Configuring push updates
You can configure the FortiMail unit to receive push updates from the FDN or override server.
When push updates are configured, the FortiMail unit first notifies the FDN of its IP address or, if configured, the override IP address and port number. (If your FortiMail unit’s IP address changes, including if it is configured with DHCP, the FortiMail unit automatically notifies the FDN of the new IP address.) As soon as new FortiGuard Antivirus and FortiGuard Antispam packages become available, the FDN sends an update availability notification to that IP address and port number. Within 60 seconds, the FortiMail unit then requests the package update as if it were a scheduled or manually initiated update.
You can use scheduled updates or manually initiated updates as alternatives to, or in conjunction with, push updates. If protection from the latest viral threats is a high priority, you could configure both scheduled updates and push updates, using scheduled updates as a failover method to increase the likelihood that the FortiMail unit will still periodically retrieve updates if connectivity is interrupted during a push notification. Push updates, however, can potentially cause short disruptions to antivirus scans if the FortiMail unit applies them during peak volume times. For additional or alternative update methods, see “Configuring scheduled updates” and “Manually requesting updates”.
Before configuring push updates, first verify that the FortiMail unit can connect to the FDN or override server. For details, see “Verifying connectivity with FortiGuard services”.
To configure push updates
1. Go to Maintenance > FortiGuard > Update.
2. Under FortiGuard Update Options, enable Allow push update.
3. If the FortiMail unit is behind a firewall or router performing NAT, enable Use override push IP and enter the external IP address and port number of the NAT device.
You must also configure the NAT device with port forwarding or a virtual IP to forward push notifications (UDP port 9443) to the FortiMail unit. For example, if the FortiMail unit is behind a FortiGate unit, configure the FortiGate unit with a virtual IP that forwards push notifications from its external network interface to the private network IP address of the FortiMail unit. Then, on the FortiMail unit, configure Use override push IP with the IP address and port number of that virtual IP. For details on configuring virtual IPs or port forwarding, see the documentation for the NAT device.
Push updates require that the external IP address of the NAT device is not dynamic (such as an IP address automatically configured using DHCP). If it is dynamic, the override push IP becomes out-of-date when the IP address changes, causing subsequent push updates to fail.
If you do not enable Use override push IP, the FDN will send push notifications to the IP address of the FortiMail unit, which must be a public network IP address routable from the Internet.
4. Click Apply.
The FortiMail unit notifies the FDN of its IP address or, if configured, the override push IP. When an update is available, the FDN will send push notifications to this IP address and port number.
5. Click Refresh in the FortiGuard Service Status area.
A dialog appears, notifying you that the process could take a few minutes.
6. Click OK.
The FDN tests the connection to the FortiMail unit. The time required varies with the speed of the FortiMail unit’s network connection and the number of timeouts that occur before the connection attempt succeeds or the FortiMail unit determines that it cannot connect. When the connection test completes, the page refreshes. Test results appear in the Push update field.
Available: The FDN successfully connected to the FortiMail unit.
Unavailable: The FDN could not connect to the FortiMail unit, and cannot send push notifications to it. Verify that intermediary firewalls and routers do not block push notification traffic (UDP port 9443). If the FortiMail unit is behind a NAT device, verify that you have enabled and configured Use override push IP, and that the NAT device is configured to forward push notifications to the FortiMail unit.
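The FortiGate virtual IP described in step 3 could look like the following. This is an added example, not taken from the FortiMail or FortiGate documentation; it assumes recent FortiOS CLI syntax, and the interface names (wan1, internal), object names, and both IP addresses are constructed placeholders.

```fortios
# Assumption: 203.0.113.10 is the static external address of the FortiGate
# and 10.0.0.25 is the private address of the FortiMail unit (both constructed).

# Virtual IP: forward only UDP 9443 from the external interface to FortiMail.
config firewall vip
    edit "fortimail-push-vip"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set protocol udp
        set extport 9443
        set mappedip "10.0.0.25"
        set mappedport 9443
    next
end

# Custom service so the policy permits the push notification port and nothing else.
config firewall service custom
    edit "FDN-push-udp-9443"
        set udp-portrange 9443
    next
end

# Policy: allow inbound traffic to the virtual IP, limited to that service.
# srcaddr is "all" because this page does not list FDN source addresses.
config firewall policy
    edit 0
        set name "fdn-push-to-fortimail"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "fortimail-push-vip"
        set action accept
        set schedule "always"
        set service "FDN-push-udp-9443"
        set logtraffic all
    next
end
```

With this in place, Use override push IP on the FortiMail unit would be set to 203.0.113.10 and port 9443, and the Push update field should read Available after the refresh in step 5.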