Description
This article describes how to configure the Webfiltering service using a FortiManager behind a Web Proxy for internet access, and the settings required for optimal Webfiltering rating functionality.
FortiManager can act as a standalone FDS server, independently of device management. It provides the following FortiGuard services:
- FGD services -> Webfiltering + AntiSpam
- FDS services -> IPS + AntiVirus
- Service license
Packages, databases and FortiGate service licenses are downloaded from the public FDS servers.
Scope
Firmware v5.2.3, v5.2.4.
Solution
Configuration (CLI)
Step 1. Configuration of the FortiManager
1) The FortiManager needs a minimum of 10 GB of RAM for the Webfiltering service to function correctly.
2) Once the RAM is provisioned, use the CLI to increase the memory allowed for the Webfiltering service:
config fmupdate web-spam fgd-setting
set wf-cache 4000
set wf-preload enable
end
3) Using the CLI, enable the FortiManager to provide Webfiltering services:
config fmupdate service
set query-webfilter enable
end
Note that this automatically initiates the Webfiltering database download from FortiGuard, which may take a few hours.
4) Using the CLI, enable the Webfiltering service on the interface used for it (in this example "port1"):
config system interface
edit "port1"
set serviceaccess webfilter-antispam fgtupdates
next
end
The Webfiltering service will be fully operational once the complete Webfiltering database has been downloaded from FortiGuard.
5) Using the CLI, set the interval at which the Webfiltering database is polled for changes to every 20 minutes:
config fmupdate web-spam poll-frequency
set time 0:20
end
6) Enable the FortiManager to reach the FortiGuard FDS network through a Web Proxy (in this example 10.10.10.10:8080):
config fmupdate av-ips web-proxy
set ip 10.10.10.10
set port 8080
set status enable
end
config fmupdate web-spam web-proxy
set ip 10.10.10.10
set port 8080
set status enable
end
It is important to set the Web Proxy IP and port under both the av-ips and the web-spam service settings.
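To check that a FortiManager configuration dump matches the steps above (the same proxy under both av-ips and web-spam, and webfilter-antispam service access on the interface), here is an added Python example; it is not part of this article or of any Fortinet tool. The sample dump is constructed from the snippets above with a deliberate port mismatch, and the parser accepts the "conf" abbreviation as well as "config".

```python
import shlex

# Constructed sample in the CLI format shown above (deliberate port mismatch).
SAMPLE_DUMP = """\
config fmupdate av-ips web-proxy
    set ip 10.10.10.10
    set port 8080
    set status enable
end
config fmupdate web-spam web-proxy
    set ip 10.10.10.10
    set port 8081
    set status enable
end
config system interface
    edit "port1"
        set serviceaccess webfilter-antispam fgtupdates
    next
end
"""

def parse_config(text):
    # Map each block path, e.g. ('system interface', 'port1'), to its "set" values.
    settings, stack = {}, []  # stack of (kind, name); kind is "config" or "edit"
    for line in text.splitlines():
        kw, *args = shlex.split(line) or [""]  # shlex also unquotes "port1"
        if kw in ("config", "conf"):
            stack.append(("config", " ".join(args)))
        elif kw == "edit":
            stack.append(("edit", args[0]))
        elif kw == "set":
            settings.setdefault(tuple(n for _, n in stack), {})[args[0]] = args[1:]
        elif kw == "next":
            stack.pop()
        elif kw == "end":  # closes the block and any edit still open inside it
            while stack.pop()[0] != "config": pass
    return settings

def audit(settings, interface="port1"):
    # Return findings; an empty list means the dump matches the steps above.
    findings, proxy = [], {}
    for svc in ("av-ips", "web-spam"):
        block = settings.get((f"fmupdate {svc} web-proxy",), {})
        proxy[svc] = (block.get("ip"), block.get("port"))
    if proxy["av-ips"] != proxy["web-spam"]:
        findings.append("web-proxy ip/port differ between av-ips and web-spam")
    access = settings.get(("system interface", interface), {}).get("serviceaccess", [])
    if "webfilter-antispam" not in access:
        findings.append(f"{interface} lacks webfilter-antispam serviceaccess")
    return findings
```

Feed it the output of the corresponding `show` commands on the FortiManager; the same parser handles the FortiGate central-management block in Step 2.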
Step 2. Configuration of the FortiGate
On the FortiGate, define the FortiManager as the FDS server using the CLI:
config system central-management
set type fortimanager
set serial-number "fmg-serial-number"
set fmg "fmg-ip-address"
config server-list
edit 1
set server-type update rating --> enable the Webfiltering rating request
set server-address fmg-ip-address
next
end
set include-default-servers disable --> enable or disable as needed
end
Diagram
FortiGate --- FortiManager --- HTTP PROXY --- INTERNET
Verification of configuration and troubleshooting
Use this command on the FortiManager to check that communication with FDS is working:
diagnose fmupdate view-linkd-log fds
Use CTRL-C to stop the output and exit the command.
Use this command on the FortiManager to check the FortiGate license information:
diagnose fmupdate fgd-dbcontract
Use these commands on the FortiManager to restart the services:
diagnose fmupdate fds-updatenow
diagnose fmupdate fgd-updatenow
If the Webfiltering database is corrupted, it can be deleted. It will be downloaded again, but the service will be disrupted in the meantime:
diagnose fmupdate fgd-del-db wf
Before deleting the database:
- Disable the WF/AS client service on the FortiManager interface(s).
- Stop the WF/AS server service in the GUI under System Settings > FortiGuard Center.
On the FortiGate, the Webfiltering cache can be cleared and the urlfilter daemon restarted:
diagnose test application urlfilter 2 ---> Clear
diagnose test application urlfilter 99 ---> Restart