Chapter 10 Install and System Administration for FortiOS 5.0 : FortiGuard : Antivirus and IPS : Push IP override
  
Push IP override
If the FortiGate unit is behind another NAT device (or another FortiGate unit), you need to use an override IP address for the push update notifications so that the unit receives them. To do this, you create a virtual IP that maps to the external port of the NAT device.
Generally speaking, if there are two FortiGate devices as in the diagram below, the following steps need to be completed on the FortiGate NAT device to ensure the FortiGate unit on the internal network receives the updates:
1. Add a port forwarding virtual IP to the FortiGate NAT device that connects to the Internet by going to Firewall Objects > Virtual IP.
2. Add a security policy to the FortiGate NAT device that connects to the Internet that includes the port forwarding virtual IP.
3. Configure the FortiGate unit on the internal network with an override push IP and port.
On the FortiGate internal device, the virtual IP is entered as the Use push override IP address.
Figure 231: Using a virtual IP for a FortiGate unit behind a NAT device
To enable push update override - web-based manager
1. Go to System > Config > FortiGuard.
2. Click the Expand Arrow for AV and IPS Options.
3. Select Allow Push Update.
4. Select Use push override IP.
5. Enter the virtual IP address configured on the NAT device.
6. Select Apply.
To enable push updates - CLI
config system autoupdate push-update
    set status enable
    set override enable
    set address <vip_address>
end
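
The three steps of the procedure above, written out as CLI for both devices. This is an added example, not part of the original handbook text. The interface names (wan1, internal), the object names, the addresses and the use of UDP port 9443 as the push port are assumptions chosen for illustration; substitute the values from your own network.

```fortios
# --- On the FortiGate NAT device (Internet-facing) ---
# Constructed values: 192.0.2.10 = external address on wan1,
# 10.0.0.2 = FortiGate unit on the internal network,
# UDP 9443 = push update port (assumed).

# 1. Port forwarding virtual IP
config firewall vip
    edit "fgd-push-vip"
        set extip 192.0.2.10
        set extintf "wan1"
        set portforward enable
        set protocol udp
        set extport 9443
        set mappedip 10.0.0.2
        set mappedport 9443
    next
end

# Service object so the policy passes only the push port
config firewall service custom
    edit "FGD-PUSH"
        set protocol TCP/UDP/SCTP
        set udp-portrange 9443
    next
end

# 2. Security policy that includes the virtual IP
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "fgd-push-vip"
        set action accept
        set schedule "always"
        set service "FGD-PUSH"
    next
end

# --- On the FortiGate unit on the internal network ---
# 3. Override push IP and port (the NAT device's external address)
config system autoupdate push-update
    set status enable
    set override enable
    set address 192.0.2.10
    set port 9443
end
```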