Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
TomWhi
New Contributor

Internet Access for FortiManager

Hi,

 

Does my FortiManager need access to the internet to gain any access to features that are dynamically populated like the updated OS's?

 

If so please can someone let me know what services it needs to have access to so that I can poke the right holes through our FW? Any documentation that goes alongside it would be helpful for approval too. 

 

Cheers 

-------------------------------------------------

Tom Whiteley Infrastructure Engineer

------------------------------------------------- Tom Whiteley Infrastructure Engineer
1 Solution
Toshi_Esumi
Esteemed Contributor III

6 REPLIES 6
Toshi_Esumi
Esteemed Contributor III

This is probably what you're looking for.

http://help.fortinet.com/...ls-54/FortiManager.htm

TomWhi

Yup! Right at the bottom of that post. Thank you! 

 

Note that, while a proxy is configured, FortiManager uses the following URLs to access the FortiGuard Distribution Network (FDN) for the following updates:

[ul]fds1.fortinet.com - FortiGate AV/IPS package downloadsguard.fortinet.net - Webfilter/AntiSpam DB and AVfileQuery DB downloadsforticlient.fortinet.com - FortiClient signature package downloadsfgd1.fortigate.com:8888 - FortiClient Webfilter queries to FortiGuard[/ul]

-------------------------------------------------

Tom Whiteley Infrastructure Engineer

------------------------------------------------- Tom Whiteley Infrastructure Engineer
aagrafi

FortiManager needs to have access in Fortiguard for two purposes:

- For its own operation

- For the devices it manages (if you have set the FMG to act as Fortiguard server for these devices)

At either case, the FMG needs to have Internet access for ports 443, 53 and/or 8888. Port 443 is used for antivirus and IPS signatures updates and ports 53 or 8888 are used for web filtering and antispam.

TomWhi
New Contributor

Odd - port 53 isn't mentioned in that article. 

 

It also amuses me that as network specialists they don't state the protocol between tcp or udp in their article - so I've assumed tcp in these cases. 

 

@aagrafi - do you know if tcp is good enough or should I also create the 53 port (which I'm assuming DNS) as udp?

-------------------------------------------------

Tom Whiteley Infrastructure Engineer

------------------------------------------------- Tom Whiteley Infrastructure Engineer
aagrafi

It is UDP. Port 53 is selected in purpose, because it is open in almost all ISP networks. I'm copying from the FortiOS handbook:

 

"FortiGates contact the FortiGuard Distribution Network (FDN) for the latest list of FDN servers by sending UDP packets with typical source ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets have a destination port of 1027 or 1031. If your ISP blocks UDP packets in this port range, the FortiGate cannot receive the FDN reply packets. As a result, the FortiGate will not receive the complete FDN server list. If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate to use highernumbered ports, using the CLI command: config system global set ip-src-port-range <start port>-<end port> end …where the <start port> and <end port> are numbers ranging of 1024 to 25000."

 

Also, if you configure your FMG to act as FortiGuard server to your FortiGates, make sure that the ports numbers match, because (copying from the FMG admin guide):

 

"When configuring a device to override default FDN ports and IP addresses with that of a FortiManager system, the default port settings for the device’s update or query requests may not match the listening port of the FortiManager system’s built-in FDS. If this is the case, the device’s requests will fail. To successfully connect them, you must match the devices’ port settings with the FortiManager system’s built-in FDS listening ports.

 

For example, the default port for FortiGuard antivirus and IPS update requests is TCP 443 on FortiOS v4.0 and higher, but the FortiManager system’s built-in FDS listens for those requests on TCP 8890. In this case, the FortiGate unit’s update requests would fail until you configure the unit to send requests on TCP 8890."

 

Hope that helps.

TomWhi
New Contributor

Brilliant, thanks for the detailed response! I'll read through it properly and then get this setup in my rules.

-------------------------------------------------

Tom Whiteley Infrastructure Engineer

------------------------------------------------- Tom Whiteley Infrastructure Engineer
Labels
Top Kudoed Authors