FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
cborgato_FTNT
Article Id 197538

Description

This article explains how a FortiGate managed through a FortiManager backup ADOM can still use the public FortiGuard servers, and shows how the behavior differs between the FortiOS 5.2 GA releases.

On FortiOS v5.0, the FortiGate had to use the FortiManager for FDS updates.

On FortiOS v5.2.1 and v5.2.2 GA, the FortiGate can reach the FDN network directly, but only by manually adding the public IPs to the server-list under the central-management configuration.

Starting with FortiOS v5.2.3 GA, the FortiGate reaches the FDN network directly by default, without any server-list.


Solution

 

Both cases are explained below: FortiOS v5.2.1 and v5.2.2 GA (manual server-list configuration) and FortiOS v5.2.3/latest GA (automatic behavior).


Configuring the public FortiGuard server IPs manually in the central-management configuration on FortiOS v5.2.1 and v5.2.2 GA


1.  Connect to the FortiManager via SSH, run the following command to list the public FortiGuard IPs, and save the output:

#diagnose fmupdate fgd-serverlist
Note: the same information could be obtained in a similar way directly on the FortiGate.

2.  Connect to the FortiGate via SSH, set the backup mode and disable "include-default-servers" so that the FortiGate synchronizes its configuration to the FortiManager.

#config system central-management 
    #set mode backup
    #set type fortimanager
    #set fmg "1.2.3.4"
    #set include-default-servers disable  <-------
#end
Notes:
  • "include-default-servers disable" prevents the FortiGate from trying to synchronize its configuration to the public servers (this works around the by-design behavior of the v5.2.1 and v5.2.2 GA releases).
  • "include-default-servers disable" on v5.2 is the equivalent of "set fortimanager-fds-override enable".

3.  Manually set up some or all of the public IPs obtained in step 1 in central-management under server-list.

#config system central-management
    #config server-list
        #edit 1
            #set server-type update rating
            #set server-address 208.91.113.75
        #next
        #edit 2
            #set server-type update rating
            #set server-address 208.91.112.196
        #next
        #edit 3
            #set server-type update rating
            #set server-address 62.209.40.74
        #next
    #end
#end

4.  Convert step 3 into a FortiManager script and apply it to all the FortiGates managed by the same backup ADOM.

Configuring the public FortiGuard server IPs automatically in the central-management configuration on FortiOS v5.2.3 and latest GA


1.  Connect to the FortiGate via SSH, set the backup mode and leave "include-default-servers" enabled.

#config system central-management
    #set mode backup
    #set type fortimanager
    #set fmg "1.2.3.4"
    #set include-default-servers enable  <--------------default
#end
Note:

  • On v5.2.3 GA and later, the FortiGate is by default able to use the public IPs for FortiGuard updates and, at the same time, to synchronize its configuration to the FortiManager.
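As an added example (not part of the article or Fortinet's own tooling), the following script generates the central-management CLI for either procedure above, choosing the v5.2.1/v5.2.2 workaround (server-list plus "include-default-servers disable") or the v5.2.3+ default from the FortiOS version, and validating the FortiGuard IPs before they go into a FortiManager script. It assumes the FortiManager script is plain FortiOS CLI text and that the IPs have already been read from the "diagnose fmupdate fgd-serverlist" output.

```python
"""Build the 'config system central-management' block for a backup ADOM.

Added example, not the article's own code. It assumes the FortiManager
script body is plain FortiOS CLI lines.
"""
import ipaddress

# Constructed sample: the three public FortiGuard IPs shown in the article.
SAMPLE_FGD_IPS = ["208.91.113.75", "208.91.112.196", "62.209.40.74"]


def parse_version(version: str) -> tuple:
    """'v5.2.3' -> (5, 2, 3); tolerates a leading 'v' and a missing patch."""
    nums = tuple(int(p) for p in version.lower().lstrip("v").split("."))
    return nums + (0,) * (3 - len(nums))


def needs_manual_serverlist(version: str) -> bool:
    """True for the v5.2.1/v5.2.2 workaround, False from v5.2.3 onwards."""
    v = parse_version(version)
    if v[:2] != (5, 2):
        raise ValueError("the article covers FortiOS 5.2.x only")
    return v < (5, 2, 3)


def central_management_script(fmg_ip: str, version: str, fgd_ips=()) -> str:
    """Return the CLI lines to push to every FortiGate in the backup ADOM."""
    ipaddress.ip_address(fmg_ip)  # reject a typo before it reaches a script
    manual = needs_manual_serverlist(version)
    lines = ["config system central-management",
             "    set mode backup",
             "    set type fortimanager",
             f'    set fmg "{fmg_ip}"',
             f"    set include-default-servers {'disable' if manual else 'enable'}"]
    if manual:
        # Validate and deduplicate the IPs, keeping the order they were listed in.
        ips = list(dict.fromkeys(str(ipaddress.ip_address(ip)) for ip in fgd_ips))
        if not ips:
            raise ValueError("v5.2.1/v5.2.2 need at least one public FortiGuard IP")
        lines.append("    config server-list")
        for n, ip in enumerate(ips, 1):
            lines += [f"        edit {n}",
                      "            set server-type update rating",
                      f"            set server-address {ip}",
                      "        next"]
        lines.append("    end")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    print(central_management_script("1.2.3.4", "v5.2.2", SAMPLE_FGD_IPS))
```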

 

Related Articles

Configure FortiManager v5.0 in backup mode & Confirm Auto-Retrieve works
