Enabling push updates

Virus and attack definitions updates and registration

 

 

Enabling scheduled updates through a proxy server

If your FortiGate unit must connect to the Internet through a proxy server, you can use the set system autoupdate tunneling command to allow the FortiGate unit to connect (or tunnel) to the FDN using the proxy server. Using this command you can specify the IP address and port of the proxy server. As well, if the proxy server requires authentication, you can add the user name and password required for the proxy server to the autoupdate configuration. The full syntax for enabling updates through a proxy server is:

set system autoupdate tunneling enable [address <proxy-address_ip> [port <proxy-port> [username <username_str> [password <password_str>]]]]

For example, if the IP address of the proxy server is 64.23.6.89 and its port is 8080, enter the following command:

set system autoupdate tunneling enable address 64.23.6.89 port 8080

For more information about the set system autoupdate command, see Volume 6, FortiGate CLI Reference Guide.

The FortiGate unit connects to the proxy server using the HTTP CONNECT method, as described in RFC 2616. The FortiGate unit sends an HTTP CONNECT request to the proxy server (optionally with authentication information) specifying the IP address and port required to connect to the FDN. The proxy server establishes the connection to the FDN and passes information between the FortiGate unit and the FDN.

The CONNECT method is used mostly for tunneling SSL traffic. Some proxy servers do not allow CONNECT requests to arbitrary ports; they restrict the allowed ports to the well-known ports for HTTPS and perhaps some other similar services. Because FortiGate autoupdates use HTTPS on port 8890 to connect to the FDN, your proxy server might have to be configured to allow connections on this port.

There are no special tunneling requirements if you have configured an override server address to connect to the FDN.
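The CONNECT exchange described above, modeled from both sides as an added example (not Fortinet code): the request a client sends to the proxy, and a proxy policy that allows CONNECT only to listed ports. The FDN address 192.0.2.10, the credentials, and the Basic authentication scheme are assumptions made for illustration; the page does not name the scheme the FortiGate unit uses.

```python
import base64
import hmac

FDN_PORT = 8890  # port the page gives for FortiGate autoupdates over HTTPS


def build_connect(target_ip, target_port, username=None, password=None):
    """Return the CONNECT request bytes a client sends to the proxy."""
    authority = f"{target_ip}:{target_port}"
    lines = [f"CONNECT {authority} HTTP/1.1", f"Host: {authority}"]
    if username is not None:
        # Assumption: Basic scheme; the page does not say which one is used.
        token = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def proxy_decide(request, allowed_ports, credentials=None):
    """Model a proxy's CONNECT policy: optional auth, then a port allowlist."""
    head = request.decode("ascii").split("\r\n\r\n", 1)[0].split("\r\n")
    method, authority, _version = head[0].split(" ")
    if method != "CONNECT":
        return b"HTTP/1.1 405 Method Not Allowed\r\n\r\n"
    headers = {}
    for line in head[1:]:
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    if credentials is not None:
        expected = "Basic " + base64.b64encode(":".join(credentials).encode()).decode()
        # Constant-time comparison of the presented and expected credentials.
        if not hmac.compare_digest(headers.get("proxy-authorization", ""), expected):
            return (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                    b'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')
    if int(authority.rsplit(":", 1)[1]) not in allowed_ports:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return b"HTTP/1.1 200 Connection established\r\n\r\n"


def tunnel_status(reply):
    """Map the proxy's status code to what the operator has to fix."""
    code = int(reply.split(b" ", 2)[1])
    return {200: "tunnel open",
            403: "port not allowed by proxy",
            407: "proxy credentials missing or wrong"}.get(code, f"unexpected {code}")
```

Adding only port 8890 to the proxy's CONNECT allowlist keeps the existing restriction on all other ports in place.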

Enabling push updates

The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates. See “Registering the FortiGate unit” on page 130.

When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN. The next time a new antivirus engine, new antivirus definitions, or new attack definitions are released, the FDN notifies all FortiGate units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiGate unit requests an update from the FDN.

Note: Push updates are not supported if the FortiGate unit must use a proxy server to connect to the FDN. For more information, see “Enabling scheduled updates through a proxy server” on page 122.

122

Fortinet Inc.

Fortinet FortiGate-800 manual Enabling push updates, Enabling scheduled updates through a proxy server, 122