FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 197050

Description

The procedure for enabling push updates when the FDN (FortiGuard Distribution Network) connects to the FortiGate unit through a NAT device did not specify that push updates use the UDP protocol. For your convenience, the updated procedure is provided below.

Procedure

Enabling push updates through a NAT device

If the FDN can connect to the FortiGate unit only through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration. Using port forwarding, the FDN connects to the FortiGate unit using UDP on either port 9443 or an override push port that you specify.

Note: You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (for example, set using PPPoE or DHCP).

General procedure

Use the following steps to configure the FortiGate NAT device and the FortiGate unit on the internal network so that the internal FortiGate unit can receive push updates:

  1. Add a port forwarding virtual IP to the FortiGate NAT device.
  2. Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP.
  3. Configure the FortiGate unit on the internal network with an override push IP and port.

Note: Before completing the following procedure, you should register the internal network FortiGate unit so that it can receive push updates.

To add a port forwarding virtual IP to the FortiGate NAT device

Configure a FortiGate NAT device to use port forwarding to forward push update connections from the FDN to a FortiGate unit on the internal network.

  1. Go to Firewall > Virtual IP.
  2. Select Create New.
  3. Type a name for the virtual IP.
  4. In the External Interface section, select the external interface that the FDN connects to.
  5. In the Type section, select Port Forwarding.
  6. In the External IP Address section, type the external IP address that the FDN connects to.
  7. Type the External Service Port that the FDN connects to.
  8. In the Map to IP section, type the IP address of the FortiGate unit on the internal network.
    If the FortiGate unit is operating in NAT/Route mode, enter the IP address of the external interface.
    If the FortiGate unit is operating in Transparent mode, enter the management IP address.
  9. Set the Map to Port to 9443.
  10. Set Protocol to UDP.
  11. Select OK.

To add a firewall policy to the FortiGate NAT device

  1. Add a new external to internal firewall policy.
  2. Configure the policy with the following settings:
    Source: External_All
    Destination: The virtual IP added above.
    Schedule: Always
    Service: ANY
    Action: Accept
    NAT: Selected
  3. Select OK.

To configure the FortiGate unit on the internal network

  1. Go to System > Maintenance > Update center.
  2. Select the Allow Push Update check box.
  3. Select the Use override push check box.
  4. Set IP to the external IP address added to the virtual IP.
  5. Set Port to the external service port added to the virtual IP.
  6. Select Apply.
    The FortiGate unit sends the override push IP address and port to the FDN. The FDN now uses this IP address and port for push updates to the FortiGate unit on the internal network.
    If the external IP address or external service port changes, add the changes to the Use override push configuration and select Apply to update the push information on the FDN.
  7. You can select Refresh to make sure that push updates work.
    Push Update changes to Available.
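The same three procedures can be entered from the CLI instead of the GUI. The following is an added example, not part of the original article: the interface names (wan1, internal), the addresses 203.0.113.10 and 10.0.0.2, and the object names are assumed placeholders that you replace with your own values. The command and attribute names are the standard FortiOS ones for virtual IPs, firewall policies and the push-update override, but check them against the CLI reference for your firmware version.

```fortios
# Added example: FortiOS CLI equivalent of the GUI procedure above.
# Interface names, object names and IP addresses are assumed placeholders.

# --- On the FortiGate NAT device ---

# Step 1: port-forwarding virtual IP. Push updates are UDP, so the protocol
# must be udp; a VIP left at the default TCP protocol never receives them.
config firewall vip
    edit "FDN_push_VIP"
        set extintf "wan1"            # external interface the FDN connects to
        set extip 203.0.113.10        # static external address of the NAT device
        set portforward enable
        set protocol udp
        set extport 9443              # external service port (or the override push port you chose)
        set mappedip "10.0.0.2"       # internal FortiGate: external interface IP in NAT/Route mode,
                                      # management IP in Transparent mode
        set mappedport 9443
    next
end

# Step 2: external-to-internal policy that references the VIP.
config firewall policy
    edit 0
        set name "FDN_push_forward"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "FDN_push_VIP"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# --- On the FortiGate unit on the internal network ---

# Step 3: allow push updates and advertise the NAT device's external IP and
# external service port to the FDN as the override push address.
config system autoupdate push-update
    set status enable
    set override enable
    set address 203.0.113.10
    set port 9443
end
```

Whenever the NAT device's external IP address or external service port changes, re-enter the push-update block on the internal unit with the new values so that the FDN is updated, exactly as step 6 above describes for the GUI. Because the VIP only forwards UDP 9443, the policy's service can be narrowed from ALL to a custom UDP/9443 service object without affecting push updates; on the internal unit, `diagnose autoupdate status` reports the push-update state so you can confirm it shows as available after the change.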
