aishaqui
Article Id 229201
Description

This article provides steps to configure FortiGate so it can still communicate with FortiGuard servers when it has no internet access or limited internet access.

Scope

FortiOS 7.0, 7.2.

Solution

1st Method: Use FortiManager as a local FDN server for FortiGate.

Technical Tip: Configure FortiManager as a local FDN server for FortiGates

2nd Method: Update FortiGuard with a proxy server.

Operating FortiManager as an FDS in a closed network.

3rd Method: Create static routes to the FortiGuard server FQDNs.

First, check whether FortiGuard anycast is enabled or disabled. Use the following command:

config system fortiguard
    get | grep fortiguard-anycast
end

If fortiguard-anycast is DISABLED:

Create FQDN-type address objects for the FQDNs below and make sure static route configuration (allow-routing) is enabled on each of them:

update.fortiguard.net 

usupdate.fortiguard.net 

service.fortiguard.net  

securewf.fortiguard.net  

usservice.fortiguard.net  

ussecurewf.fortiguard.net 

globaldevquery.fortinet.net 

globaldevcollect.fortinet.net 

usdevquery.fortinet.net 

usdevcollect.fortinet.net

Below is one example of an FQDN-type address object:

config firewall address 

    edit "update.fortiguard.net" 

        set type fqdn 

        set allow-routing enable 

        set fqdn "update.fortiguard.net" 

    next 

end

Next, create a static route for each of these FQDNs out of the WAN interface:

config router static
    edit 0
        set gateway 10.9.15.254
        set device "wan"
        set dstaddr "update.fortiguard.net"
    next
end

If fortiguard-anycast is ENABLED:

Create FQDN-type address objects for the FQDNs below and make sure static route configuration (allow-routing) is enabled on each of them. Then create a static route for these FQDNs out of the WAN interface. To simplify the static route, these address objects can optionally be placed in one address group, and that group used as the route destination.

globalupdate.fortinet.net 

globalupdate2.fortinet.net  

usupdate.fortinet.net 

usupdate2.fortinet.net  

euupdate.fortiguard.net  

euupdate.fortinet.net 

euupdate2.fortinet.net  

fctupdate.fortinet.net 

fctusupdate.fortinet.net 

fcteuupdate.fortinet.net 

fctguard.fortinet.net 

fctusguard.fortinet.net 

fcteuguard.fortinet.net 

globalguardservice.fortinet.net 

globalguard.fortinet.net 

globalguard2.fortinet.net  

usguardservice.fortinet.net 

usguard2.fortinet.net  

euservice.fortiguard.net  

eusecurewf.fortiguard.net  

euguardservice.fortinet.net 

euguard2.fortinet.net  

globaldevquery.fortinet.net  

globaldevcollect.fortinet.net  

usdevquery.fortinet.net  

usdevcollect.fortinet.net  

globaldevquery2.fortinet.net  

globaldevcollect2.fortinet.net  

usdevquery2.fortinet.net  

usdevcollect2.fortinet.net  

eudevquery.fortinet.net  

eudevcollect.fortinet.net  

eudevquery2.fortinet.net  

eudevcollect2.fortinet.net 

qaupdate.fortinet.net 

qafctupdate.fortinet.net 

qaguard.fortinet.net 

qafctguard.fortinet.net
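A worked example of the grouped variant described above, added here and not taken from the original article: it creates FQDN address objects for three of the anycast FQDNs (the remaining entries in the list follow the same edit/next pattern), places them in an address group, and points a single static route at that group. The gateway 10.9.15.254 and the interface name wan are reused from the article's earlier example; the group name FortiGuard-FQDNs is an assumption.

```fortios
# FQDN address objects with static route configuration (allow-routing) enabled.
# Only three anycast FQDNs are shown; repeat the edit/next block for the rest of the list.
config firewall address
    edit "globalupdate.fortinet.net"
        set type fqdn
        set fqdn "globalupdate.fortinet.net"
        set allow-routing enable
    next
    edit "globalguardservice.fortinet.net"
        set type fqdn
        set fqdn "globalguardservice.fortinet.net"
        set allow-routing enable
    next
    edit "globaldevquery.fortinet.net"
        set type fqdn
        set fqdn "globaldevquery.fortinet.net"
        set allow-routing enable
    next
end

# Address group holding every FortiGuard FQDN object (group name is an assumption).
# allow-routing must also be enabled on the group before it can be a route destination.
config firewall addrgrp
    edit "FortiGuard-FQDNs"
        set member "globalupdate.fortinet.net" "globalguardservice.fortinet.net" "globaldevquery.fortinet.net"
        set allow-routing enable
    next
end

# A single static route for the whole group out of the WAN interface.
config router static
    edit 0
        set gateway 10.9.15.254
        set device "wan"
        set dstaddr "FortiGuard-FQDNs"
    next
end
```

After applying, `get router info routing-table static` should show one entry per IP address the FQDNs currently resolve to, and `execute update-now` followed by `diagnose debug rating` confirms the unit reaches the update and rating servers over the new path.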