Explicit proxy communication to FortiGate Cloud and FortiGuard servers from FortiGate is enabled. A proxy server can be configured in the FortiGuard settings so that all FortiGuard connections under the
forticldd process can be established through the proxy server.
Not all FortiGuard services are supported by these proxy settings. For example, web filter service traffic to FortiGuard will not be directed to the configured proxy.
- Configure FortiGate B as a proxy server:
config firewall proxy-policy edit 1 set proxy explicit-web set dstintf "wan1" set srcaddr "all" set dstaddr "all" set service "webproxy" set action accept set schedule "always" set logtraffic all set users "guest1" next end config user local edit "guest1" set type password set passwd 123456 next end config authentication scheme edit "local-basic" set method basic set user-database "local-user-db" next end config authentication rule edit "local-basic-rule" set srcaddr "all" set ip-based disable set active-auth-method "local-basic" next end
- Configure a firewall policy on FortiGate B to allow FortiGate A to get DNS resolution:
config firewall policy edit 1 set name "dns" set uuid c55cd2fa-9486-51e9-fc0a-c17b296f9c72 set srcintf "port18" set dstintf "wan1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "DNS" set fsso disable set nat enable next end
- Configure the FortiGuard proxy settings on FortiGate A:
config system fortiguard set proxy-server-ip 10.2.2.2 set proxy-server-port 8080 set proxy-username "guest1" set proxy-password 123456 end
- On FortiGate A, log in to FortiGate Cloud to activate the logging service:
execute fortiguard-log login <username> <password>
- On FortiGate A, view the
forticldddebug message to see the connection to the log controller through the proxy server:
#  fds_on_sys_fds_change: trace  fds_queue_task: req-111 is added to log-controller  fds_https_start_server: server: 172.16.95.168:443  ssl_new: SSL object is created  https_create: proxy server 10.2.2.2 port:8080  fds_queue_task: req-101 is added to message-controller  fds_https_start_server: server: 172.16.95.187:443  ssl_new: SSL object is created  https_create: proxy server 10.2.2.2 port:8080  fds_on_log_setting_change: trace  fds_https_connect: https_connect(172.16.95.168) is established.  fds_svr_default_on_established: log-controller has connected to ip=172.16.95.168
diagnose test application forticldd 1 System=FGT Platform=FG201E Management vdom: vdom1, id=1, ha=master. firstname.lastname@example.org acct_st=OK FortiGuard log: status=enabled, full=overwrite, ssl_opt=1, source-ip=0.0.0.0 Centra Management: type=FGD, flags=000000bf. active-tasks=0