Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
arie_arie
New Contributor III

Created on ‎06-26-2024 01:51 AM

Disabling Initiate Traffic from FortiGate to Fortinet Global Update

Hi,

In the FortiGate, I can see there are traffics initiating from FortiGate' IP address (10.90.0.2) to IP Public which is globalupdate.fortinet.net.

I have configured the FGT so that it will use FortiManager as local FDN, but seems like the FortiGate still trying to IP Public by itself. How to disable it in FortiGate?

 

config system central-management
set type fortimanager
set fmg "10.1.71.57"
set fmg-source-ip 10.90.32.11
config server-list
edit 1
set server-type update rating
set server-address 10.1.71.57
next
end
set interface-select-method sdwan
endLog Traffic.jpg

 

Labels:
892
0 Kudos
10 REPLIES 10
ozkanaltas
Valued Contributor III

Created on ‎06-26-2024 02:01 AM

Hello @arie_arie ,

 

When I reviewed your configuration, I saw the configuration for rating and update on the same line. Can you separate these configurations like that? Maybe the problem is caused by that. 

 

config system central-management
set type fortimanager
set fmg "10.1.71.57"
set fmg-source-ip 10.90.32.11
config server-list
edit 1
set server-type rating
set server-address 10.1.71.57
next
edit 2
set server-type update
set server-address 10.1.71.57
next
end
set interface-select-method sdwan
end

 

 

Also, can you restart fds service on Fortigate?

 

diag fmupdate service-restart fds

 

You can follow that document for use FortiManager as FDN server.

 

https://community.fortinet.com/t5/FortiManager/Technical-Tip-Configure-FortiManager-as-a-local-FDN-s...

 

 

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
759
arie_arie
New Contributor III
In response to ozkanaltas

Created on ‎06-26-2024 03:21 AM

Hi,

It can't separate the rating and update using same IP address.

730
0 Kudos
srajeswaran
Staff
Staff

Created on ‎06-26-2024 02:22 AM

Can you configure "set include-default-servers disable " under central-management and check.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-setup-FortiGate-to-get-updates-from...

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
747
arie_arie
New Contributor III
In response to srajeswaran

Created on ‎06-26-2024 03:17 AM

Hi,

I tried to configure "set include-default-servers disable " but still there are traffics to fortinet.

 

WhatsApp Image 2024-06-26 at 17.12.18.jpeg

 

733
0 Kudos
srajeswaran
Staff
Staff
In response to arie_arie

Created on ‎06-26-2024 03:26 AM

This is to globalproductapi.fortinet.net, do you see traffic to globalupdate.fortinet.net now?
globalproductapi.fortinet.net is used for GUI icon download and not fortiguard updates- ref :
https://docs.fortinet.com/document/fortigate/7.4.0/fortios-ports/622145/anycast-and-unicast-services

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
722
arie_arie
New Contributor III
In response to srajeswaran

Created on ‎06-26-2024 03:38 AM

Hi,

Yes, I don't see traffic to globalupdate.fortinet.net anymore.

For globalproductapi.fortinet.net, I tried disable  "set fortiguard-anycast disable" in system fortiguard.

Now, the remaining is to this msgctrl1.fortinet.com, what does it for? And how to disable it?

 

Screenshot 2024-06-26 173533.jpg

 

717
0 Kudos
srajeswaran
Staff
Staff
In response to arie_arie

Created on ‎06-26-2024 03:48 AM

All cloud communication can be disabled with the following CLI command:

config system global
    set cloud-communication disable
end

ref: https://docs.fortinet.com/document/fortigate/6.2.0/new-features/569561/disable-all-cloud-communicati...

 

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
714
arie_arie
New Contributor III
In response to srajeswaran

Created on ‎06-26-2024 04:06 AM

Hi,

After disable all cloud communication, now there are traffic to update.fortiguard.net and productapi.fortinet.com.

Screenshot 2024-06-26 180431.jpg

 

710
0 Kudos
srajeswaran
Staff
Staff
In response to arie_arie

Created on ‎06-26-2024 04:31 AM

Can you verify " set include-default-servers disable" is still in place?

 

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
653
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.