Technical Tip: How to enable anycast in FortiManager/FortiAnalyzer for FortiGuard update
Description
This article describes how to enable anycast in FortiManager/FortiAnalyzer for FortiGuard updates. By default, anycast for FortiGuard updates is disabled. The current anycast domain names for Global servers and US-Only servers are listed below. The domain is signed by a public CA, DigiCert.
| FortiGuard Service | Global Servers | US-Only Servers |
|---|---|---|
| AV-IPS package | globalupdate.fortinet.net, globalupdate2.fortinet.net | usupdate.fortinet.net, usupdate2.fortinet.net |
| AV-IPS packages (FortiClient) | globalfctupdate.fortinet.net | fctusupdate.fortinet.net |
| GeoIP | globalupdate.fortinet.net, globalupdate2.fortinet.net | usupdate.fortinet.net, usupdate2.fortinet.net |
| Webfilter AntiSpam Outbreak Prevention Query Category File Query AntiVirus Query | globalupdate.fortinet.net, globalupdate2.fortinet.net | usupdate.fortinet.net, usupdate2.fortinet.net |
| IoT Collect | globalupdate.fortinet.net | usupdate.fortinet.net |
For the full Unicast and Anycast domain name comparison table, see this reference.
Scope
FortiManager/FortiAnalyzer.
Solution
- In this example, enable anycast to use FortiGuard global servers.
config system global
set usg disable
end
Note: The system will reboot to apply the change.
config fmupdate fds-setting
set fortiguard-anycast enable
end
- To verify the change for both FDS and FGD, check that the server address now uses the prefix globalupdate instead of usupdate.
diagnose fmupdate view-serverlist fds
Fortiguard Server Comm : Enabled
Server Override Mode : Loose
FDS server list :
Index Address Port TimeZone Distance Source
------------------------------------------------------------------------------------------------------
*0 globalupdate.fortinet.net 443 8 0 ANYCAST
FCT server list :
Index Address Port TimeZone Distance Source
------------------------------------------------------------------------------------------------------
*0 fctupdate.fortinet.net 443 8 0 ANYCAST
diagnose fmupdate view-serverlist fgd
Fortiguard Server Comm : Enabled
Server Override Mode : Loose
FGD server list :
Index Address Port TimeZone Distance Source
------------------------------------------------------------------------------------------------------
*0 globalupdate.fortinet.net 443 8 0 ANYCAST
GEOIP server list :
Index Address Port TimeZone Distance Source
------------------------------------------------------------------------------------------------------
*0 globalupdate.fortinet.net 443 8 0 ANYCAST
- Debugging can also be run to determine whether the connection to FortiGuard via anycast is failing.
diagnose debug application fdssvrd 255
diagnose debug enable
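The verification step above can be automated against saved CLI output. The following is an added example, not Fortinet code: it parses `diagnose fmupdate view-serverlist` output and reports any row whose Source is not ANYCAST or whose address belongs to the wrong region. The hostname sets come from the table on this page; the `usg` argument is a hypothetical parameter mirroring `set usg`, and the second sample is constructed.

```python
import re
# Anycast hostnames taken from the table on this page.
GLOBAL_HOSTS = {"globalupdate.fortinet.net", "globalupdate2.fortinet.net",
                "globalfctupdate.fortinet.net"}
US_HOSTS = {"usupdate.fortinet.net", "usupdate2.fortinet.net",
            "fctusupdate.fortinet.net"}
SECTION = re.compile(r"^(\w+) server list\s*:")
ROW = re.compile(r"^\*?(\d+)\s+(\S+)\s+(\d+)\s+(-?\d+)\s+(-?\d+)\s+(\S+)$")

def parse_serverlist(text):
    """Parse saved 'diagnose fmupdate view-serverlist' output into row dicts."""
    rows, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION.match(line)):
            section = m.group(1)          # e.g. FDS, FCT, FGD, GEOIP
        elif section and (m := ROW.match(line)):
            rows.append({"list": section, "address": m.group(2),
                         "port": int(m.group(3)), "source": m.group(6)})
    return rows

def audit(text, usg=False):
    """Return findings; an empty list means every row is anycast, right region."""
    rows = parse_serverlist(text)
    findings = [] if rows else ["no server rows parsed"]
    wrong_region = GLOBAL_HOSTS if usg else US_HOSTS
    for r in rows:
        if r["source"] != "ANYCAST":
            findings.append(f'{r["list"]}: {r["address"]} source {r["source"]}')
        if r["address"] in wrong_region:
            findings.append(f'{r["list"]}: {r["address"]} wrong region')
    return findings

# FDS output as shown on this page (separator lines omitted).
PAGE_FDS = """Fortiguard Server Comm : Enabled
Server Override Mode : Loose
FDS server list :
Index Address Port TimeZone Distance Source
*0 globalupdate.fortinet.net 443 8 0 ANYCAST
FCT server list :
Index Address Port TimeZone Distance Source
*0 fctupdate.fortinet.net 443 8 0 ANYCAST
"""
# Constructed sample: a US-only server and a made-up non-anycast source value.
BAD = """FDS server list :
*0 usupdate.fortinet.net 443 -5 0 ANYCAST
1 192.0.2.10 443 -5 0 UNICAST-EXAMPLE
"""
print(audit(PAGE_FDS) or "OK", audit(BAD))
```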
Related article:
Technical Tip: Verifying FortiGuard connectivity on FortiManager.