FortiOS Handbook. FortiGuard Licensing for FortiGates with Limited or No Connectivity

FortiOS Handbook - FortiGuard Licensing for FortiGates with Limited or No Connectivity
October 10, 2014

Copyright 2014 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation: docs.fortinet.com
Knowledge Base: kb.fortinet.com
Customer Service & Support: support.fortinet.com
Training Services: training.fortinet.com
FortiGuard: fortiguard.com
Document Feedback: techdocs@fortinet.com

Table of contents

Change Log
Introduction
Configuring FortiManager with Internet connectivity as a local FDN server
Configuring FortiManager without Internet connectivity as a local FDN server
Configuring FortiGate without Internet connectivity to access a local FortiManager as FDN
Troubleshooting

Change Log

Date        Change Description
2014-10-10  Official release.

Introduction

If you purchased FortiGuard services and registered your FortiGate unit, a FortiGate connected to the Internet should automatically connect to the FortiGuard Distribution Network (FDN) to validate the license and download FDN updates. In some high security environments, however, Internet service from internal FortiGate appliances is restricted. This document describes how to configure FortiGate in these situations so that a local FortiManager appliance provides both license validation and FDN updates.

This document assumes internal FortiGate appliances have no Internet connectivity, but can access a local FortiManager physical or virtual appliance. It covers the following:

- Configuring FortiManager as a local FDN
  - With Internet connectivity (including through a Proxy Server)
  - Without Internet connectivity (also known as Closed Network Mode)
- Configuring FortiGate to access a local FortiManager as FDN
- Useful troubleshooting commands

Preliminary Steps

1. Register the FortiGate with Fortinet Support under Asset > Register/Renew. For a physical FortiGate appliance, enter the serial number. For a FortiGate virtual machine, enter the registration number. Finish the steps to complete registration.
2. For FortiGate VMs, the registration process creates a unique license file that is available under Asset > View/Manage Products. Select the correct device, and download the license file.

The following procedures summarize the steps in the FortiManager 5.2.0 Administration Guide section "Connecting the built-in FDS to the FDN".

Configuring FortiManager with Internet connectivity as a local FDN server

Follow this procedure to configure a FortiManager with Internet access as a local FDN Server:

1. From the FortiManager GUI, select System Settings > Network.
2. Check the following Service Access options on the interfaces that will serve FortiGates as the local FDN server:
   - FortiGate Updates
   - Web Filtering/Anti-Spam

3. From the FortiManager GUI, select FortiGuard > Advanced Settings.
4. Enable the types of FDN services that you want to provide through FortiManager's built-in FDS by selecting:
   - Enable AntiVirus and IPS Service
   - Enable Web Filter Service
   - Enable Email Filter Service
5. Select Apply. A green Synchronized checkmark appears when the built-in FDS is enabled and FDN package downloads have completed successfully.

Add these steps to configure FortiManager to access FDN services through a Proxy Server:

6. Expand FortiGuard AntiVirus and IPS Settings.
   a. Check Use Web Proxy.
   b. Enter the IP address and credentials for the Proxy server.
7. Expand FortiGuard Web Filter and Email Filter Settings.
   a. Check Use Web Proxy.
   b. Enter the IP address and credentials for the Proxy server.

Configuring FortiManager without Internet connectivity as a local FDN server

FortiManager must have Internet connectivity (direct or via Proxy) to automatically download FDN updates and verify licenses. However, you can manually upload FDN updates and licenses to FortiManager. Known as "Closed Network Mode", this feature allows FortiManager to provide FDN updates and validate licenses for local FortiGate appliances without Internet access.

Follow this procedure to configure FortiManager in Closed Network Mode:

1. Verify that your model of FortiManager supports Closed Network Mode. Review the Features section of the FortiManager Product Data Sheet.
2. To enable Closed Network Mode in FortiManager: from the FortiManager GUI, select FortiGuard > Advanced Settings and check Disable Communication with FortiGuard Servers. Or, from the FortiManager CLI, enable Closed Network Mode by disabling the built-in FDS's access to the public FDN:

   config fmupdate publicnetwork
       set status disable
   end

Once in Closed Network Mode, FortiManager service packages, updates, and license upgrades must be imported manually.

Follow this procedure to manually upload FortiGate license validation information to FortiManager in Closed Network Mode:

1. Create a Customer Service ticket with Fortinet Support under Assistance > Create Ticket > Customer Service > Submit Ticket.
2. Enter the Serial Number. Under Category, select CS Contact/License.
3. In the Comment field, ask for an entitlement file for the FortiGate. Provide the serial number and license number available in Asset > View/Manage Products > <Select product>. Example:

   Serial Number: FGVM010000024628
   License Number: FGVM0035444

   As with Asset Registration, for large numbers of FortiGates you can attach a spreadsheet of serial and license numbers for Customer Service. They will provide a single Entitlement File that contains validation information for all included FortiGates. All FortiGates must be registered under the same account; devices registered under different accounts cannot be combined into the same Entitlement File.
4. You will soon receive an Entitlement File from Customer Service.
5. In FortiManager, navigate to FortiGuard > Advanced Settings > Upload Options for FGT > Service License and upload the Entitlement File.

Follow this procedure to manually upload FortiGate AntiVirus/IPS Packages to FortiManager in Closed Network Mode:

1. From Fortinet Support, navigate to Download > FortiGuard Service Updates. Download the Virus Definition and Attack Definition files for the appropriate version of FortiGate and FortiOS. These files are named in the form vsigupdate*.pkg and nids*.pkg.
2. In FortiManager, navigate to FortiGuard > Advanced Settings > Upload Options for FGT > AntiVirus/IPS Packages and upload the files.

Configuring FortiGate without Internet connectivity to access a local FortiManager as FDN

By default, FortiGate connects to the public FDN to validate its license and download security feature updates, including databases and engines for AntiVirus, IPS, etc. FortiGate can be configured to use a local FortiManager for both license validation and FDN updates.

In the case of a FortiGate with no Internet access, the full configuration must be done before the license is uploaded. The moment FortiGate receives a license file (via the GUI or CLI), it immediately attempts to access the public FDN to validate the license. Until validation succeeds (there is no timeout), an administrator is unable to log in to the GUI, and some CLI commands become unavailable (including those needed to define a local FDN server). This makes it very difficult to add the necessary commands to point the FortiGate to a local FortiManager for license validation. This document describes the correct way to configure a FortiGate for local FDN access, and a workaround to fix a FortiGate that is unable to access a public license validation server.

Follow this procedure to configure a FortiGate to use a local FortiManager for FDN access. Completing these steps in a different order may cause the process to fail and leave the FortiGate unable to validate its license.

From the FortiGate CLI:

1. Configure central management settings:

   config system central-management
       config server-list
           edit 1
               set server-type update rating
               set server-address <fortimanager_ip>
           next
       end
       set include-default-servers disable
   end

2. Upload the license using TFTP (or via the GUI):

   execute restore vmlicense tftp <filename>.lic <tftp_ip>

   The FortiGate will reboot.

3. Complete the central management configuration:

   config system central-management
       set fmg <fortimanager_ip>
   end

From the FortiManager GUI:

1. Add the FortiGate under Device Manager > Devices & Groups > Unregistered Devices. Right-click on the FortiGate and choose Add.
2. Select the correct ADOM, enter proper credentials and other settings, and select OK.

Follow this procedure to fix a FortiGate that is unable to access a public FDN server:

1. Complete the sections above to ensure the FortiManager is properly configured to service local FortiGates.
2. From the FortiGate CLI, configure the FortiGate to be managed by FortiManager:

   config system central-management
       set fmg <fortimanager_ip>
   end

From the FortiManager GUI:

1. Add the FortiGate under Device Manager > Devices & Groups > Unregistered Devices. Right-click on the FortiGate and choose Add.
2. Select the correct ADOM, enter proper credentials and other settings, and select OK.
3. Configure local FDN access by selecting Device Manager > Provisioning Templates > System Templates > Default.
4. In the right-hand pane, find the FortiGuard widget (bottom of the right column by default).
   a. Check Enable FortiGuard Security Updates.
   b. Select the radio button for Retrieve updates from this FortiManager.
   c. Deselect Include Default Servers.
   d. Click New, and enter the IP address of the FortiManager.
   e. Select the radio button for Updates and Rating.
   f. Click OK, and Apply.
5. Assign the FortiGate to this template. On the menu bar of the right pane, select the Edit link next to Assign Devices.
6. Select the FortiGate in the list of Devices, and click OK.
7. Apply the template. Navigate to the FortiGate by selecting the correct ADOM and selecting Devices & Groups > Managed FortiGates.
8. Right-click on the FortiGate's name, and choose Install.
9. Select Install Device Settings (only). Then click Next.
10. Complete the wizard and choose Install.
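Whether a FortiGate will stay off the public FDN, and whether the FortiManager serving it is really in Closed Network Mode, can both be checked offline from CLI dumps before a license is loaded or a device is put on an isolated segment. The following Python script is an added example for this handbook, not Fortinet code: it parses the config/edit/set/next/end block syntax that `show system central-management` prints on FortiGate and that `show` prints for `fmupdate publicnetwork` on FortiManager, then audits the settings the two procedures above call for (a server-list entry for the local FortiManager with both the update and rating server types, include-default-servers disabled, fmg set, and publicnetwork status disabled). The sample dumps and the FortiManager address 10.0.0.5 are constructed for the example; a missing include-default-servers line is treated as enabled because that is the FortiOS default and `show` omits attributes still at their default.

```python
"""Offline audit of FortiGate / FortiManager CLI dumps for closed-network FDN.
Added example, not Fortinet code. Parses the config/edit/set/next/end block
syntax printed by `show system central-management` (FortiGate) and the `show`
output for `fmupdate publicnetwork` (FortiManager), and reports any setting
that would let a FortiGate fall back to the public FDN. The sample dumps and
the FortiManager address 10.0.0.5 are constructed for this example."""
import shlex

FMG_IP = "10.0.0.5"  # assumed local FortiManager address


def parse_fortios_config(text):
    """Parse nested config/edit blocks into {'set': {...}, 'children': {...}}.
    'set' maps attribute -> token list; 'children' maps block name -> node.
    Raises ValueError on unbalanced next/end so a truncated dump is not audited."""
    root = {"set": {}, "children": {}}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *args = shlex.split(line)
        node = stack[-1]
        if kw in ("config", "edit"):
            key = " ".join(args)
            stack.append(node["children"].setdefault(key, {"set": {}, "children": {}}))
        elif kw == "set":
            node["set"][args[0]] = args[1:]
        elif kw == "unset":
            node["set"].pop(args[0], None)
        elif kw in ("next", "end"):
            if len(stack) == 1:
                raise ValueError("unbalanced %r" % kw)
            stack.pop()
        else:
            raise ValueError("unexpected keyword %r" % kw)
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


def audit_fortigate(show_output, fmg_ip):
    """Findings for `show system central-management`; [] means every update and
    rating lookup goes to fmg_ip and the public FDN list is excluded. A missing
    include-default-servers line counts as 'enable' (the FortiOS default, which
    `show` omits)."""
    cm = parse_fortios_config(show_output)["children"].get("system central-management")
    if cm is None:
        return ["no 'config system central-management' block in output"]
    findings = []
    if cm["set"].get("include-default-servers", ["enable"]) != ["disable"]:
        findings.append("include-default-servers is not disabled: public FDN servers remain in use")
    entries = cm["children"].get("server-list", {"children": {}})["children"].values()
    local = [e for e in entries if e["set"].get("server-address") == [fmg_ip]]
    if not local:
        findings.append("no server-list entry points at %s" % fmg_ip)
    else:
        types = {t for e in local for t in e["set"].get("server-type", [])}
        for needed in ("update", "rating"):
            if needed not in types:
                findings.append("server-list entry for %s lacks server-type %s" % (fmg_ip, needed))
    if cm["set"].get("fmg") != [fmg_ip]:
        findings.append("fmg is not set to %s, so the device is not managed by the local FortiManager" % fmg_ip)
    return findings


def audit_fortimanager(show_output):
    """Findings for FortiManager `fmupdate publicnetwork`; [] means Closed Network Mode."""
    pn = parse_fortios_config(show_output)["children"].get("fmupdate publicnetwork")
    if pn is None:
        return ["no 'config fmupdate publicnetwork' block in output"]
    if pn["set"].get("status") != ["disable"]:
        return ["publicnetwork status is not 'disable': FortiManager still reaches the public FDN"]
    return []


# Constructed sample dumps, not captured from real devices.
GOOD_FGT = """config system central-management
    set fmg "10.0.0.5"
    set include-default-servers disable
    config server-list
        edit 1
            set server-type update rating
            set server-address 10.0.0.5
        next
    end
end"""
BAD_FGT = """config system central-management
    set fmg "10.0.0.5"
    config server-list
        edit 1
            set server-type update
            set server-address 10.0.0.5
        next
    end
end"""
FMG_CLOSED = """config fmupdate publicnetwork
    set status disable
end"""

if __name__ == "__main__":
    for name, result in (("good FortiGate", audit_fortigate(GOOD_FGT, FMG_IP)),
                         ("bad FortiGate", audit_fortigate(BAD_FGT, FMG_IP)),
                         ("FortiManager", audit_fortimanager(FMG_CLOSED))):
        print(name + ":", "OK" if not result else "; ".join(result))
```

Run it against the output of `show system central-management` captured over the console (not the GUI, which is unavailable while license validation is pending) before step 2 of the procedure above; the "bad" sample shows the two mistakes that most often leave a FortiGate stuck: forgetting to disable the default servers, and defining the FortiManager for updates but not for rating lookups.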

Troubleshooting

The following commands can be useful for determining the state of license validation and FDN service connectivity, and for gathering information about any connectivity failures. For additional troubleshooting commands, download the FortiOS 5.2 CLI Reference and FortiManager 5.2.0 CLI Reference.

On FortiGate:

   get system status
   get webfilter status
   get system auto-update version
   get system auto-update status

On FortiGate-VM:

   diagnose hardware sysinfo vm full
   diagnose debug vm-print-license
   diagnose hardware sysinfo vminfo

On FortiManager:

   diagnose fmupdate vm-license