Technical Tip: ICMP to FortiGuard Distribution Servers (FDS)
Description
This article describes how FortiGuard Distribution Servers (FDS) respond to ICMP echo requests.
Scope
FortiGate.
Solution
ICMP packet loss is occasionally observed when pinging FortiGuard servers:
execute ping update.fortiguard.net
PING fds1.fortinet.com (96.45.33.86): 56 data bytes
64 bytes from 96.45.33.86: icmp_seq=0 ttl=56 time=158.2 ms
64 bytes from 96.45.33.86: icmp_seq=1 ttl=56 time=158.2 ms
64 bytes from 96.45.33.86: icmp_seq=2 ttl=56 time=158.2 ms
64 bytes from 96.45.33.86: icmp_seq=3 ttl=56 time=158.1 ms
64 bytes from 96.45.33.86: icmp_seq=4 ttl=56 time=158.2 ms
--- fds1.fortinet.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 158.1/158.1/158.2 ms
exec ping guard.fortinet.net
PING guard.fortinet.net (173.243.138.91): 56 data bytes
64 bytes from 173.243.138.91: icmp_seq=0 ttl=47 time=87.0 ms
64 bytes from 173.243.138.91: icmp_seq=1 ttl=47 time=86.8 ms
64 bytes from 173.243.138.91: icmp_seq=2 ttl=47 time=86.5 ms
64 bytes from 173.243.138.91: icmp_seq=3 ttl=47 time=86.6 ms
64 bytes from 173.243.138.91: icmp_seq=4 ttl=47 time=86.5 ms
--- guard.fortinet.net ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 86.5/86.6/87.0 ms
execute ping securewf.fortiguard.net [ for HTTPS service ]
PING securewf.fortiguard.net (173.243.138.96): 56 data bytes
64 bytes from 173.243.138.96: icmp_seq=0 ttl=44 time=89.6 ms
64 bytes from 173.243.138.96: icmp_seq=1 ttl=44 time=89.4 ms
64 bytes from 173.243.138.96: icmp_seq=2 ttl=44 time=89.3 ms
64 bytes from 173.243.138.96: icmp_seq=3 ttl=44 time=89.3 ms
64 bytes from 173.243.138.96: icmp_seq=4 ttl=44 time=89.3 ms
--- securewf.fortiguard.net ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 89.3/89.3/89.6 ms
execute ping service.fortiguard.net
PING guard.fortinet.net (209.222.147.36): 56 data bytes
64 bytes from 209.222.147.36: icmp_seq=1 ttl=50 time=117.0 ms
--- guard.fortinet.net ping statistics ---
5 packets transmitted, 1 packets received, 80% packet loss
round-trip min/avg/max = 117.0/117.0/117.0 ms
For additional validation, ping the following domains:
execute ping service.fortiguard.net <----- UDP port 53, 8888; UDP and worldwide servers.
execute ping securewf.fortiguard.net <----- HTTPS over port 443, 53, 8888; HTTPS and worldwide servers.
execute ping update.fortiguard.net <----- TCP port 443.
execute ping usupdate.fortinet.net <----- TCP port 443.
execute ping usservice.fortiguard.net <----- UDP and USA-based-only servers.
execute ping ussecurewf.fortiguard.net <----- HTTPS and USA-based-only servers.
execute ping euservice.fortiguard.net <----- UDP and European-based-only servers.
execute ping eusecurewf.fortiguard.net <----- HTTPS and European-based-only servers.
The packet loss is caused by ICMP echo rate limiting applied on the FortiGuard servers, so packet loss to FortiGuard servers is expected. ICMP echo requests and responses can be misleading because protocols are prioritized at various levels. The loss has no bearing on updates from FortiGuard servers, as updates happen on port 443.
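The following is an added example, not part of the original article or any Fortinet tooling: a monitoring-side check that parses saved "execute ping" output and treats ICMP loss as a fault only when a TCP handshake to the service port also fails. It assumes the probe runs from a host on the same egress path as the FortiGate and uses port 443 as stated above; the function names and verdict labels are hypothetical, and hosts that serve only UDP need a different probe.

```python
import re
import socket

# Matches the per-host summary block printed by "execute ping".
STATS_RE = re.compile(
    r"^--- (?P<host>\S+) ping statistics ---\s*\n"
    r"(?P<tx>\d+) packets transmitted, (?P<rx>\d+) packets received, "
    r"(?P<loss>\d+)% packet loss",
    re.MULTILINE,
)

def parse_ping_stats(text):
    """Return {host: (transmitted, received, loss_percent)} from ping output."""
    return {
        m["host"]: (int(m["tx"]), int(m["rx"]), int(m["loss"]))
        for m in STATS_RE.finditer(text)
    }

def tcp_reachable(host, port=443, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def assess(text, probe=tcp_reachable, port=443):
    """Classify each host; ICMP loss alone is never reported as a fault."""
    verdicts = {}
    for host, (_tx, _rx, loss) in parse_ping_stats(text).items():
        if loss == 0:
            verdicts[host] = "ok"
        elif probe(host, port):
            verdicts[host] = "icmp-rate-limited"  # service port still answers
        else:
            verdicts[host] = "unreachable"        # ICMP and TCP both failing
    return verdicts

# Constructed sample in the summary format shown in the article.
SAMPLE = """\
--- fds1.fortinet.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
--- guard.fortinet.net ping statistics ---
5 packets transmitted, 1 packets received, 80% packet loss
"""

if __name__ == "__main__":
    # Probe is stubbed so the sample runs offline; omit it to test TCP for real.
    print(assess(SAMPLE, probe=lambda host, port: True))
```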
