FortiArt
Staff
February 7, 2025

Technical Tip: Connection to FortiGuard Services when Internet Traffic is routed via SD-WAN IPSec VPN Remote Site

Description
This article explains how to keep FortiGuard Services reachable when Internet traffic is routed via an SD-WAN IPsec VPN tunnel to remote site B, and the error message 'Unable to Connect to FortiGuard Servers' shows on the FortiGate dashboard of site A.

Scope
FortiGate.
Solution

Scenario:

 

Internet access at site A is routed over SD-WAN IPsec VPN tunnel interfaces to remote site B. BGP is the routing protocol between the sites, and site B advertises a default route to site A, while site A owns the public circuits over which the tunnels are built. In this design there is sometimes a requirement to break FortiGuard traffic out locally at site A, so that licenses and security databases are updated over site A's own public circuit rather than via site B.

 

Solution:

 

In this case, create at site A a static route out of the public interface whose destination is an address group of the FortiGuard FQDNs (see the related articles below for the list), with a distance lower than the 200 of the iBGP default route; the FortiOS default static distance of 10 already satisfies this. Each FQDN address object installs /32 host routes for the addresses it resolves to, so these routes are also more specific than the default route and win by longest prefix match for FortiGuard destinations. The FQDN address objects and the address group must have allow-routing enabled before they can be used as a static-route destination. Adjust the FortiGuard configuration only if the chosen FQDNs require it (see the note below).

 

Relevant configuration excerpts from the FortiGate at site A (port1 is the public interface):

 

config firewall address
    edit "service.fortiguard.net"
        set type fqdn
        set associated-interface "port1"
        set allow-routing enable
        set fqdn "service.fortiguard.net"
    next
    edit "securewf.fortiguard.net"
        set type fqdn
        set associated-interface "port1"
        set allow-routing enable
        set fqdn "securewf.fortiguard.net"
    next
    edit "update.fortiguard.net"
        set type fqdn
        set associated-interface "port1"
        set allow-routing enable
        set fqdn "update.fortiguard.net"
    next
    ...   <---- Other FortiGuard FQDNs, each defined the same way.
end

config firewall addrgrp
    edit "FortiGuard_FQDNs"
        set allow-routing enable
        set member "service.fortiguard.net" "securewf.fortiguard.net" "update.fortiguard.net" "usupdate.fortinet.net" "usservice.fortiguard.net" "ussecurewf.fortiguard.net" <fqdn> <fqdn> ...   <---- Other FortiGuard FQDNs.
    next
end

config router static
    edit 0   <---- 0 assigns the next free sequence number; the default distance of 10 applies.
        set gateway 10.9.15.254
        set device "port1"
        set dstaddr "FortiGuard_FQDNs"
    next
end

 

Routing table for VRF=0
B*      0.0.0.0/0 [200/0] via 10.8.8.1 (recursive via ipsec tunnel 10.10.10.35), 00:14:48, [1/0]
S       12.34.97.16/32 [10/0] via 10.9.15.254, port1, [1/0] <---- FortiGuard FQDN
S       12.34.97.18/32 [10/0] via 10.9.15.254, port1, [1/0] <---- FortiGuard FQDN
S       12.34.97.71/32 [10/0] via 10.9.15.254, port1, [1/0] <---- FortiGuard FQDN
...

 

After applying the above, the error message 'Unable to Connect to FortiGuard Servers' disappears from the dashboard at site A, and licenses and security databases are updated locally at site A rather than via site B. The /32 host routes exist only while the FortiGate has resolved the FQDNs through its configured DNS servers; if they do not appear in the routing table, confirm name resolution first (for example with 'diagnose firewall fqdn list').
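As an added example, not part of this article and not Fortinet's own tooling: the script below generates the site A CLI for an arbitrary list of FortiGuard FQDNs (the three shown on the page, or the full geolocation-specific list) and then checks a routing-table dump to confirm that every resolved FortiGuard address is forwarded out of the public interface by a static host route rather than by the BGP default through the tunnel. The sample routing table repeats the one on the page; the extra address 12.34.97.99, the FQDN list passed in, the 'edit 0' sequence number and the explicit distance of 10 are constructed or assumed for the example.

```python
"""Added example (not from the Fortinet article): generate the site-A FortiOS CLI
for a list of FortiGuard FQDNs, then check a routing-table dump to confirm each
resolved FortiGuard address leaves via the public interface and not the BGP
default route through the tunnel."""
import ipaddress
import re

# Values taken from the article.
PUBLIC_IF = "port1"
GATEWAY = "10.9.15.254"
GROUP = "FortiGuard_FQDNs"
STATIC_DISTANCE = 10  # FortiOS default distance for a static route (assumed explicit here)


def fortiguard_cli(fqdns, interface=PUBLIC_IF, gateway=GATEWAY, group=GROUP,
                   distance=STATIC_DISTANCE):
    """Emit the firewall address, addrgrp and router static stanzas for `fqdns`."""
    out = ["config firewall address"]
    for f in fqdns:
        out += [f'    edit "{f}"',
                "        set type fqdn",
                f'        set associated-interface "{interface}"',
                "        set allow-routing enable",  # required before an address can be a route target
                f'        set fqdn "{f}"',
                "    next"]
    out.append("end")
    out += ["config firewall addrgrp",
            f'    edit "{group}"',
            "        set allow-routing enable",
            "        set member " + " ".join(f'"{f}"' for f in fqdns),
            "    next", "end"]
    out += ["config router static",
            "    edit 0",  # 0 lets FortiOS pick the next free sequence number
            f"        set gateway {gateway}",
            f'        set device "{interface}"',
            f'        set dstaddr "{group}"',
            f"        set distance {distance}",
            "    next", "end"]
    return "\n".join(out)


# One line of 'get router info routing-table all', e.g.
# S       12.34.97.16/32 [10/0] via 10.9.15.254, port1, [1/0]
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])\*?\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"\[(?P<dist>\d+)/\d+\]\s+via\s+(?P<gw>\d+(?:\.\d+){3})(?P<rest>.*)$")


def parse_routes(table):
    """Parse IPv4 routes; header and continuation lines are skipped."""
    routes = []
    for line in table.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        # The egress interface follows the gateway as ", port1,"; a BGP route that
        # recurses via a tunnel shows "(recursive via ...)" and no interface here.
        dev = re.search(r",\s*([A-Za-z][\w.-]*)\s*,", m["rest"])
        routes.append({"proto": m["proto"], "net": ipaddress.ip_network(m["prefix"]),
                       "dist": int(m["dist"]), "gw": m["gw"],
                       "dev": dev.group(1) if dev else None})
    return routes


def best_route(routes, ip):
    """Longest-prefix match, the rule the FortiGate applies when forwarding."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen) if hits else None


def check_fortiguard_paths(table, resolved_ips, interface=PUBLIC_IF):
    """Map each resolved FortiGuard IP to True when its best route is a static
    route out of `interface`, False when it would still follow the default."""
    routes = parse_routes(table)
    verdict = {}
    for ip in resolved_ips:
        r = best_route(routes, ip)
        verdict[ip] = r is not None and r["proto"] == "S" and r["dev"] == interface
    return verdict


# Constructed sample: the routing table from the article plus one address
# (12.34.97.99) that has not (yet) been resolved into a host route.
SAMPLE_TABLE = """\
Routing table for VRF=0
B*      0.0.0.0/0 [200/0] via 10.8.8.1 (recursive via ipsec tunnel 10.10.10.35), 00:14:48, [1/0]
S       12.34.97.16/32 [10/0] via 10.9.15.254, port1, [1/0]
S       12.34.97.18/32 [10/0] via 10.9.15.254, port1, [1/0]
S       12.34.97.71/32 [10/0] via 10.9.15.254, port1, [1/0]
"""
SAMPLE_RESOLVED = ["12.34.97.16", "12.34.97.18", "12.34.97.71", "12.34.97.99"]

if __name__ == "__main__":
    print(fortiguard_cli(["service.fortiguard.net", "securewf.fortiguard.net",
                          "update.fortiguard.net"]))
    for ip, ok in check_fortiguard_paths(SAMPLE_TABLE, SAMPLE_RESOLVED).items():
        print(f"{ip}: {'via ' + PUBLIC_IF if ok else 'falls back to the default route (tunnel)'}")
```

On a real unit, feed check_fortiguard_paths the output of 'get router info routing-table all' and the addresses listed by 'diagnose firewall fqdn list'; any address reported False is one that would still be pulled through site B, which usually means the FQDN has not resolved yet or is missing from the address group.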

 

Note: Use the FortiGuard FQDNs listed in the related articles below that match the FortiGate's FortiGuard geolocation (server location) setting and requirements; routing only the three shown above may leave other FortiGuard services going via site B.

 

Related articles: 

Troubleshooting Tip: FortiGate FortiGuard Servers
Technical Tip: Communicating with FortiGuard Servers when FortiGate has no internet access or limited internet access