FortiGate Cloud / FDN communication through an explicit proxy
FortiGate supports explicit proxy communication to FortiGate Cloud and FortiGuard servers. A proxy server can be configured in the FortiGuard settings so that all FortiGuard connections under the forticldd process are established through the proxy server.
Not all FortiGuard services are supported by these proxy settings. For example, web filter service traffic to FortiGuard will not be directed to the configured proxy.
To configure a proxy server and communicate with FortiGate Cloud through it:
- Configure FortiGate B as a proxy server:
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set users "guest1"
    next
end
config user local
    edit "guest1"
        set type password
        set passwd 123456
    next
end
config authentication scheme
    edit "local-basic"
        set method basic
        set user-database "local-user-db"
    next
end
config authentication rule
    edit "local-basic-rule"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "local-basic"
    next
end
- Configure a firewall policy on FortiGate B to allow FortiGate A to get DNS resolution:
config firewall policy
    edit 1
        set name "dns"
        set uuid c55cd2fa-9486-51e9-fc0a-c17b296f9c72
        set srcintf "port18"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set fsso disable
        set nat enable
    next
end
- Configure the FortiGuard proxy settings on FortiGate A:
config system fortiguard
    set proxy-server-ip 10.2.2.2
    set proxy-server-port 8080
    set proxy-username "guest1"
    set proxy-password 123456
end
- On FortiGate A, log in to FortiGate Cloud to activate the logging service:
execute fortiguard-log login <username> <password>
- On FortiGate A, view the forticldd debug messages to see the connection to the log controller through the proxy server:
#
[136] fds_on_sys_fds_change: trace
[40] fds_queue_task: req-111 is added to log-controller
[596] fds_https_start_server: server: 172.16.95.168:443
[654] ssl_new: SSL object is created
[117] https_create: proxy server 10.2.2.2 port:8080
[40] fds_queue_task: req-101 is added to message-controller
[596] fds_https_start_server: server: 172.16.95.187:443
[654] ssl_new: SSL object is created
[117] https_create: proxy server 10.2.2.2 port:8080
[124] fds_on_log_setting_change: trace
[528] fds_https_connect: https_connect(172.16.95.168) is established.
[265] fds_svr_default_on_established: log-controller has connected to ip=172.16.95.168
# diagnose test application forticldd 1
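As an added verification check (not part of the Fortinet documentation), the following Python script parses forticldd debug output in the format shown above and flags any FortiGuard server whose HTTPS session was not created through the expected proxy, or that never reached the established state. The function name, the regular expressions and the default expected proxy of 10.2.2.2:8080 are assumptions of this example; the sample debug text is constructed from the lines shown on this page.

```python
import re

# Constructed sample: forticldd debug lines in the format shown above.
SAMPLE_DEBUG = """\
[136] fds_on_sys_fds_change: trace
[40] fds_queue_task: req-111 is added to log-controller
[596] fds_https_start_server: server: 172.16.95.168:443
[654] ssl_new: SSL object is created
[117] https_create: proxy server 10.2.2.2 port:8080
[40] fds_queue_task: req-101 is added to message-controller
[596] fds_https_start_server: server: 172.16.95.187:443
[654] ssl_new: SSL object is created
[117] https_create: proxy server 10.2.2.2 port:8080
[124] fds_on_log_setting_change: trace
[528] fds_https_connect: https_connect(172.16.95.168) is established.
[265] fds_svr_default_on_established: log-controller has connected to ip=172.16.95.168
"""

# Patterns for the three message types the audit relies on (assumed stable).
SERVER_RE = re.compile(r"fds_https_start_server: server: (\S+):(\d+)")
PROXY_RE = re.compile(r"https_create: proxy server (\S+) port:(\d+)")
ESTABLISHED_RE = re.compile(r"https_connect\((\S+)\) is established")


def audit_forticldd(debug_text, expected_proxy=("10.2.2.2", 8080)):
    """Map each FortiGuard server to the proxy it used and whether the
    session was reported as established; flag servers that bypassed the
    expected proxy or never connected."""
    sessions, current = {}, None
    for line in debug_text.splitlines():
        if m := SERVER_RE.search(line):
            current = m.group(1)  # new HTTPS session; proxy line follows
            sessions[current] = {"proxy": None, "established": False}
        elif (m := PROXY_RE.search(line)) and current:
            sessions[current]["proxy"] = (m.group(1), int(m.group(2)))
        elif (m := ESTABLISHED_RE.search(line)) and m.group(1) in sessions:
            sessions[m.group(1)]["established"] = True
    bypassed = sorted(s for s, v in sessions.items() if v["proxy"] != expected_proxy)
    pending = sorted(s for s, v in sessions.items() if not v["established"])
    return {"sessions": sessions, "bypassed_proxy": bypassed, "not_established": pending}


if __name__ == "__main__":
    result = audit_forticldd(SAMPLE_DEBUG)
    print("bypassed proxy:", result["bypassed_proxy"])
    print("not established:", result["not_established"])
```

In the sample, the log controller (172.16.95.168) connects through 10.2.2.2:8080 while the message controller (172.16.95.187) has not yet reported an established session; a server with no https_create proxy line would be reported as having bypassed the proxy.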