Hello Members
Question ?
I have two internet connections, one is DSL (wan1) and one is 4G (wan2). I need to enforce that the DSL connection is always used to download all the updates from FortiGuard. How can I configure the FortiGate to enforce the DSL (wan1) interface for that?
Thanks
Hi Talha.
We need to know what fgt model and firmware version you are using. If using later firmware you may want to set up the two ISP connections in a SD-WAN interface. The following link https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/990932/redundant-internet-with-sd-wan explains how to do this on 6.0.x firmware - it gives an example of using a primary ISP link with a secondary one as "backup".
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
You may want to use an ISDB static route.
Try that and please update if it's working.
https://ibb.co/F5mMPPw
Thanks
Thanks for the reply,
I think you did not understand what my query is.
Let me explain.
Let's say I have two internet connections: one is wired and one is a device which has a 4G mobile SIM installed for my backup connection.
FortiGate chooses the best connection to update the FortiGate database.
But I want to enforce that the wired connection is always used for FortiGuard updates only, like Antivirus, IPS signatures etc.
I hope now you will help to solve this issue.
Thanks
Hi Talha Saleem
Have you tried my suggestion to you?
Thanks
What live89 suggested would work for downstream FortiGates, but probably not in your scenario since the traffic is self-originating. It appears this article somewhat addresses your issue if you're on latest code, but I would suggest bringing this up to TAC and/or your local sales team as I don't know of any elegant solution.
As already said, the SD-WAN rules do not apply to the self-originated traffic (easily at least). On the other hand, FortiGate decides which interface to use for FortiGuard servers based on source IP and routing table. So if you have a static IP for your DSL interface, it may work (haven't verified myself) - set the source IP for FortiGuard access to the DSL interface IP as shown here: https://kb.fortinet.com/kb/documentLink.do?externalID=FD43725
Hi lobstercreed
My suggestion came after we faced the same situation last month.
Our customer asked us to configure a static 0.0.0.0/0 route to his Palo Alto, so that all traffic originating behind the FortiGate and all self-originated traffic would go through his Palo Alto firewall.
His Palo blocked FortiGuard services, then the FortiGate was not able to communicate with FDN.
So for immediate assistance, we set up an ISDB static route to the previous WAN interface and that solved the issue.
So I think this is also relevant for self-originated traffic :)
Thanks
Hey Abed,
I definitely didn't read carefully enough. I hadn't ever actually seen the option for an ISDB *route*, I was only thinking of policy.
That's very cool, but wouldn't that still fail to accomplish what the OP needs because when the interface that it points to is down, it will simply fall back to the default route? In your example, if the old WAN interface went down, the traffic would go back to the Palo Alto, wouldn't it? What is needed is an ISDB policy route, I guess.
Yuri's idea sounds somewhat promising, but I'm not sure it wouldn't have the same failover flaw.
- Daniel
Good point
I know a regular static route will vanish from the routing table if the interface is down.
But ISDB static routes are never shown in the routing table.
So, I simulated that in my lab where I have two WAN interfaces, regular ISP and MPLS:
default route to regular ISP (port1)
ISDB fortiguard route to MPLS (port5)
When both WAN interfaces were UP:
6.883266 port3 in 10.100.88.12.49970 -> 96.45.33.73.443: psh 2615968575 ack 4050379698
6.883437 port5 out 10.100.65.101.49970 -> 96.45.33.73.443: ack 4050379698
FortiGuard traffic went through port5
And when port5 was DOWN:
36.913197 port3 in 10.100.88.12.48938 -> 96.45.33.88.443: rst 3365366204 ack 127384645
36.913232 port1 out 10.100.64.101.48938 -> 96.45.33.88.443: rst 3365366204 ack 127384645
FortiGuard traffic went through port1
Regarding PBR, I don't think you can create an ISDB PBR...
Thanks
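To turn the lab check above into something repeatable, here is an added Python example (not code from the thread or from Fortinet) that parses the header lines of FortiOS `diagnose sniffer packet` output, pairs each inbound packet with its NATed outbound copy by the (source port, destination IP, destination port) tuple, and reports whether FortiGuard-bound traffic left on the interface the ISDB route is supposed to select. The two captures are the ones posted above; the interface names, the destination port and the "expected egress" value are assumptions for the check, not something the thread states as a rule.

```python
import re
from collections import defaultdict

# Header line of FortiOS "diagnose sniffer packet" output (verbosity 4), as in the thread:
#   <timestamp> <interface> <in|out> <src-ip>.<src-port> -> <dst-ip>.<dst-port>: <tcp flags ...>
SNIFFER_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<direction>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

# Captures quoted from the thread: both WAN links up, then port5 (MPLS, ISDB route) down.
CAPTURE_BOTH_UP = """\
6.883266 port3 in 10.100.88.12.49970 -> 96.45.33.73.443: psh 2615968575 ack 4050379698
6.883437 port5 out 10.100.65.101.49970 -> 96.45.33.73.443: ack 4050379698
"""

CAPTURE_PORT5_DOWN = """\
36.913197 port3 in 10.100.88.12.48938 -> 96.45.33.88.443: rst 3365366204 ack 127384645
36.913232 port1 out 10.100.64.101.48938 -> 96.45.33.88.443: rst 3365366204 ack 127384645
"""


def parse_sniffer(text):
    """Return one dict per parseable header line; payload dump lines are ignored."""
    records = []
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line.strip())
        if not m:
            continue  # hex/ASCII dump lines or unrelated output
        rec = m.groupdict()
        rec["ts"] = float(rec["ts"])
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def pair_nat_flows(records):
    """Match each 'in' packet with the 'out' packet of the same flow.

    Source NAT rewrites the source IP on egress but keeps the source port,
    so (sport, dst, dport) identifies the flow on both sides of the FortiGate.
    Returns tuples (in_intf, in_src, out_intf, out_src, dst).
    """
    by_key = defaultdict(dict)
    for rec in records:
        key = (rec["sport"], rec["dst"], rec["dport"])
        by_key[key].setdefault(rec["direction"], rec)
    pairs = []
    for key, sides in by_key.items():
        if "in" in sides and "out" in sides:
            i, o = sides["in"], sides["out"]
            pairs.append((i["intf"], i["src"], o["intf"], o["src"], key[1]))
    return pairs


def egress_summary(records, dst_port=443):
    """Map destination IP -> sorted list of interfaces packets to dst_port left on."""
    seen = defaultdict(set)
    for rec in records:
        if rec["direction"] == "out" and rec["dport"] == dst_port:
            seen[rec["dst"]].add(rec["intf"])
    return {dst: sorted(intfs) for dst, intfs in seen.items()}


def verify_egress(records, expected_intf, dst_port=443):
    """Return (dst, actual_intf) for every outbound packet that did NOT use expected_intf.

    An empty list means the ISDB route steered all matching traffic as intended;
    a non-empty list is what you see once the preferred link is down and the
    traffic has fallen back to the default route.
    """
    violations = []
    for rec in records:
        if rec["direction"] == "out" and rec["dport"] == dst_port and rec["intf"] != expected_intf:
            violations.append((rec["dst"], rec["intf"]))
    return violations


if __name__ == "__main__":
    for label, text in (("both up", CAPTURE_BOTH_UP), ("port5 down", CAPTURE_PORT5_DOWN)):
        recs = parse_sniffer(text)
        print(label, egress_summary(recs), "violations:", verify_egress(recs, "port5"))
```

Run against a longer capture, the `verify_egress` result tells you at a glance whether any update traffic escaped over the fallback link, which is exactly the failover concern raised earlier in the thread; the pairing function also makes the SNAT to each WAN interface's address visible without reading the dump by hand.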