Does my FortiManager need access to the internet to gain any access to features that are dynamically populated like the updated OS's?
If so please can someone let me know what services it needs to have access to so that I can poke the right holes through our FW? Any documentation that goes alongside it would be helpful for approval too.
Note that, while a proxy is configured, FortiManager uses the following URLs to access the FortiGuard Distribution Network (FDN) for the following updates:
- fds1.fortinet.com - FortiGate AV/IPS package downloads
- guard.fortinet.net - Webfilter/AntiSpam DB and AVfileQuery DB downloads
- forticlient.fortinet.com - FortiClient signature package downloads
- fgd1.fortigate.com:8888 - FortiClient Webfilter queries to FortiGuard
FortiManager needs to have access in Fortiguard for two purposes:
- For its own operation
- For the devices it manages (if you have set the FMG to act as Fortiguard server for these devices)
In either case, the FMG needs to have Internet access for ports 443, 53 and/or 8888. Port 443 is used for antivirus and IPS signature updates, and ports 53 or 8888 are used for web filtering and antispam.
It is UDP. Port 53 is selected on purpose, because it is open in almost all ISP networks. I'm copying from the FortiOS handbook:
"FortiGates contact the FortiGuard Distribution Network (FDN) for the latest list of FDN servers by sending UDP
packets with typical source ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets
have a destination port of 1027 or 1031.
If your ISP blocks UDP packets in this port range, the FortiGate cannot receive the FDN reply packets. As a result,
the FortiGate will not receive the complete FDN server list.
If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate to use higher-numbered ports, using the CLI command:
config system global
set ip-src-port-range <start port>-<end port>
…where the <start port> and <end port> are numbers ranging from 1024 to 25000."
Also, if you configure your FMG to act as FortiGuard server to your FortiGates, make sure that the port numbers match, because (copying from the FMG admin guide):
"When configuring a device to override default FDN ports and IP addresses with that of a FortiManager system,
the default port settings for the device’s update or query requests may not match the listening port of the
FortiManager system’s built-in FDS. If this is the case, the device’s requests will fail. To successfully connect
them, you must match the devices’ port settings with the FortiManager system’s built-in FDS listening ports.
For example, the default port for FortiGuard antivirus and IPS update requests is TCP 443 on FortiOS v4.0 and
higher, but the FortiManager system’s built-in FDS listens for those requests on TCP 8890. In this case, the
FortiGate unit’s update requests would fail until you configure the unit to send requests on TCP 8890."
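As an added worked example (not code from the thread or from Fortinet), the script below turns the hosts and ports quoted in the answers above into an egress allow-list you could attach to a firewall change request, and sanity-checks the three things the answers warn about: that every FDN flow is covered, that a chosen ip-src-port-range stays within the handbook's 1024-25000 limits and does not collide with a UDP range the ISP blocks, and that a managed device's update port matches the FMG built-in FDS port (TCP 8890). The pairing of guard.fortinet.net and forticlient.fortinet.com with TCP 443, and of UDP 53 with fgd1.fortigate.com, is an assumption; the thread only states the ports and hosts separately.

```python
"""Build and sanity-check the FortiManager -> FortiGuard (FDN) egress allow-list.

Constructed example for illustration; not Fortinet code. Host/port pairs are
taken from the thread where stated (fgd1.fortigate.com UDP 8888, TCP 443 for
AV/IPS, UDP 53/8888 for webfilter/antispam, FMG built-in FDS on TCP 8890);
the remaining pairings are assumptions and are marked as such.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressRule:
    dst_host: str
    proto: str      # "tcp" or "udp"
    dst_port: int
    purpose: str


# Outbound flows the FMG needs, per the answers above.
FDN_RULES: tuple[EgressRule, ...] = (
    EgressRule("fds1.fortinet.com", "tcp", 443, "FortiGate AV/IPS package downloads"),
    EgressRule("guard.fortinet.net", "tcp", 443, "Webfilter/AntiSpam DB and AVfileQuery DB downloads (port assumed)"),
    EgressRule("forticlient.fortinet.com", "tcp", 443, "FortiClient signature package downloads (port assumed)"),
    EgressRule("fgd1.fortigate.com", "udp", 8888, "FortiClient Webfilter queries to FortiGuard"),
    EgressRule("fgd1.fortigate.com", "udp", 53, "Webfilter/AntiSpam queries, alternate port (host assumed)"),
)

SRC_PORT_MIN, SRC_PORT_MAX = 1024, 25000      # handbook limits for ip-src-port-range
FMG_BUILTIN_FDS_PORT = 8890                   # TCP port the FMG built-in FDS listens on


def parse_src_port_range(cli_line: str) -> tuple[int, int]:
    """Parse 'set ip-src-port-range <start>-<end>' and enforce the 1024-25000 limits."""
    m = re.fullmatch(r"\s*set ip-src-port-range (\d+)-(\d+)\s*", cli_line)
    if not m:
        raise ValueError(f"not an ip-src-port-range line: {cli_line!r}")
    start, end = int(m.group(1)), int(m.group(2))
    if not (SRC_PORT_MIN <= start <= end <= SRC_PORT_MAX):
        raise ValueError(f"{start}-{end} is reversed or outside {SRC_PORT_MIN}-{SRC_PORT_MAX}")
    return start, end


def missing_rules(allowed: set[tuple[str, str, int]]) -> list[EgressRule]:
    """Return the FDN flows not covered by a firewall allow-list of (host, proto, port)."""
    return [r for r in FDN_RULES if (r.dst_host, r.proto, r.dst_port) not in allowed]


def reply_ports_blocked(src_range: tuple[int, int],
                        isp_blocked_udp_ranges: list[tuple[int, int]]) -> bool:
    """True if the FDN reply port range (the FMG's UDP source ports) overlaps an ISP-blocked range.

    FDN replies are addressed to the source port the unit used (the handbook's 1027/1031 example),
    so a blocked source-port range means the FDN server list never arrives.
    """
    s, e = src_range
    return any(not (e < lo or s > hi) for lo, hi in isp_blocked_udp_ranges)


def fds_port_mismatch(device_update_port: int, fmg_fds_port: int = FMG_BUILTIN_FDS_PORT) -> bool:
    """A device pointed at the FMG as its FDN must send update requests to the built-in FDS port."""
    return device_update_port != fmg_fds_port


def render_change_request(rules: tuple[EgressRule, ...] = FDN_RULES) -> str:
    """One line per required flow, suitable for pasting into a firewall change ticket."""
    return "\n".join(f"{r.proto.upper():<3} {r.dst_host}:{r.dst_port}  # {r.purpose}" for r in rules)


if __name__ == "__main__":
    print(render_change_request())
    # Constructed scenario: the ISP drops UDP 1024-1100, so the default source ports would fail.
    print("default range blocked:", reply_ports_blocked((1024, 1100), [(1024, 1100)]))
    print("moved range ok:", not reply_ports_blocked(parse_src_port_range("set ip-src-port-range 2000-3000"),
                                                     [(1024, 1100)]))
    # A FortiGate still sending AV/IPS update requests on TCP 443 to the FMG will fail.
    print("device on 443 mismatched:", fds_port_mismatch(443))
```

The allow-list covers only the FMG's own FDN access; if the FMG also serves managed devices, those devices need a separate rule towards the FMG on TCP 8890, which `fds_port_mismatch` is there to catch.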