Keep-Alive messages
The FortiGate unit sends keep-alive messages to the FortiManager every 120 seconds or 2 minutes. If the FortiManager unit does not receive 3 consecutive messages (360 seconds or 6 minutes), it considers that specific FortiGate unit to be unreachable, disabled or otherwise offline.
When that unit comes back online, it must re-establish an SSL connection with the FortiManager before management functions can continue. It will attempt to do so using the last-known IP address and serial number of the FortiManager device. The FortiManager will do the same.
The keep-alive message contains information that assists the FortiManager in managing the FortiGate unit, such as current OS version, platform, configuration checksum and versions of the unit’s AV and IPS databases.
Customizing the Keep-Alive settings
You can customize how quickly the FortiManager can detect an issue or failure of a managed FortiGate device.
Keep in mind that while shortening the interval lets the FortiManager detect a device failure more quickly, it can also generate a substantial amount of processing overhead on the FortiManager system when the unit is managing many devices.
To change the keep-alive interval (default values are listed):
get system dm
.......
fgfm-sock-timeout: 360
fgfm_keepalive_itvl: 120
.......
end
Please note the difference between the two settings shown above (dash in fgfm-sock-timeout versus underscore in fgfm_keepalive_itvl).
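As an added example (not Fortinet code), the following models the liveness rule described above: a device is treated as offline once the gap since its last keep-alive reaches fgfm-sock-timeout, so the defaults tolerate three lost messages. It also estimates the inbound keep-alive load that a shorter interval produces. The timeout semantics, the check_settings thresholds and the device serials are assumptions made for this example.

```python
from dataclasses import dataclass, field

DEFAULT_KEEPALIVE_ITVL = 120   # fgfm_keepalive_itvl default, seconds
DEFAULT_SOCK_TIMEOUT = 360     # fgfm-sock-timeout default, seconds


@dataclass
class KeepAliveMonitor:
    """Assumed model of the manager's view of managed units (not FortiManager's code)."""
    keepalive_itvl: int = DEFAULT_KEEPALIVE_ITVL
    sock_timeout: int = DEFAULT_SOCK_TIMEOUT
    last_seen: dict = field(default_factory=dict)   # serial -> last keep-alive timestamp

    def missed_messages_to_offline(self) -> int:
        # Consecutive keep-alives that can be lost before the timeout fires (3 at defaults).
        return self.sock_timeout // self.keepalive_itvl

    def record(self, serial: str, ts: int) -> None:
        self.last_seen[serial] = ts

    def status(self, serial: str, now: int) -> str:
        # Assumption: offline once the silence reaches the socket timeout.
        return "offline" if now - self.last_seen[serial] >= self.sock_timeout else "online"

    def keepalives_per_minute(self, device_count: int) -> float:
        # Inbound message rate on the manager; this is the overhead a short interval adds at scale.
        return device_count * 60 / self.keepalive_itvl


def check_settings(keepalive_itvl: int, sock_timeout: int) -> list:
    """Flag interval/timeout pairs that would mark devices offline after a single lost message."""
    warnings = []
    if sock_timeout < 2 * keepalive_itvl:
        warnings.append("timeout allows fewer than two missed keep-alives; transient loss flags devices offline")
    if sock_timeout % keepalive_itvl:
        warnings.append("timeout is not a multiple of the interval; detection does not align with message boundaries")
    return warnings


def evaluate_log(events, now, keepalive_itvl=DEFAULT_KEEPALIVE_ITVL, sock_timeout=DEFAULT_SOCK_TIMEOUT):
    """events: (timestamp, serial) keep-alive receipts. Returns serial -> status at time `now`."""
    mon = KeepAliveMonitor(keepalive_itvl, sock_timeout)
    for ts, serial in sorted(events):
        mon.record(serial, ts)
    return {serial: mon.status(serial, now) for serial in mon.last_seen}


if __name__ == "__main__":
    # Constructed sample: FGT-A keeps reporting every 120 s, FGT-B goes silent after t=0.
    sample = [(0, "FGT-A"), (0, "FGT-B"), (120, "FGT-A"), (240, "FGT-A")]
    print(evaluate_log(sample, now=360))   # {'FGT-A': 'online', 'FGT-B': 'offline'}
```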
FortiManager passive mode
After a FortiGate unit receives a keep-alive message from a FortiManager unit containing the unit’s OS version, AV and IPS database versions and configuration information, it compares that information with its local versions. If the FortiManager unit has a newer version of any of the above and the FortiGate is configured to receive automatic updates, the fgfm daemon running on the FortiGate notifies the FortiGuard daemon running on the FortiGate. The FortiGuard daemon then issues an update request to the FortiManager unit. The information sent by the FortiManager is not sent via the SSL connection on TCP port 541; FortiManager uses UDP port 9443 to send this information.
The keep-alive message is the de facto ‘push’ action for delivering update notifications. The FortiManager unit will never send updates to the FortiGate unit; the FortiGate unit instead downloads updates from the FortiManager.