Support Forum
ddiez
New Contributor III

How to perform special internet access for FortiGuard services

Hi there,

 

I configured two FortiGates that are running in smaller locations. These FGTs have internet access and DHCP enabled. All of the traffic of the clients in the location network is routed straight through IPsec VPN to the bigger FortiGate in the main office. On this bigger FGT all traffic runs through policies etc. So on the small FGT there is only an allow in/out policy and a default route pointing to the S2S VPN tunnel. Inside the tunnel, 0.0.0.0/0.0.0.0 is also defined.

 

Now I wonder how I can ensure that the FGTs can make their connections to FortiGuard services, performing signature and ISDB updates etc., as well as checking for firmware at Fortinet directly from the FGT itself, without going the whole way through the tunnel towards the main office.

 

Actually, I configured at least both external internet DNS servers that are configured on both FGTs in the routing table as static routes pointing to the gateway from the provider. A static route for the ISDB service "Fortinet-FortiGuard" is also directed to the corresponding WAN gateway interface. In the policy traffic logs I cannot see any packets going through or being blocked for this FortiGuard traffic at all.

 

Is there any option for this scenario?

Regards,

Daniel

 

ddeguzman
Staff

Dear ddiez,

 

You may try referring to the required services and ports in these articles.
https://docs.fortinet.com/document/fortigate/7.2.0/fortios-ports/622145/anycast-and-unicast-services

https://docs.fortinet.com/document/fortigate/7.2.0/fortios-ports/160067/outgoing-ports

I assume the "Fortinet-FortiGuard" static route to your local gateway should be sufficient, but you can cross-check the document for further reference.

Thank you.

Regards,
Denice

jbernabe
Staff

Dear ddiez,


To verify that your FortiGate is not traversing the IPsec tunnel when reaching the FortiGuard servers, try a ping and a traceroute from your FortiGate towards the FortiGuard servers:

# execute ping service.fortiguard.net
# execute traceroute service.fortiguard.net

The FortiGuard servers must be reachable for the ping test.
For the traceroute, the hops should traverse your WAN gateway interface and not your IPsec tunnel.

If the traceroute hops are not traversing your WAN gateway interface, you may consider editing your routing table and filtering which traffic will traverse the IPsec tunnel and which will go to your WAN gateway.

You may also try using a policy route to steer your traffic towards the exit interface.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...

Regards,
Jef

hbac
Staff

Hi @ddiez,

 

So you have two default routes? One to the local WAN and one to the tunnel? If so, you can configure policy routes to route FortiGuard traffic to the WAN and anything else to the tunnel.

 

Regards,  

ddiez
New Contributor III

I already put in a static route for the ISDB "Fortinet-FortiGuard" pointing to the WAN, but this seems not to be the correct (or the only) one that is needed to get the connection working; I still have this message: "Unable to connect to FortiGuard servers" ... Maybe I have to add further Fortinet services as static routes. But it is hard to find out whether "Fortinet-FortiCloud", for example, may help with this, or even other predefined internet services.

ddeguzman

Hi ddiez,

 

Can you try disabling anycast and following the document below, to see if it helps fix the "Unable to connect to FortiGuard servers" error?
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGuard-is-not-reachable-via-Anycast-de...

 

Regards,
Denice

Yurisk
SuperUser

It may be worth splitting your FGT into 2 VDOMs: leave the current configuration as the root VDOM (it will be auto-assigned on enabling multi-VDOM mode and restarting) and then add another VDOM with an inter-VDOM link as the administrative VDOM to reach the Internet via the root VDOM. Then you will be able to set up SD-WAN on the root VDOM and have 2 default gateways, via the IPsec tunnel and via WAN, managing which traffic goes where via regular and proven SD-WAN rules.

On second thought, quite a large change for small benefit :). Did you try setting the source interface to WAN for the FortiGuard service? https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-control-change-the-FortiGate-source...

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
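Pulling the suggestions in this thread together (ddeguzman's ISDB static route and anycast toggle, hbac's routing split, Yurisk's source-interface setting), here is the configuration and the checks I would apply on the branch FortiGate. This is an added example, not configuration posted by anyone in the thread or by Fortinet: it assumes the WAN interface is named "wan1", the ISP gateway is 203.0.113.1, the IPsec tunnel interface is "to-hq", the DNS servers are 203.0.113.53 and 203.0.113.54, and that the numeric ISDB ID of "Fortinet-FortiGuard" is 1245324; adjust all of these to your unit and verify the ID in your firmware's Internet Service Database. Two points worth knowing before touching policy routes: traffic the FortiGate originates itself (FortiGuard, DNS, firmware checks) is not matched by firewall policies or policy routes, which is why it never shows up in the policy traffic log, and its exit interface is decided by the routing table plus the per-service source-interface setting below.

```fortios
# Added example (not from the original thread). Assumed names/addresses:
#   wan1 = ISP-facing interface, 203.0.113.1 = ISP gateway,
#   to-hq = IPsec tunnel interface, 1245324 = ISDB ID of Fortinet-FortiGuard.

# 1) Force the FortiGate's own FortiGuard traffic out of wan1 (Yurisk's tip).
#    Self-originated traffic ignores firewall policies and policy routes, so
#    this setting, together with a matching route on wan1, decides the egress
#    interface and the source IP of the update/rating connections.
config system fortiguard
    set interface-select-method specify
    set interface "wan1"
    # Optional (ddeguzman's second reply): if the anycast servers on tcp/443
    # cannot be reached through the ISP, fall back to unicast servers.
    # set fortiguard-anycast disable
end

# 2) Same for the DNS resolver the FortiGate itself uses, so the
#    service.fortiguard.net / update.fortiguard.net lookups do not go to HQ.
config system dns
    set primary 203.0.113.53      # assumed ISP resolver
    set secondary 203.0.113.54    # assumed ISP resolver
    set interface-select-method specify
    set interface "wan1"
end

# 3) Routes on wan1 for the destinations selected above. The ISDB route
#    covers the FortiGuard server ranges; the DNS route covers the resolvers.
#    "edit 0" lets FortiOS assign the next free route ID.
config router static
    edit 0
        set internet-service 1245324      # Fortinet-FortiGuard (verify ID)
        set gateway 203.0.113.1
        set device "wan1"
    next
    edit 0
        set dst 203.0.113.53/32
        set gateway 203.0.113.1
        set device "wan1"
    next
    edit 0
        set dst 203.0.113.54/32
        set gateway 203.0.113.1
        set device "wan1"
    next
end

# 4) Verification (jbernabe's ping/traceroute plus the FortiGuard-specific checks).
execute ping service.fortiguard.net
execute traceroute service.fortiguard.net        # first hop must be 203.0.113.1, not the tunnel
diagnose debug rating                             # server list: each entry should show a round-trip time, not a timeout
execute update-now                                # force an update attempt right now
diagnose sniffer packet any 'port 443 or port 53' 4 20
# Verbosity 4 prints the interface per packet: expect "wan1 -- ..." and no "to-hq -- ..."
```

If `diagnose debug rating` still lists the servers as unreachable after this, the remaining suspects are the ISP blocking tcp/443 to the anycast ranges (then try the anycast toggle above) or a pre-existing, more specific route that still prefers the tunnel; `get router info routing-table details <server IP>` with an address from the rating output shows which route wins.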