
How to configure FortiGuard server IP list for FortiManager/FortiAnalyzer

This article describes how to configure the upstream FortiGate to allow connections from FortiManager and FortiAnalyzer to the public FortiGuard servers.

Scope

FortiManager, FortiAnalyzer.

Solution

FortiManager and FortiAnalyzer do not have any region-specific servers for Europe. The FQDNs used for the unicast FortiGuard servers are listed below:

fds1.fortinet.com -> AntiVirus/IPS service
guard.fortinet.net -> Web-Filtering/AntiSpam service
fqsvr.fortinet.com -> File query and GEO IP service
forticlient.fortinet.net -> FortiClient updates

These FQDNs do not resolve to every server in the FortiGuard Distribution Network (FDN). FortiManager/FortiAnalyzer therefore first connect to FortiGuard and download a list of server IP addresses, then connect to the servers on that list. Because the list is dynamic, the FortiGate policy that allows traffic from FortiManager/FortiAnalyzer to FortiGuard must contain these addresses as destinations and must be updated manually whenever the list changes.

Step 1: Run the following commands on FortiManager/FortiAnalyzer to get the current IP lists (fds is the AntiVirus/IPS server list, fgd the Web-Filtering/AntiSpam server list):

diag fmupdate view-serverlist fds

diag fmupdate view-serverlist fgd

Step 2: On the FortiGate, create a firewall policy with the Source Address set to the FortiManager/FortiAnalyzer address object(s), the Service set to HTTPS (TCP port 443), and the Destination Address set to the FortiGuard IP addresses obtained in step 1. Re-run step 1 periodically and update the destination addresses whenever the list changes, otherwise updates will start failing silently when FortiGuard rotates servers. For the general FortiGate procedure, see the Firewall policy documentation.

Example: [screenshot of the resulting FortiGate firewall policy, with FortiManager/FortiAnalyzer as source and the FortiGuard IP addresses as destination]

Note:

  • FortiManager and FortiAnalyzer use TCP port 443 to communicate with the FortiGuard servers. Make sure this port is open for communication.
  • Instead of maintaining a static list of IP addresses, the FortiGate policy can use the Internet Service Database (ISDB) entry for FortiGuard as the destination: navigate to Firewall policy > Destination > Internet Service and select 'Fortinet-FortiGuard'. The ISDB is kept current by FortiGuard updates, so the destination addresses do not need to be updated by hand.
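The following script is an added example for the two steps above and is not Fortinet code. It takes the text pasted from `diag fmupdate view-serverlist fds` and `fgd`, pulls out every valid IPv4 address (so it does not depend on the exact layout of the command output), de-duplicates them, and renders the FortiGate CLI for the address objects, an address group and the TCP/443 policy from step 2. It also renders the ISDB-based alternative from the note above and reports what changed between two runs of step 1. The server-list text, the interface names `port1`/`wan1`, the address objects `FortiManager`/`FortiAnalyzer`, the object names and the FortiOS 6.2+ `internet-service-name` syntax are all assumptions; the sample addresses are RFC 5737 documentation addresses, not real FortiGuard servers.

```python
"""Render FortiGate policy objects from FortiManager/FortiAnalyzer FortiGuard server lists.

Added example for the procedure above; not Fortinet code. It does not rely on the
exact layout printed by `diag fmupdate view-serverlist fds|fgd`: every IPv4 address
in the pasted output is collected, validated and de-duplicated, then rendered as
FortiGate address objects, an address group and a policy. Interface and address
object names below are assumptions; adjust them to the site.
"""
from __future__ import annotations

import ipaddress
import re

# CONSTRUCTED sample standing in for the pasted output of both commands.
# The real commands print a different layout and real FortiGuard addresses;
# RFC 5737 documentation addresses are used here, with one duplicate on purpose.
SAMPLE_SERVERLIST = """\
fds server list (constructed sample)
  203.0.113.10:443   weight 0
  203.0.113.11:443   weight 10
fgd server list (constructed sample)
  198.51.100.20:443  weight 0
  203.0.113.10:443   weight 0
Last update: 2024-01-01 00:00:00
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Assumed names of objects/interfaces that already exist on the FortiGate.
SRCADDR = ("FortiManager", "FortiAnalyzer")
SRCINTF = "port1"   # LAN-side interface facing FortiManager/FortiAnalyzer
DSTINTF = "wan1"    # Internet-facing interface


def extract_ipv4(text: str) -> list[str]:
    """Unique, syntactically valid IPv4 addresses found in text, in first-seen order."""
    seen: dict[str, None] = {}
    for match in IPV4_RE.finditer(text):
        try:
            addr = ipaddress.IPv4Address(match.group(1))  # rejects octets > 255
        except ipaddress.AddressValueError:
            continue
        seen.setdefault(str(addr), None)
    return list(seen)


def serverlist_changes(old: list[str], new: list[str]) -> tuple[list[str], list[str]]:
    """(added, removed) between two runs of step 1; the list is dynamic, so re-check it."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


def _quoted(items) -> str:
    return " ".join(f'"{item}"' for item in items)


def render_fortigate_config(ips: list[str], group: str = "FortiGuard-Servers") -> str:
    """FortiOS CLI: one /32 address object per server, a group, and a TCP/443 policy."""
    if not ips:
        raise ValueError("no IPv4 addresses found in the server list output")
    names = [f"FortiGuard-{i}" for i in range(1, len(ips) + 1)]
    lines = ["config firewall address"]
    for name, ip in zip(names, ips):
        lines += [f'    edit "{name}"', f"        set subnet {ip} 255.255.255.255", "    next"]
    lines += ["end", "config firewall addrgrp", f'    edit "{group}"',
              f"        set member {_quoted(names)}", "    next", "end",
              "config firewall policy", "    edit 0",  # 0 = next free policy ID
              '        set name "FMG-FAZ-to-FortiGuard"',
              f'        set srcintf "{SRCINTF}"', f'        set dstintf "{DSTINTF}"',
              f"        set srcaddr {_quoted(SRCADDR)}", f'        set dstaddr "{group}"',
              "        set action accept", '        set schedule "always"',
              '        set service "HTTPS"',  # predefined TCP/443 service
              "        set logtraffic all", "    next", "end"]
    return "\n".join(lines) + "\n"


def render_isdb_policy() -> str:
    """Alternative from the note above: destination by ISDB entry (FortiOS 6.2+ syntax
    assumed), so FortiGuard maintains the server addresses instead of the administrator.
    With internet-service enabled, dstaddr and service are not set on the policy."""
    lines = ["config firewall policy", "    edit 0",
             '        set name "FMG-FAZ-to-FortiGuard-ISDB"',
             f'        set srcintf "{SRCINTF}"', f'        set dstintf "{DSTINTF}"',
             f"        set srcaddr {_quoted(SRCADDR)}",
             "        set internet-service enable",
             '        set internet-service-name "Fortinet-FortiGuard"',
             "        set action accept", '        set schedule "always"',
             "        set logtraffic all", "    next", "end"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ips = extract_ipv4(SAMPLE_SERVERLIST)
    print(render_fortigate_config(ips))
    print(render_isdb_policy())
```

Paste the real output of both commands in place of `SAMPLE_SERVERLIST`, review the rendered CLI, and apply it on the FortiGate. Keep the previous list and feed both to `serverlist_changes()` on the next run so that only the differences need to be edited in the address group.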