+972 (0)522-864205 Find our Address info@alternativetours-jerusalem.com

How to Configure FortiManager as an FDS for FortiClient Agents

27 October 2025  By kokomi 

In the world of network security, managing endpoint protection efficiently is paramount. Fortinet provides a powerful ecosystem of products, including FortiManager and FortiClient, to secure your network infrastructure. A key feature for optimising this ecosystem is the ability to use FortiManager as a FortiGuard Distribution Server (FDS). This configuration allows you to centralise updates for FortiClient agents, reducing internet bandwidth consumption and enhancing control over your security posture.

This guide will walk you through the process of setting up FortiManager as an FDS for your FortiClient agents, covering the benefits, prerequisites, and step-by-step instructions.

What are FortiManager and FortiClient?

FortiManager is a centralised management platform that gives you single-pane-of-glass visibility and control over your entire Fortinet security fabric. It simplifies the deployment, monitoring, and management of numerous Fortinet devices, from FortiGate firewalls to FortiAP access points.

FortiClient is Fortinet’s endpoint security solution. It provides features like antivirus, web filtering, firewall, and VPN connectivity to protect desktops, laptops, and mobile devices. When integrated with the Security Fabric, it offers advanced threat protection and visibility into endpoint activity.

Why Use FortiManager as an FDS?

Configuring FortiManager to act as an FDS offers several significant advantages:

  • Bandwidth Optimisation: Instead of each FortiClient agent independently downloading updates from public FortiGuard servers, they connect to the local FortiManager. FortiManager downloads the updates once and distributes them internally, saving a substantial amount of internet bandwidth.
  • Faster Updates: Internal distribution is typically much faster than downloading from the internet, ensuring endpoints are protected against the latest threats more quickly.
  • Enhanced Control and Reliability: You gain more control over the update process. If internet connectivity is temporarily lost, FortiClient agents can still receive updates from the local FortiManager, ensuring continuous protection.
  • Improved Security for Air-Gapped Networks: In isolated or air-gapped environments, FortiManager can be updated manually and then serve as the sole update source for all internal endpoints, maintaining security without direct internet access.

Prerequisites

Before you begin the configuration, ensure you have the following in place:

  1. A licensed and operational FortiManager appliance (physical or virtual).
  2. FortiManager must be able to connect to public FortiGuard servers to download updates. Verify that firewall policies allow this communication.
  3. FortiClient EMS (Endpoint Management Server) must be installed and configured.
  4. Network connectivity between FortiClient endpoints, FortiClient EMS, and FortiManager.
  5. Administrative access to both FortiManager and FortiClient EMS.

Step-by-Step Configuration Guide

Follow these steps to enable and configure FortiManager as your FDS.

Step 1: Enable the FDS Feature on FortiManager

By default, the FortiGuard service is not enabled on FortiManager. You need to activate it first.

  1. Log in to your FortiManager GUI.
  2. Go to System Settings > Admin > Admin Settings.
  3. Under Display Options on GUI, ensure that FortiGuard is enabled. If not, select it and click Apply.
  4. You will now see a FortiGuard pane in the main navigation tree. Navigate to it.
  5. Under Settings, locate the Service Status section.
  6. Toggle the switch to enable FortiGuard Management Service.
  7. In the configuration settings that appear, ensure that Distribution Server is turned on.
  8. Click Apply to save the changes.

FortiManager will now begin downloading AV/IPS signatures, web filter databases, and other FortiGuard updates. You can monitor the status of these downloads under the FortiGuard > Package Management section.

Step 2: Configure FortiClient EMS to Use FortiManager

Next, you need to instruct FortiClient EMS to use your FortiManager as the primary update source.

  1. Log in to your FortiClient EMS GUI.
  2. Navigate to Endpoint Profiles > System Settings.
  3. Select the system settings template you wish to modify.
  4. In the template settings, find the Update section.
  5. Enable the Use alternate FortiGuard servers for updates option.
  6. In the Primary Server IP/FQDN field, enter the IP address or Fully Qualified Domain Name (FQDN) of your FortiManager.
  7. You can leave the Secondary Server field blank or set it to the default FortiGuard servers as a fallback.
  8. Save the changes to the system settings template.

The endpoints assigned to this profile will now receive the updated configuration and begin using FortiManager for their updates.

Step 3: Verify the Configuration

After configuring both systems, it is crucial to verify that everything is working as expected.

  1. On FortiManager:
    • Go to FortiGuard > Package Management > Service Status.
    • Check the status of various packages (e.g., AV & IPS Definitions, Web Filter URL Database). Ensure they show an “Up-to-Date” status and a recent “Last Updated” timestamp. This confirms FortiManager is successfully downloading updates from FortiGuard.
  2. On a FortiClient Endpoint:
    • Open the FortiClient console on a client machine.
    • Navigate to the Settings tab.
    • Under the Update section, you should see the IP address or FQDN of your FortiManager listed as the update server.
    • Trigger a manual update by clicking the Check for Updates button.
    • Observe the update process. It should complete successfully. You can also check the FortiClient logs for entries indicating a successful connection and download from the FortiManager IP address.

Troubleshooting Tips

If you encounter issues, here are a few common problems and their solutions:

  • FortiManager Not Downloading Updates:
    • Firewall Issues: Verify that FortiManager has outbound access to FortiGuard servers on TCP ports 443 and 8890. Check your upstream firewall policies.
    • License Issues: Ensure your FortiManager license is valid and includes FortiGuard services.
  • FortiClient Agents Not Updating from FortiManager:
    • Network Connectivity: Confirm that the endpoints can reach FortiManager on the required port (typically TCP 443). Use tools like ping and telnet to test connectivity from an endpoint to the FortiManager IP address.
    • EMS Profile Not Applied: Ensure the correct endpoint profile with the updated system settings is assigned to the target endpoints in FortiClient EMS.
    • DNS Resolution: If you used an FQDN for the FortiManager server, verify that endpoints can resolve it to the correct IP address.

If you cannot resolve the issues after trying these solutions, consider reaching out to a trusted Fortinet partner such as Spectrum Edge for professional assistance and support.

By centralising your FortiClient updates through FortiManager, your organisation can build a more resilient, efficient, and manageable security infrastructure, a best practice for large-scale Fortinet endpoint deployments.

0