Fortinet white logo
Fortinet white logo

Administration Guide

Using a proxy server to connect to the FortiGuard Distribution Network

Using a proxy server to connect to the FortiGuard Distribution Network

You can configure FortiOS to use a proxy server to connect to the FortiGuard Distribution Network (FDN).

Note

Proxy tunneling is supported only for registration, AV, and IPS updates. For FortiGate virtual machines, proxy tunneling can also be used for license validation. For web filtering or spam filtering, UDP protocol is used on ports 53 or 8888. UDP protocol traffic cannot be directed over a proxy server, even if you are using versions of FortiOS that support web filtering over port 443.

Consider the following before configuring FortiOS to use a proxy server to connect to FDN:

  • FortiOS connects to the proxy server using the HTTP CONNECT method. For information about the HTTP CONNECT method, see RFC 2616.

  • The proxy server must not inspect the HTTPS traffic used for FortiOS communication.

  • FortiOS sends to the proxy server an HTTP CONNECT request that specifies the IP address and port required for the FDN connection. Authentication information is optional for the request.

  • FortiOS or the proxy server must be configured to use DNS servers that resolve the addresses of FDN servers to support AV and IPS updates.

  • The proxy server establishes the connection to FDN and passes information between FortiOS and FDN.

Use the following syntax to configure a proxy server in the CLI:

config system autoupdate tunneling
    set address <proxy_address>
    set port <proxy_port>
    set username <username>
    set password <password>
    set status {enable | disable}
end

In the following example, a proxy server with IP address 10.1.1.1 is configured to listen on port TCP/3128 without authentication.

To configure a proxy server:
config system autoupdate tunneling
    set address 10.1.1.1
    set port 3128
    set status enable
end

Alternatively, in a closed network without direct internet connection for web filtering or spam filtering, you can use FortiManager as a local FortiGuard server. FortiManager supports allowing FortiOS to retrieve its updates and ratings through FortiManager. See Using FortiManager as a local FortiGuard server.

Using a proxy server to connect to the FortiGuard Distribution Network

Using a proxy server to connect to the FortiGuard Distribution Network

You can configure FortiOS to use a proxy server to connect to the FortiGuard Distribution Network (FDN).

Note

Proxy tunneling is supported only for registration, AV, and IPS updates. For FortiGate virtual machines, proxy tunneling can also be used for license validation. For web filtering or spam filtering, UDP protocol is used on ports 53 or 8888. UDP protocol traffic cannot be directed over a proxy server, even if you are using versions of FortiOS that support web filtering over port 443.

Consider the following before configuring FortiOS to use a proxy server to connect to FDN:

  • FortiOS connects to the proxy server using the HTTP CONNECT method. For information about the HTTP CONNECT method, see RFC 2616.

  • The proxy server must not inspect the HTTPS traffic used for FortiOS communication.

  • FortiOS sends to the proxy server an HTTP CONNECT request that specifies the IP address and port required for the FDN connection. Authentication information is optional for the request.

  • FortiOS or the proxy server must be configured to use DNS servers that resolve the addresses of FDN servers to support AV and IPS updates.

  • The proxy server establishes the connection to FDN and passes information between FortiOS and FDN.

Use the following syntax to configure a proxy server in the CLI:

config system autoupdate tunneling
    set address <proxy_address>
    set port <proxy_port>
    set username <username>
    set password <password>
    set status {enable | disable}
end

In the following example, a proxy server with IP address 10.1.1.1 is configured to listen on port TCP/3128 without authentication.

To configure a proxy server:
config system autoupdate tunneling
    set address 10.1.1.1
    set port 3128
    set status enable
end

Alternatively, in a closed network without direct internet connection for web filtering or spam filtering, you can use FortiManager as a local FortiGuard server. FortiManager supports allowing FortiOS to retrieve its updates and ratings through FortiManager. See Using FortiManager as a local FortiGuard server.