Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Route only Fortiguard service traffic

Hi All, Can someone point me in the right direction for the right solution or documentation for the following: Situation: Firewall(Different brand)<<>>Proxy Server(Open Source)<<>>Fortigate(NAT) 1)The client wants to get the Fortiguard services updates through a different interface so it will bypass the Proxy and go directly to the perimeter firewall. 2)Only updates must leave the Fortigate through that specific interface port, so only port and destination for Fortiguard services must go through that interface 3)On the Perimeter Firewall will forward that traffic only to Fortiguard services from its interface and only through specific port and destination. Question: 1)Destination addresses what are those, do they differ per location basis? (Caribbean/Latin-america region) 2)The ports that will be used for sending and receiving to the Fortiguard services? If you have any other suggestions then they' re more then welcome off course ;-) Thanks for letting me post here. Wishing you all a Good Day, R
New Contributor III

I can' t think of any commands that would allow this topology, but there could be a couple of ways to do it. 1. Fortigates can be forced to make all Fortiguard comms through a Fortimanager. That would stop you from having to modify the routing table on the Fortigate. 2. I' m fairly certain the Fortiguard services use a small subset of IP' s, I' m in Australia and most of the time our units hit a couple Canadian IP' s. You could use a separate interface to connect to the external firewall and set static routes on the Fortigate. Without policies it won' t route traffic. You have complications though if you' re doing dynamic routing, eg: OSPF 3. Separate the unit into vdoms, use the Root VD for management (Fortiguard comms) and another VD for the Routing/Firewalling. That should actually help with routing in option 2. Of course the FGT may support what you want, I' ve never had much reason to investigate further. Regards, Matthew Mollenhauer
Contributor III

Hi some addtional information: If you set you region on the FGT this will be base for some UTM feature to use the specific DB. This means as example: If you set the region to GMT+2 for Switzerland for the WebFilter DB will be used the European one. The comunication port for FortiGuard is defined under " System > Config > Fortiguard" (wait some seconds if you click on this register because in the background newest information will be updated from fortiguard. If all the site is loaded go ahead). At the buttom you will find the standard config port 53 which is actually DNS and not a good way to go. This means if your ISP does IPS he will recognize that this traffic is not DNS and will block it. What I recommend is to use port 8888. This means all comunication for FortiGuard is based on DNS resolution to reach and port 8888 (if you config and use 8888). One exception: this means for push update port 9443 if you like to use. To be found under " AV & IPS Download Options" . To use a FortiManager to get the update of full UTM feature is a idea but NOT for VM which means lower versions VM-BASE etc. are not able to be used for Webfiltering etc. below tables shows a overview: Hope this addtional information helps have fun Andrea
New Contributor III

To use a FortiManager to get the update of full UTM feature is a idea but NOT for VM which means lower versions VM-BASE etc. are not able to be used for Webfiltering etc. below tables shows a overview:
While that is true, it the FMG will still proxy connectiong to FortiGuard. We have all of our units using our FMG (Base + 2x 10UG), and so far as I can see the FMG is the only device contacting Fotrtiguard. But still depending on the number of units and the budget of the OP, using a dedicated VDom for management that is connected to the network with a single port maybe a better option. Though on thinking about it, would there be any way to use a PBR to accomplish this? Regards, Matthew Mollenhauer

Good week to you both! Thanx for the many suggestions. -Fortimanager would be nice and the solution. -VDOM as well FMG is not the option for this client, but VDOM surely can be. I post my solution later this week when i' ve implemented it. So many thanx!

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors