Description
This article describes how to use FortiManager as local FDS and the configuration needed on FortiGate.
Solution
1) After enabling service access for 'FortiGate Updates' and 'Web Filtering' on FortiManager interface, there is option to 'Bind to IP Address'.
2) If 'Bind to IP Address' is 0.0.0.0/0.0.0.0 (default value), the interface IP will be used (10.47.19.244 in the screenshot above).
3) FortiManager will accept port 8890 for package updates and port 53/8888 for web filtering.
4) In this case, FortiGate needs to set the update port to 8890 (default 8890) and FortiGuard port to 53/8888 (default https 443).
Package updates:
FGT # config system central-management
FGT (central-management) # config server-list
FGT (server-list) # edit 1
FGT (1) # set server-type update rating
FGT (1) # set addr-type ipv4
FGT (1) # set server-address 10.47.19.244
FGT (1) # end
FGT (central-management) # set fmg-update-port 8890
FGT (central-management) # end
Web Filtering:
FGT # config system fortiguard
FGT (fortiguard) # set fortiguard-anycast disable
FGT (fortiguard) # set protocol udp
FGT (fortiguard) # set port 8888
FGT (fortiguard) # end
5) In the event when IP address configured in 'Bind to IP Address', FortiManager will use TCP port 443.
6) Do that note that bind IP must be on the same subnet as the interface IP. The IP address cannot be the same for 'FortiGate Update'” and 'Web Filtering'.
7) FortiGate needs to set the update port to 443 and FortiGuard port to 443.
Package updates:
FGT # config system central-management
FGT (central-management) # config server-list
FGT (server-list) # edit 1
FGT (1) # set server-type update
FGT (1) # set addr-type ipv4
FGT (1) # set server-address 10.47.19.245
FGT (1) # next
FGT (server-list) # edit 2
FGT (1) # set server-type rating
FGT (1) # set addr-type ipv4
FGT (1) # set server-address 10.47.19.246
FGT (1) # next
FGT (central-management) # set fmg-update-port 443
FGT (central-management) # end
Web Filtering:
FGT # config system fortiguard
FGT (fortiguard) # set protocol https
FGT (fortiguard) # set port 443
FGT (fortiguard) # end
8) Update debug can be run on FortiGate to verify the connecting IP and port number.
FGT # diag debug app update -1 <----- Debug messages will be on for 30 minutes.
FGT # diag debug enable
FGT # execute update-now
upd_comm_connect_fds[458]-Trying FMG 10.47.19.245:443
… … … … …
upd_install_pkg[1306]-MADB001 is up-to-date
upd_install_pkg[1306]-AFDB001 is up-to-date
upd_status_save_status[130]-try to save on status file
upd_status_save_status[196]-Wrote status file
__upd_act_update[325]-Package installed successfully
upd_comm_disconnect_fds[499]-Disconnecting FMG 10.47.19.245:443
Related link:
