When an urgent or critical FortiGuard antivirus or IPS signature update becomes available, the FDN can push update notifications to the FortiManager system’s built-in FDS. The FortiManager system then immediately downloads the update.
To use push update, you must enable both the built-in FDS and push updates. Push update notifications will be ignored if the FortiManager system is not configured to receive them. If TCP port 443 downloads must occur through a web proxy, you must also configure the web proxy connection. See Enabling updates through a web proxy.
If push updates must occur through a firewall or NAT device, you may also need to override the default push IP address and port.
For example, overriding the push IP address can be useful when the FortiManager system has a private IP address, and push connections to a FortiManager system must traverse NAT. Normally, when push updates are enabled, the FortiManager system sends its IP address to the FDN; this IP address is used by the FDN as the destination for push messages; however, if the FortiManager system is on a private network, this IP address may be a private IP address, which is not routable from the FDN – causing push updates to fail.
To enable push through NAT, type a push IP address override, replacing the default IP address with an IP address of your choice such as the NAT device’s external or virtual IP address. This causes the FDN to send push packets to the override IP address, rather than the FortiManager system’s private IP address. The NAT device can then forward the connection to the FortiManager system’s private IP address.
The built-in FDS may not receive push updates if the external IP address of any intermediary NAT device is dynamic (such as an IP address from PPPoE or DHCP). When the NAT device’s external IP address changes, the FortiManager system’s push IP address configuration becomes out-of-date.
To enable push updates to the FortiManager system:
- Go to FortiGuard > Settings.
- Click the arrow to expand FortiGuard Antivirus and IPS Settings; see FortiGuard antivirus and IPS settings.
- Toggle ON beside Allow Push Update.
- If there is a NAT device or firewall between the FortiManager system and the FDN which denies push packets to the FortiManager system’s IP address on UDP port 9443, type the IP Address and/or Port number on the NAT device which will forward push packets to the FortiManager system. The FortiManager system will notify the FDN to send push updates to this IP address and port number.
- IP Address is the external or virtual IP address on the NAT device for which you will configure a static NAT or port forwarding.
- Port is the external port on the NAT device for which you will configure port forwarding.
- Click Apply.
- If you performed step 4, also configure the device to direct that IP address and/or port to the FortiManager system.
- If you entered a virtual IP address, configure the virtual IP address and port forwarding, and use static NAT mapping.
- If you entered a port number, configure port forwarding; the destination port must be UDP port 9443, the FortiManager system’s listening port for updates.
To enable push through NAT in the CLI:
Enter the following commands:
config fmupdate fds-setting
set status enable
set ip <override IP that FortiGate uses to download updates from FortiManager>
set port <port that FortiManager uses to send the update announcement>