FortiGuard Management – FortiManager 5.2

Configuring FortiGuard services

FortiGuard Management provides a central location for configuring how the FortiManager system accesses the FDN and FDS, including push updates. The following procedures explain how to configure FortiGuard services and, if applicable, override and web proxy servers.

If you need to host a custom URL list that is rated by the FortiGate unit, you can import the list using the CLI.

Enabling push updates

When an urgent or critical FortiGuard antivirus or IPS signature update becomes available, the FDN can push update notifications to the FortiManager system’s built-in FDS. The FortiManager system then immediately downloads the update.


To use push update, you must enable both the built-in FDS and push updates. Push update notifications will be ignored if the FortiManager system is not configured to receive them. If TCP port 443 downloads must occur through a web proxy, you must also configure the web proxy connection. See Enabling updates through a web proxy.

If push updates must occur through a firewall or NAT device, you may also need to override the default push IP address and port.

For example, overriding the push IP address can be useful when the FortiManager system has a private IP address and push connections to it must traverse NAT. Normally, when push updates are enabled, the FortiManager system sends its own IP address to the FDN, and the FDN uses that address as the destination for push messages. If the FortiManager system is on a private network, however, that address may be a private IP address that is not routable from the FDN, causing push updates to fail.

To enable push through NAT, type a push IP address override, replacing the default IP address with an IP address of your choice such as the NAT device’s external or virtual IP address. This causes the FDN to send push packets to the override IP address, rather than the FortiManager system’s private IP address. The NAT device can then forward the connection to the FortiManager system’s private IP address.

The built-in FDS may not receive push updates if the external IP address of any intermediary NAT device is dynamic (such as an IP address from PPPoE or DHCP). When the NAT device’s external IP address changes, the FortiManager system’s push IP address configuration becomes out-of-date.

To enable push updates to the FortiManager system:

  1. Go to FortiGuard Management > Advanced Settings.
  2. Select the arrow to expand FortiGuard Antivirus and IPS Settings; see FortiGuard antivirus and IPS settings.
  3. Select the check box beside Allow Push Update.
  4. If there is a NAT device or firewall between the FortiManager system and the FDN which denies push packets to the FortiManager system’s IP address on UDP port 9443, type the IP Address and/or Port number on the NAT device which will forward push packets to the FortiManager system. The FortiManager system will notify the FDN to send push updates to this IP address and port number.
    • IP Address is the external or virtual IP address on the NAT device for which you will configure a static NAT or port forwarding.
    • Port is the external port on the NAT device for which you will configure port forwarding.
  5. Select Apply.
  6. If you entered an IP address and/or port override in step 4, also configure the NAT device to direct that IP address and/or port to the FortiManager system.
    • If you entered a virtual IP address, configure the virtual IP address and port forwarding, and use static NAT mapping.
    • If you entered a port number, configure port forwarding; the destination port must be UDP port 9443, the FortiManager system’s listening port for updates.
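The override and NAT-forwarding logic described in the paragraphs above and in steps 4 and 6 can be checked before touching the NAT device. The following script is an added example and is not part of the FortiManager guide or product: it applies the guide's rules (the address advertised to the FDN must be routable from the Internet, and the forward must terminate on UDP 9443 on the FortiManager system) to a constructed deployment and renders the resulting forward as an iptables DNAT rule for a hypothetical Linux NAT device. The sample addresses and the iptables rendering are assumptions; the guide does not specify the NAT device type.

```python
import ipaddress

# UDP port on which the FortiManager built-in FDS listens for FDN push
# notifications (stated in the guide).
FMG_PUSH_PORT = 9443


def validate_push_override(fmg_ip, override_ip=None, override_port=None):
    """Check push-update settings for the failure modes the guide warns about.

    Returns a list of human-readable problems; an empty list means the settings
    look consistent. The FDN sends push packets to whatever address the
    FortiManager advertises, so an address that is not routable from the
    Internet (private, loopback, link-local, documentation ranges) never
    receives them.
    """
    problems = []
    try:
        fmg = ipaddress.ip_address(fmg_ip)
    except ValueError:
        return [f"FortiManager address {fmg_ip!r} is not a valid IP address"]

    if override_ip is None:
        # No override: the FortiManager advertises its own address to the FDN.
        if not fmg.is_global:
            problems.append(
                f"FortiManager address {fmg} is not routable from the FDN; "
                "set a push IP address override to the NAT device's external IP"
            )
    else:
        try:
            ovr = ipaddress.ip_address(override_ip)
        except ValueError:
            return [f"override address {override_ip!r} is not a valid IP address"]
        if not ovr.is_global:
            problems.append(f"override address {ovr} is not routable from the FDN")
        if ovr == fmg and not fmg.is_global:
            problems.append("override address equals the private FortiManager address")

    if override_port is not None and not (1 <= int(override_port) <= 65535):
        problems.append(f"override port {override_port} is outside 1-65535")
    return problems


def nat_forward_rule(override_ip, fmg_ip, override_port=FMG_PUSH_PORT):
    """Describe the static NAT / port forward the NAT device must implement.

    The external side is what the FDN is told (override IP and port); the
    internal side is always UDP/9443 on the FortiManager's private address.
    """
    return {
        "proto": "udp",
        "external": (str(ipaddress.ip_address(override_ip)), int(override_port)),
        "internal": (str(ipaddress.ip_address(fmg_ip)), FMG_PUSH_PORT),
    }


def iptables_dnat(rule):
    """Render the forward as an iptables DNAT command.

    Assumption: the NAT device is a Linux box using iptables; the guide does
    not say what the NAT device is, so adapt this to your own device.
    """
    (ext_ip, ext_port), (int_ip, int_port) = rule["external"], rule["internal"]
    return (
        f"iptables -t nat -A PREROUTING -p {rule['proto']} -d {ext_ip} "
        f"--dport {ext_port} -j DNAT --to-destination {int_ip}:{int_port}"
    )


if __name__ == "__main__":
    # Constructed sample: FortiManager on a private LAN behind a NAT device.
    FMG_PRIVATE = "10.10.1.20"
    # Constructed public address for the NAT device's external interface.
    # (RFC 5737 documentation ranges are classed as non-global by ipaddress,
    # so a generic public address is used instead.)
    NAT_EXTERNAL = "93.184.216.34"
    for msg in validate_push_override(FMG_PRIVATE):
        print("without override:", msg)
    print("with override:", validate_push_override(FMG_PRIVATE, NAT_EXTERNAL, 9443) or "OK")
    print(iptables_dnat(nat_forward_rule(NAT_EXTERNAL, FMG_PRIVATE, 9443)))
```

The script cannot detect the dynamic-address caveat from the guide (a PPPoE or DHCP external address that changes after the override was saved); re-run the validation, or re-apply the override, whenever the NAT device's external address changes.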


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
