Adrien
New Contributor

[SOLVED] UTM Updates with private IP on WAN interface.

Hi all, I have difficulties in cases where the FGT's WAN port has no public IP address but a private one (having the FGT behind a Metropolitan Network, with private addressing). I have found different topics for this problem but I was not able to find the solution / best way for a FortiGate 310B in v5 build 291. Here is the topology (I can't connect to the MAN/WAN equipment): MAN <--> 310B is interconnected by static routes.

 WAN <--> MAN (10.63.32.13) <---> (10.63.32.14) WAN MY-FG310B <---> Internal Networks, DMZ....

The default route on the FortiGate unit is 0.0.0.0/0.0.0.0 dst 10.63.32.13 on the WAN port. 10.63.32.14 can't be routed/NAT-ed over the Internet; I have already asked my provider.

Using the source-ip command in the CLI: works for DNS lookup, sFlow, NTP.... using "source-ip A.B.C.D" where source-ip is one of my public IPs located on port2 "DMZ". Unfortunately I was not able to update. If I trace packets for DNS or NTP, my source IP is A.B.C.D (good) but for a forced update my source IP is 10.63.32.14. NTP example (works):
 # diagnose sniffer packet any 'host 145.238.203.14' 4
  0.634692 port1 out A.B.C.D.123 -> 145.238.203.14.123: udp 48
  0.646904 port1 in 145.238.203.14.123 -> A.B.C.D.123: udp 48
 
UPDATE example (doesn't work):
 # diagnose sniffer packet any 'host 208.91.112.68' 4
  8.432481 port1 out 10.63.32.14.7033 -> 208.91.112.68.443: syn 4151528419 
  11.431059 port1 out 10.63.32.14.7033 -> 208.91.112.68.443: syn 4151528419 
  17.431062 port1 out 10.63.32.14.7033 -> 208.91.112.68.443: syn 4151528419 
  
I can resolve but not go out:
 firewall-a # execute traceroute update.fortiguard.net
 traceroute to update.fortiguard.net (96.45.33.88), 32 hops max, 72 byte packets
  1  10.63.32.13  1.740 ms  1.705 ms  1.600 ms
  2  *
 
Normal; 10.63.32.0 is not routed over the Internet. Is there a mistake in my config? What can I do about this?

Using a radius proxy server: to forward requests from my 310B directly to update.fortiguard.net:443 via the DMZ interface (which is routed on the Internet, of course). I was not able to configure it over Apache2; I have no answers from the update.fortiguard.net server. My fault?

Using VDOM: maybe this is the only way to solve my problem? I have no FortiGate v5 for tests but if it's the only solution, via internal FGT routing, I will try. Let me know if it's the solution for me.

Using a local-in policy: I think this is not the solution; I have just read the docs and I think that it can't resolve this kind of problem.

Thanks for your suggestions; sorry for my poor English. Regards, Adrien
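Added example (not from the thread or from Fortinet): a small Python checker that reads `diagnose sniffer packet ... 4` output like the two traces above and flags WAN-outbound flows that leave with an RFC 1918 source and never get an answer, which is exactly the symptom in the update trace. The sample trace is constructed; 203.0.113.10 stands in for the public DMZ address A.B.C.D and port1 is assumed to be the WAN interface.

```python
import re
import ipaddress
# Constructed sample, modelled on the two 'diagnose sniffer packet any ... 4'
# traces in the post above; 203.0.113.10 stands in for the public DMZ address A.B.C.D.
SNIFFER_OUTPUT = """\
0.634692 port1 out 203.0.113.10.123 -> 145.238.203.14.123: udp 48
0.646904 port1 in 145.238.203.14.123 -> 203.0.113.10.123: udp 48
8.432481 port1 out 10.63.32.14.7033 -> 208.91.112.68.443: syn 4151528419
11.431059 port1 out 10.63.32.14.7033 -> 208.91.112.68.443: syn 4151528419
17.431062 port1 out 10.63.32.14.7033 -> 208.91.112.68.443: syn 4151528419
"""
# Verbosity-4 sniffer line: "<ts> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <info>"
LINE_RE = re.compile(
    r"^\s*(?P<ts>[\d.]+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<info>.*)$"
)

# Source ranges no Internet upstream will route a reply to (RFC 1918 plus CGNAT space).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def is_non_routable(addr):
    return any(ipaddress.ip_address(addr) in net for net in NON_ROUTABLE)

def analyse(text, wan_iface="port1"):
    """Group outbound WAN packets into flows, noting source type, replies and SYN retries."""
    pkts = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    # A reply to flow (src, sport, dst, dport) arrives as (dst, dport, src, sport).
    replied = {(p["dst"], p["dport"], p["src"], p["sport"]) for p in pkts if p["dir"] == "in"}
    flows = {}
    for p in pkts:
        if p["dir"] != "out" or p["iface"] != wan_iface:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        f = flows.setdefault(key, {"private_source": is_non_routable(p["src"]),
                                   "answered": key in replied, "syn_count": 0})
        if p["info"].startswith("syn"):
            f["syn_count"] += 1   # repeated SYNs with no reply is the update hang seen above
    return flows

def unroutable_flows(text, wan_iface="port1"):
    """Flows that left the WAN with a non-routable source and were never answered."""
    return [k for k, f in analyse(text, wan_iface).items()
            if f["private_source"] and not f["answered"]]

if __name__ == "__main__":
    for src, sport, dst, dport in unroutable_flows(SNIFFER_OUTPUT):
        print(f"{src}:{sport} -> {dst}:{dport}: non-routable source, never answered")
```

Any flow it reports is a service still using the WAN interface address rather than a forced source-ip, so it is a quick way to see which daemons are (and are not) covered by the source-ip settings after a change.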
ede_pfau
SuperUser

hi, and welcome to the forums. This one is difficult. I find it peculiar that the default route does not point to the internet but the MAN. How is surfing possible at all then? What I am thinking of is RPF, reverse path checking which the FGT performs. In short, all incoming traffic for which there is no route is discarded silently. Unfortunately, there is only 1 default route per system or VDOM. So a second VDOM combined with some routing with the aim to get the updates via the DMZ port would be a (faint) hope. But this needs more scrutinizing. In the meantime, you could open a support call with TAC to get help from them as well.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Adrien
New Contributor

Hi ede, thanks for your fast reply. In fact the MAN router routes my public /24 (issued from my 310B DMZ interface) into BGP. 10.63.32 is used only for management (Metropolitan side) and interconnections. I have a possible solution (already done for another site where I never found the solution... but today I ask the forum ;) ) which consists of dividing my /24 DMZ subnet and then giving one of my public IPs to the WAN interface. Lots of work... and it needs modification of the MAN router to change the default gateway to my FortiGate. If there are no other solutions I will do the same for this 310B, but I'm surprised that there is no other way. Regards, Adrien
emnoc
Esteemed Contributor III

 firewall-a # execute traceroute update.fortiguard.net
 traceroute to update.fortiguard.net (96.45.33.88), 32 hops max, 72 byte packets
  1  10.63.32.13  1.740 ms  1.705 ms  1.600 ms
  2  *

So how does the FGT get to the Internet if the 10net is not NAT'd by the SP? Somewhere down the line, something/somewhere is doing a source-NAT.

PCNSE 

NSE 

StrongSwan  
Adrien
New Contributor

Hi Emnoc; this is my problem, the provider doesn't NAT the 10.63.32 IP address. Is it possible to do this in the FGT "localhost": route update.fortiguard.net traffic to the DMZ gateway via a static route and then NAT 10.63.32 in a rule DMZ->WAN? I'm trying but not sure that it is possible. Thanks for your help; Regards,
emnoc
Esteemed Contributor III

So in your traceroute, your lookup worked; was that a foreign DNS server or what device handled your lookup? (Sorry for my confusion.)

PCNSE 

NSE 

StrongSwan  
Adrien
New Contributor

This is the (new) option "source-ip" that you can use in the application CLI sub-menu. If I use the source-ip directive for DNS, I can use an IP of my choice (the IP of the DMZ interface in my case) to go out. This is why I can resolve, using an internal DNS or an external one. (For example Google's 8.8.8.8 works too, because I go out with the specified source-ip.) In my understanding of the Admin book, there is no equivalent for updates. It exists for sFlow, NTP, DNS, Syslog, Analyzer (I log to an external Analyzer with success).... but not for my problem and not for "execute" commands (that is why traceroute doesn't work but lookup works). I hope that my explanation is clear. Regards; Adrien

EDIT: Here is the config for accessing Analyzer (Internet):
 config log fortianalyzer setting
     set status enable
     set server MYANALYZER
     set enc-algorithm enable
     set source-ip MY-IP-DMZ-INTERFACE
 end
 
or another example which is working, DNS:
 config system dns
     set primary 8.8.8.8
     set secondary 208.91.112.52
     set source-ip MY-IP-DMZ-INTERFACE
 end
 
firewall-a # get system source-ip status
 The following services force their communication to use
 a specific source IP address:
 
 service=NTP source-ip=MY-IP-DMZ-INTERFACE
 service=DNS source-ip=MY-IP-DMZ-INTERFACE
 service=FortiAnalyzer #1 source-ip=MY-IP-DMZ-INTERFACE
 service=Syslog #1 source-ip=MY-IP-DMZ-INTERFACE
 
EDIT 2: Here is the related documentation: FortiOS source-ip. But I don't have the example lines from the docs:
 FortiGuard Updates (AV/IPS): x.x.x.x
 FortiGuard Queries (WebFilter/SpamFilter): x.x.x.x
 
Impossible to find/activate it in my CLI. Is FortiGuard the updates that I'm looking for (I think so)? (I have no "FortiCloud", "FortiManager", just a full UTM licence (bundle).)
emnoc
Esteemed Contributor III

Okay, here's what I came up with. Under 5.2GA you can set the update-source. Now I know that doesn't help you, but I checked a few devices I have and none have that option:

 config system fortiguard
     set source-ip 0.0.0.0
 end

Then you can:

 diag debug en ; diag debug app update -1 ; execute update-now

As long as you have HTTPS outbound to the FDS services you should update;

 upd_fds.c[228] extract_fds_info-SEQ TZ IP:PORT TYPE
 upd_fds.c[302] extract_fds_info- 0 000 208.91.112.68:443 3
 upd_fds.c[302] extract_fds_info- 1 -005 208.91.112.69:443 3
 upd_fds.c[302] extract_fds_info- 2 009 208.91.112.70:443 3
 upd_fds.c[302] extract_fds_info- 3 -005 209.222.136.6:443 3
 upd_fds.c[302] extract_fds_info- 4 009 61.204.170.252:443 3
 upd_fds.c[302] extract_fds_info- 5 -008 208.91.112.71:443 3
 upd_fds.c[302] extract_fds_info- 6 000 208.91.112.72:443 3
 upd_fds.c[302] extract_fds_info- 7 -005 208.91.112.73:443 3
 upd_fds.c[302] extract_fds_info- 8 -005 208.91.112.75:443 3
 upd_fds.c[302] extract_fds_info- 9 -008 208.91.112.78:443 3
 upd_fds.c[302] extract_fds_info- 10 -008 208.91.112.79:443 3
 upd_fds.c[302] extract_fds_info- 11 009 208.91.112.80:443 3
 upd_fds.c[302] extract_fds_info- 12 009 208.91.112.81:443 3
 upd_fds.c[302] extract_fds_info- 13 009 208.91.112.82:443 3
 upd_fds.c[302] extract_fds_info- 14 009 208.91.112.83:443 3
 upd_fds.c[302] extract_fds_info- 15 -005 96.45.32.80:443 3
 upd_fds.c[302] extract_fds_info- 16 -005 96.45.32.81:443 3
 upd_fds.c[302] extract_fds_info- 17 -005 64.26.151.39:443 3
 upd_fds.c[302] extract_fds_info-

Make sure DNS is working correctly ;)

PCNSE 

NSE 

StrongSwan  
Dipen
New Contributor III

As per the CLI Reference guide of FortiOS 5.0, in the What's New section, this should be available in FortiOS 5.0.

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D

Adrien
New Contributor

Hi Dipen; I'm not able to find this information in the What's New section; FortiOS 5 or FortiOS 5.2? 5.0.7: http://docs.fortinet.com/uploaded/files/1094/fortigate-whats-new-50.pdf 5.2: http://docs.fortinet.com/uploaded/files/1912/fortigate-whats-new-52.pdf There are new options available for NetFlow, and for updates via FortiManager, which I don't use. Nothing about source-ip for UTM updates. Have I missed something? Thanks. Regards, Adrien