Configuring a proxy server for FortiGuard updates
You can configure FortiOS to use a proxy server to connect to the FortiGuard Distribution Network (FDN).
Proxy tunneling is supported only for registration, AV, and IPS updates. For FortiGate virtual machines, proxy tunneling can also be used for license validation. For web filtering or spam filtering, UDP protocol is used on ports 53 or 8888. UDP protocol traffic cannot be directed over a proxy server, even if you are using versions of FortiOS that support web filtering over port 443. |
Consider the following before configuring FortiOS to use a proxy server to connect to FDN:
-
FortiOS connects to the proxy server using the HTTP CONNECT method. For information about the HTTP CONNECT method, see RFC 2616.
-
The proxy server must not inspect the HTTPS traffic used for FortiOS communication.
-
FortiOS sends to the proxy server an HTTP CONNECT request that specifies the IP address and port required for the FDN connection. Authentication information is optional for the request.
-
FortiOS or the proxy server must be configured to use DNS servers that resolve the addresses of FDN servers to support AV and IPS updates.
-
The proxy server establishes the connection to FDN and passes information between FortiOS and FDN.
Use the following syntax to configure a proxy server in the CLI:
config system autoupdate tunneling set address <proxy_address> set port <proxy_port> set username <username> set password <password> set status {enable | disable} end
In the following example, a proxy server with IP address 10.1.1.1 is configured to listen on port TCP/3128 without authentication.
To configure a proxy server:
config system autoupdate tunneling set address 10.1.1.1 set port 3128 set status enable end
In a closed network without direct internet connection for web filtering or spam filtering, you can use FortiManager as a FortiGuard server. FortiManager supports proxy for both updates and rating, and FortiOS retrieves its updates and ratings through FortiManager. See Using FortiManager as a local FortiGuard server.