FortiGate 100E – Update Through SquidProxy

Tags: fortigate, fortinet, proxy

I need to update a backend Fortinet FortiGate 100E firewall, and the only machine in the network whose IP address is authorized for internet access (from the frontend firewall) is 10.1.2.3, running SquidProxy on CentOS Linux.

I followed Fortinet's technical note on how to set up the proxy by opening the CLI and issuing:

config system autoupdate tunneling
    set address 10.1.2.3
    set port 3128
    set status enable
end

Now part of the traffic flows through the proxy, but there are still connection attempts directly from the firewall to Fortinet servers on port 443. The updates are not working. I opened every port and protocol from the firewall interface to the SquidProxy machine, and through tcpdump on the proxy I can see data flowing back and forth like this:

Internet <---> SquidProxy <---> FortiGate

but from the firewall GUI I can see that it's not communicating with the update servers. I haven't been able to redirect ALL traffic from the firewall through the proxy.

What other configurations am I missing?
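
One way to check on the proxy side which of the firewall's CONNECT requests Squid tunnels and which it refuses, as an added example that is not part of the original post. It assumes Squid's default (native) access.log format; the firewall address 10.1.2.254, the hostnames and the ports in the sample are constructed.

```python
from collections import Counter

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client result/status bytes method target user hierarchy type
# 10.1.2.254 is an assumed FortiGate address; hosts and ports are placeholders.
SAMPLE_LOG = """\
1700000000.101    812 10.1.2.254 TCP_TUNNEL/200 5320 CONNECT update.example.net:443 - HIER_DIRECT/203.0.113.10 -
1700000003.440      0 10.1.2.254 TCP_DENIED/403 3921 CONNECT update.example.net:8890 - HIER_NONE/- text/html
1700000004.002     95 10.1.2.77 TCP_MISS/200 1840 GET http://mirror.example.org/repo.xml - HIER_DIRECT/198.51.100.7 text/xml
1700000009.915      0 10.1.2.254 TCP_DENIED/403 3921 CONNECT update.example.net:8890 - HIER_NONE/- text/html
this line is truncated
"""


def summarize_connects(log_text, client_ip):
    """Count CONNECT requests from client_ip, keyed by (dest port, Squid result)."""
    summary = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        # Skip truncated or non-native lines instead of failing on them.
        if len(fields) < 7 or "/" not in fields[3]:
            continue
        client, result, method, target = fields[2], fields[3], fields[5], fields[6]
        if client != client_ip or method != "CONNECT":
            continue
        # CONNECT targets are host:port; rpartition also copes with [v6]:port.
        _host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            continue
        summary[(int(port), result)] += 1
    return summary


def denied_ports(summary):
    """Destination ports for which Squid refused at least one CONNECT."""
    return sorted({port for (port, result) in summary if result.startswith("TCP_DENIED")})


if __name__ == "__main__":
    stats = summarize_connects(SAMPLE_LOG, "10.1.2.254")
    for (port, result), count in sorted(stats.items()):
        print(f"port {port:<5} {result:<16} x{count}")
    print("refused destination ports:", denied_ports(stats))
```

A port that shows up only with TCP_DENIED points at the proxy's CONNECT access rules rather than at the firewall's tunneling settings.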

Best Answer

The easiest solution is to download the current firmware from the support webpage (https://support.fortinet.com) and import it manually via the admin web GUI. That is possible under System->Firmware.

Please be aware of the upgrade path for FortiGates: https://docs.fortinet.com/upgrade-tool

That way you don't need any internet connection.