
Solved: How do I configure FortiGate for using FortiManager as local FDS

This article describes how to use FortiManager as local FDS and the configuration needed on FortiGate.

Step 1: After enabling service access for FortiGate Updates and Web Filtering on the FortiManager interface, there is an option to Bind to IP Address.

Step 2: If Bind to IP Address is 0.0.0.0/0.0.0.0 (default value), the interface IP will be used (10.47.19.244 in the screenshot above).

Step 3: FortiManager will accept port 8890 for package updates and port 53/8888 for web filtering.

Step 4: In this case, FortiGate needs to set the update port to 8890 (default 8890) and FortiGuard port to 53/8888 (default https 443).

Package updates:

FGT # config system central-management
FGT (central-management) # config server-list
FGT (server-list) # edit 1
FGT (1) # set server-type update rating
FGT (1) # set addr-type ipv4
FGT (1) # set server-address 10.47.19.244
FGT (1) # end
FGT (central-management) # set fmg-update-port 8890
FGT (central-management) # end

Web Filtering:

FGT # config system fortiguard
FGT (fortiguard) # set fortiguard-anycast disable
FGT (fortiguard) # set protocol udp
FGT (fortiguard) # set port 8888
FGT (fortiguard) # end

Step 5: If an IP address is configured in Bind to IP Address, FortiManager will use TCP port 443.

Step 6: Note that the bind IP must be on the same subnet as the interface IP. The IP address cannot be the same for FortiGate Update and Web Filtering.

Step 7: FortiGate needs to set the update port to 443 and FortiGuard port to 443.

Package updates:

FGT # config system central-management
FGT (central-management) # config server-list
FGT (server-list) # edit 1
FGT (1) # set server-type update
FGT (1) # set addr-type ipv4
FGT (1) # set server-address 10.47.19.245
FGT (1) # next
FGT (server-list) # edit 2
FGT (2) # set server-type rating
FGT (2) # set addr-type ipv4
FGT (2) # set server-address 10.47.19.246
FGT (2) # next
FGT (server-list) # end
FGT (central-management) # set fmg-update-port 443
FGT (central-management) # end

Web Filtering:

FGT # config system fortiguard
FGT (fortiguard) # set protocol https
FGT (fortiguard) # set port 443
FGT (fortiguard) # end

Step 8: Update debug can be run on FortiGate to verify the connecting IP and port number.

FGT # diag debug app update -1 <----- Debug messages will be on for 30 minutes.
FGT # diag debug enable
FGT # execute update-now
upd_comm_connect_fds[458]-Trying FMG 10.47.19.245:443
… … … … …
upd_install_pkg[1306]-MADB001 is up-to-date
upd_install_pkg[1306]-AFDB001 is up-to-date
upd_status_save_status[130]-try to save on status file
upd_status_save_status[196]-Wrote status file
__upd_act_update[325]-Package installed successfully
upd_comm_disconnect_fds[499]-Disconnecting FMG 10.47.19.245:443
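
An added example, not from the original article or from Fortinet: a Python check of the Step 6 bind-IP rules and of the Step 8 debug output, so a FortiGate that is not pulling updates from the intended FortiManager address and port is caught. The /24 mask on the interface IP and the function names are assumptions; the debug lines are the ones shown in Step 8.

```python
import ipaddress
import re

# Debug lines copied from Step 8 of this page (the elided lines are left out).
SAMPLE_DEBUG = """\
upd_comm_connect_fds[458]-Trying FMG 10.47.19.245:443
upd_install_pkg[1306]-MADB001 is up-to-date
upd_install_pkg[1306]-AFDB001 is up-to-date
__upd_act_update[325]-Package installed successfully
upd_comm_disconnect_fds[499]-Disconnecting FMG 10.47.19.245:443
"""

# Captures the server label, IP and port of each connection attempt.
CONNECT_RE = re.compile(r"upd_comm_connect_fds\[\d+\]-Trying (\w+) ([\d.]+):(\d+)")


def check_bind_ips(interface_cidr, update_ip, rating_ip):
    """Step 6: both bind IPs sit in the interface subnet and are not identical."""
    net = ipaddress.ip_interface(interface_cidr).network
    problems = []
    for label, ip in (("update", update_ip), ("rating", rating_ip)):
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"{label} bind IP {ip} is outside {net}")
    if update_ip == rating_ip:
        problems.append("update and rating bind IPs must differ")
    return problems


def check_update_debug(text, expected_ip, expected_port):
    """Step 8: every connection attempt targets the expected FMG ip:port."""
    problems = []
    attempts = CONNECT_RE.findall(text)
    if not attempts:
        problems.append("no upd_comm_connect_fds line found")
    for kind, ip, port in attempts:
        # Any label other than FMG, or a different address or port, is flagged.
        if kind != "FMG" or ip != expected_ip or int(port) != expected_port:
            problems.append(f"unexpected update server: {kind} {ip}:{port}")
    if "Package installed successfully" not in text:
        problems.append("update did not report success")
    return problems


if __name__ == "__main__":
    # The /24 prefix length is an assumption; the page does not state the mask.
    print(check_bind_ips("10.47.19.244/24", "10.47.19.245", "10.47.19.246"))
    print(check_update_debug(SAMPLE_DEBUG, "10.47.19.245", 443))
```

An empty list from both functions means the configuration and the observed connection match what Steps 6 and 7 describe.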

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children.
