fortinet.com/document/fortigate/7.4.0/fortios-ports/622145/anycast-and-unicast-services
Suraj
Hi,
Yes, I don't see traffic to globalupdate.fortinet.net anymore.
For globalproductapi.fortinet.net, I tried "set fortiguard-anycast disable" under system fortiguard.
Now the remaining traffic is to msgctrl1.fortinet.com. What is that for, and how do I disable it?
All cloud communication can be disabled with the following CLI command:
config system global
    set cloud-communication disable
end
Suraj
Hi,
After disabling all cloud communication, there is now traffic to update.fortiguard.net and productapi.fortinet.com.
Can you verify that "set include-default-servers disable" is still in place?
Suraj
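The settings recommended over the course of this thread (a server-list entry that sends both update and rating to the FortiManager, "set include-default-servers disable" under central-management, "set fortiguard-anycast disable" under system fortiguard, and "set cloud-communication disable" under system global) are easy to lose track of when checking several boxes, and the last reply is exactly that kind of "is it still in place?" question. The script below is an added example, not code from this thread or from Fortinet: it parses a pasted FortiOS CLI dump (as printed by `show`, which omits settings at their default) and reports which of those settings still allow the FortiGate to reach Fortinet directly. The two config samples are constructed for the example, the parser is a minimal reading of the `config`/`edit`/`set`/`next`/`end` syntax, and the "enable" defaults it assumes for keys absent from the dump are this example's assumption.

```python
"""Audit a FortiOS CLI config dump for settings that still let a FortiGate
talk to Fortinet's public services instead of a local FortiManager FDN."""
import shlex

# Assumed defaults, used when 'show' prints nothing for a key.
# These are this example's assumptions, not values taken from the thread.
ASSUMED_DEFAULTS = {
    "include-default-servers": "enable",
    "fortiguard-anycast": "enable",
    "cloud-communication": "enable",
}


def parse_fortios(text):
    """Parse 'config ... / edit ... / set ... / next / end' syntax into nested
    dicts. Every 'set' keeps its value tokens as a list, so a multi-value
    setting such as 'set server-type update rating' stays intact."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # strips the quotes around "10.1.71.57"
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):  # open a section or a table entry
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd in ("next", "end") and len(stack) > 1:  # close it
            stack.pop()
        elif cmd == "set" and args:
            stack[-1][args[0]] = args[1:]
        elif cmd == "unset" and args:
            stack[-1].pop(args[0], None)
    return root


def value(section, key):
    """First value token of a setting, falling back to the assumed default."""
    return section.get(key, [ASSUMED_DEFAULTS.get(key)])[0]


def audit_fortiguard_egress(conf):
    """Return the settings that still permit direct FortiGuard/cloud egress."""
    findings = []
    cm = conf.get("system central-management", {})
    if value(cm, "type") != "fortimanager":
        findings.append("central-management type is not fortimanager")
    if value(cm, "include-default-servers") != "disable":
        findings.append("include-default-servers is enabled: public FortiGuard "
                        "servers remain in the server list behind the FortiManager")
    fmg = value(cm, "fmg")
    served = set()  # server-types the FortiManager address is configured for
    for entry in cm.get("server-list", {}).values():
        if value(entry, "server-address") == fmg:
            served.update(entry.get("server-type", []))
    for needed in ("update", "rating"):
        if needed not in served:
            findings.append(f"no server-list entry sends '{needed}' to FortiManager {fmg}")
    fg = conf.get("system fortiguard", {})
    if value(fg, "fortiguard-anycast") != "disable":
        findings.append("fortiguard-anycast is enabled: anycast FortiGuard endpoints are still used")
    glob = conf.get("system global", {})
    if value(glob, "cloud-communication") != "disable":
        findings.append("cloud-communication is enabled: cloud/message-control traffic is still allowed")
    return findings


# Constructed sample: the thread's starting config, as 'show' would print it.
WEAK_CONFIG = """
config system central-management
    set type fortimanager
    set fmg "10.1.71.57"
    set fmg-source-ip 10.90.32.11
    config server-list
        edit 1
            set server-type update rating
            set server-address 10.1.71.57
        next
    end
    set interface-select-method sdwan
end
"""

# Constructed sample: the same box with every setting the thread recommends.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "    set interface-select-method sdwan\n",
    "    set interface-select-method sdwan\n    set include-default-servers disable\n",
) + """
config system fortiguard
    set fortiguard-anycast disable
end
config system global
    set cloud-communication disable
end
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_fortiguard_egress(parse_fortios(cfg))
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The combined "update rating" server-type from the original post is accepted as-is, since the thread established that the two types cannot be split into separate entries with the same address; the check only cares that both types end up pointed at the FortiManager.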