FortiGate
FortiKoala, Staff
Article Id 193846

Description

 

This article describes how a FortiGate performs its FortiGuard updates through a proxy server.


Solution

 

In this example a FortiGate acts as the explicit web proxy (the gateway), and its outbound firewall policy allows only DNS. The FortiGate behind it reaches the FortiGuard servers through that proxy.

 

Diagram:

 

 

Prerequisites:

- The proxy server must allow these ports: 53, 443, 8888, 8889, 8890 and 9443.

- These FQDNs must be allowed so the FortiGate can send requests to and receive updates from the FortiGuard servers:

-> service.fortiguard.net

-> update.fortiguard.net

 

Example of the gateway FortiGate that acts as the proxy server (screenshots not reproduced):

1) FortiGate menu.

2) The explicit web-proxy setting.

3) The firewall policy section for the proxy.

4) The explicit web-proxy firewall policy example.

5) The 'Internet Service Database' section, where the IP addresses currently used by FortiGuard DNS can be viewed.

6) The IP addresses used by FortiGuard DNS.

7) The 'Internet Service Database' section, where the IP addresses currently used by the FortiGuard servers can be viewed.

8) The IP addresses used by the FortiGuard servers.

9) The firewall policy section.

10) An example firewall policy that allows only DNS outbound.
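The gateway side of steps 1 to 10 in CLI form. This is an added example, not configuration taken from the article or from Fortinet; the interface names port2 (LAN side) and wan1 (Internet side), the policy IDs and the policy name are assumptions. The proxy port 8080 is the one the article's debug output shows the client tunneling to.

```fortios
# Gateway FortiGate: explicit web proxy on the LAN-facing interface (port2),
# an explicit-proxy policy towards the Internet-facing interface (wan1), and a
# plain firewall policy that lets only DNS out. Interface names are assumptions.
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
end
config system interface
    edit "port2"
        set explicit-web-proxy enable
    next
end
# Explicit-proxy policy: the updating FortiGate issues an HTTPS CONNECT to
# update.fortiguard.net:443 through this. Do not attach an SSL deep-inspection
# profile here: the update client verifies the FortiGuard server certificate
# ("Server certificate OK" in the debug), and an intercepting proxy would break that.
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
# Outbound firewall policy: DNS only, as in step 10.
config firewall policy
    edit 1
        set name "dns-only-out"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
    next
end
```

To tighten the proxy policy, replace the dstaddr "all" with address objects built from the FortiGuard server addresses shown in the Internet Service Database (steps 5 to 8); note that this list changes over time, which is why the article points at the database rather than at fixed addresses.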

Example of the FortiGate that is doing the update (screenshots not reproduced):

11) FortiGate menu.

12) The FortiGate's interface setting.

13) The FortiGate's outbound IP, which is a private IP.

14) The outbound static route entry.

15) The CLI entry for enabling proxy tunneling. This option is available in the CLI only.
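The updating FortiGate side of steps 11 to 15 in CLI form. This is an added example, not configuration from the article or from Fortinet. The proxy address 11.11.11.1:8080 is the one in the article's debug output ("Proxy tunneling enabled to 11.11.11.1:8080"); the client address 11.11.11.2 and the interface name wan1 are assumptions. The tunneling syntax matches FortiOS 5.6/6.0, the firmware family the debug output comes from.

```fortios
# Updating FortiGate: wan1 sits on the gateway's LAN, the default route points
# at the gateway, DNS goes out directly (the gateway's DNS-only policy, NATed),
# and FortiGuard HTTPS goes through the gateway's explicit proxy.
config system interface
    edit "wan1"
        set ip 11.11.11.2 255.255.255.0
        set allowaccess ping
    next
end
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 11.11.11.1
        set device "wan1"
    next
end
# Proxy tunneling for FortiGuard updates. Username and password are only needed
# when the proxy authenticates; if set, the password is stored in the
# configuration, so keep backups of this device protected accordingly.
config system autoupdate tunneling
    set status enable
    set address "11.11.11.1"
    set port 8080
end
```

On later FortiOS releases the same proxy settings for the update daemon live under config system fortiguard (proxy-server-ip, proxy-server-port, proxy-username, proxy-password); check the CLI reference for the release you are running before copying the block above.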

16) Debug output while the FortiGate initiates an update to the FortiGuard server. The line 'Proxy tunneling enabled to 11.11.11.1:8080' confirms that the tunneling setting from step 15 is in effect, and 'Server certificate OK' confirms that the FortiGuard server certificate was verified through the tunnel.

Here are the CLI commands to enable and disable the update debug while the update runs:

 

To start:

 

diagnose debug application update -1

diagnose debug enable

 

 To stop:

 

diagnose debug disable

diagnose debug application update 0

diagnose debug reset
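A complete debug run, as an added sequence that is not part of the original article: it wraps the start and stop commands above around the command that actually triggers the update, and adds a check of the tunnel settings before and of the installed database versions after. All commands are standard FortiOS CLI.

```fortios
# Run on the updating FortiGate.
# 1. Confirm the tunnel settings the update daemon will use.
show system autoupdate tunneling
# 2. Turn on update-daemon debugging, then trigger an immediate update.
diagnose debug application update -1
diagnose debug enable
execute update-now
# Expect "Proxy tunneling enabled to <proxy>:<port>" before the FDS connection
# and "UPDATE successful" at the end of the output.
# 3. Confirm the installed component versions and last-update times.
diagnose autoupdate versions
# 4. Turn debugging off again.
diagnose debug disable
diagnose debug application update 0
diagnose debug reset
```

If the output stops at 'Trying FDS ...' without the 'Proxy tunneling enabled' line, the tunneling setting is not active; if the tunneling line appears but no 'Server certificate OK' follows, check that the proxy policy on the gateway passes the CONNECT through without SSL inspection and that port 443 to the FortiGuard FQDNs is allowed.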

# do_update[369]-Starting now UPDATE (final try)
__upd_act_update[296]-Trying FDS 173.243.138.73:443 with AcceptDelta=1
tcp_connect_fds[173]-Proxy tunneling enabled to 11.11.11.1:8080
__upd_peer_vfy[305]-Server certificate OK.
__upd_peer_vfy[305]-Server certificate OK.
upd_pkg_create_update_req[585]-Update comp 0x1ffaff
upd_cfg_extract_av_db_version[308]-version=05006000AVDB00201-00056.00792-1803120015
upd_pkg_create_update_req[596]-Exclude object version 1
upd_pkg_create_update_req[596]-Exclude object version 3
upd_cfg_extract_ibdb_botnet_db_version[453]-version=05006000IBDB00101-00004.00175-1803091000
upd_cfg_extract_ids_db_version[367]-version=05006000NIDS02402-00012.00333-1803090345
..........
upd_cfg_extract_dbdb_version[685]-version=05006000DBDB00100-00001.00943-1803121102
upd_cfg_extract_ids_db_version[367]-version=05006000APDB00102-00012.00333-1803090345
upd_cfg_extract_ids_db_version[367]-version=05006000ISDB00102-00006.00741-1512010230
pack_obj[182]-Packing obj=Protocol=3.2|Command=Update|Firmware=FGT51E-FW-5.06-1547|SerialNumber=FGT51E3U15000207|UpdateMethod=0|AcceptDelta=1|DataItem=05006000AVDB00201-00056.00792-1803120015*05006000IBDB00101-00004.00175-1803091000*05006000NIDS02402-00012.00333-1803090345*00000000FCNI00000-00000.00000-0000000000*00000000FDNI00000-00000.00000-0000000000*01000000FSCI00100-00000.00000-0000000000*05006000AVEN03000-00005.00355-1712151823*05006000FLEN02700-00003.00507-1711232216*05006000CIDB00000-00001.00066-1803151249*05006000IPGE00000020121803070752*05006000FFDB00304-00004.00305-1803121022*05006000FFDB00404-00004.00305-1803121022*05006000UWDB00100-00001.00976-1803120805*05006000CRDB00000-00001.00010-1710031618*05006000MMDB00101-00056.00814-1803130120*05006000DBDB00100-00001.00943-1803121102*05006000APDB00102-00012.00333-1803090345*05006000ISDB00102-00006.00741-1512010230
get_fcpr_response[288]-Unpacked obj: Protocol=3.2|Response=300|Firmware=FPT033-FW-6.6-0089|SerialNumber=FPT-FDS-DELL0073|Server=FDSG|Persistent=false|PEER_IP=210.19.8.106|ResponseItem=05006000AVDB00201:200*05006000IBDB00101:200*05006000NIDS02402:200*00000000FCNI00000:200*00000000FDNI00000:200*05006000AVEN03000:204*05006000FLEN02700:204*05006000CIDB00000:204*05006000IPGE00000:204*05006000FFDB00304:200*05006000FFDB00404:200*05006000UWDB00100:200*05006000CRDB00000:204*05006000MMDB00101:200*05006000DBDB00100:200*05006000APDB00102:200*05006000ISDB00102:401*01000000FSCI00100:200

doInstallUpdatePackage[980]-Full obj found for AVDB002
doInstallUpdatePackage[990]-Updating obj AVDB

 

17) Debug output while the FortiGate installs the received package and extracts the refreshed list of FortiGuard (FDS) servers from it.

 

installUpdObjRest[586]-Step 3:Signal parent not to respawn
installUpdObjRest[596]-Step 4:Kill daemon(s)
installUpdObjRest[746]-Step 8:Re-initialize using new obj file
extract_fds_info[246]-SEQ  TZ   IP:PORT TYPE
extract_fds_info[318]-  0  009  173.243.138.79:443  3
extract_fds_info[318]-  1  009  173.243.138.80:443  3
extract_fds_info[318]-  2  000  96.45.33.80:443  3
extract_fds_info[318]-  3  000  96.45.33.81:443  3
extract_fds_info[318]-  4  000  96.45.33.82:443  3
extract_fds_info[318]-  5  000  96.45.33.85:443  3
extract_fds_info[318]-  6  -005  209.222.136.7:443  3
extract_fds_info[318]-  7  -005  96.45.33.89:443  3
extract_fds_info[318]-  8  000  96.45.33.90:443  3
extract_fds_info[318]-  9  009  96.45.33.91:443  3
extract_fds_info[318]- 10  -005  209.222.136.8:443  3
extract_fds_info[318]- 11  001  62.209.40.78:443  3
extract_fds_info[318]- 12  -005  65.210.95.241:443  3
extract_fds_info[318]- 13  -008  173.243.138.78:443  3
extract_fds_info[318]- 14  -005  65.210.95.242:443  3
extract_fds_info[318]- 15  -008  173.243.138.66:443  3
extract_fds_info[318]- 16  -008  173.243.138.67:443  3
extract_fds_info[318]- 17  -008  173.243.138.68:443  3
extract_fds_info[318]- 18  -005  173.243.138.69:443  3
extract_fds_info[318]- 19  -005  173.243.138.70:443  3
extract_fds_info[318]- 20  -005  173.243.138.71:443  3
extract_fds_info[318]- 21  -008  173.243.138.72:443  3
extract_fds_info[318]- 22  -008  173.243.138.73:443  3
extract_fds_info[318]- 23  -008  173.243.138.74:443  3
extract_fds_info[318]- 24  -005  173.243.138.75:443  3
extract_fds_info[318]- 25  -005  173.243.138.76:443  3
extract_fds_info[318]- 26  -005  173.243.138.77:443  3
extract_fds_info[338]-================================

extract_fds_info[339]-downloaded 27 fds list
installUpdObjRest[758]-Step 9:Delete backup /tmp/update.backup

18) Debug output for the per-component installation. The list above is the set of FortiGuard servers the FortiGate can use; different servers serve different subscription components. The response codes in the earlier 'ResponseItem' line map directly onto the results below: 200 means a new version was delivered and installed, 204 means the component is already up to date, and 401 means the component is not covered by the unit's subscription (ISDB is unauthorized here).

installUpdObjRest[746]-Step 8:Re-initialize using new obj file
installUpdObjRest[758]-Step 9:Delete backup /tmp/update.backup
waitUpdateProcess[905]-ips_update_flush pid=257 exit code 0

upd_install_pkg[1337]-AVEN is up-to-date
upd_install_pkg[1363]-AVDB installed successfully
upd_install_pkg[1363]-IBDB installed successfully
upd_install_pkg[1363]-FCNI installed successfully
upd_install_pkg[1363]-FDNI installed successfully
upd_install_pkg[1363]-FSCI installed successfully
upd_install_pkg[1337]-FLEN is up-to-date
upd_install_pkg[1363]-NIDS installed successfully
upd_install_pkg[1363]-APDB installed successfully
upd_install_pkg[1343]-ISDB is unauthorized
upd_install_pkg[1337]-CIDB is up-to-date
upd_install_pkg[1337]-IPGE is up-to-date
upd_install_pkg[1363]-FFDB installed successfully
upd_install_pkg[1363]-FFDB installed successfully
upd_install_pkg[1363]-UWDB installed successfully
upd_install_pkg[1337]-CRDB is up-to-date
upd_install_pkg[1363]-MMDB installed successfully
upd_install_pkg[1363]-DBDB installed successfully
upd_status_save_status[114]-try to save on status file
upd_status_save_status[179]-Wrote status file
__upd_act_update[353]-Package installed successfully

do_update[405]-UPDATE successful

 

19) The final line 'UPDATE successful' confirms that the update run through the proxy completed.

 

Related Article:

Technical Note: FortiGuard updates using a proxy server