Configuring devices to use the built-in FDS
After enabling and configuring the FortiManager system’s built-in FDS, you can configure devices to use the built-in FDS by providing the FortiManager system’s IP address and configured port as their override server.
Devices are not required to be registered with FortiManager system’s Device Manager to use the built-in FDS for FortiGuard updates and services.
Procedures for configuring devices to use the built-in FDS vary by device type. See the documentation for your device for more information.
If you are connecting a device to a FortiManager system’s built-in FDS, some types of updates, such as antivirus engine updates, require you to enable SSH and HTTPS Administrative Access on the network interface which will receive push updates. If the settings are disabled, see Network.
Matching port settings
When configuring a device to override default FDN ports and IP addresses with that of a FortiManager system, the default port settings for the device’s update or query requests may not match the listening port of the FortiManager system’s built-in FDS. If this is the case, the device’s requests will fail. To successfully connect them, you must match the devices’ port settings with the FortiManager system’s built-in FDS listening ports.
For example, the default port for FortiGuard antivirus and IPS update requests is TCP 443 on FortiOS v4.0 and higher, but the FortiManager system’s built-in FDS listens for those requests on TCP 8890. In this case, the FortiGate unit’s update requests would fail until you configure the unit to send requests on TCP 8890.
In some cases, the device may not be configurable; instead, you must configure the FortiManager system to listen on an alternate port.
Configuring
Handling connection attempts from unregistered devices
The built-in FDS replies to FortiGuard update and query connections from devices registered with the device manager’s device list. If the FortiManager is configured to allow connections from unregistered devices, unregistered devices can also connect.
For example, you might choose to manage a FortiGate unit’s firmware and configuration locally (from its Web-based Manager), but use the FortiManager system when the FortiGate unit requests FortiGuard antivirus and IPS updates. In this case, the FortiManager system considers the FortiGate unit to be an unregistered device, and must decide how to handle the connection attempt. The FortiManager system will handle the connection attempt based on how it is configured. Connection attempt handling is only configurable via the CLI
To configure connection attempt handling:
- Go to the CLI console widget in the System Settings For information on widget settings, see Customizing the dashboard.
- Click inside the console to connect.
- Type the following CLI command lines to allow unregistered devices to be registered: config system admin setting set allow_register enable
end
- To configure the system to add unregistered devices and allow service requests, type the following CLI command lines:
config system admin setting set unreg_dev_opt add_allow_service
end
- To configure the system to add unregistered devices but deny service requests, type the following CLI command lines:
config system admin setting set unreg_dev_opt add_no_service
end
For more information, see the FortiManagerCLI Reference.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!