BensonLEI
New Member
November 18, 2020
Solved

Can not access Fortiguard servers ( for device registration )


Hi, guys,

My Forti600E can not access Fortiguard servers (for device registration, any Fortinet services). The network infrastructure is:

The Forti600E has a few network links:

1. The device is using Fortinet DNS services: 208.91.112.53 & 208.91.112.52
2. The default route (0.0.0.0/0.0.0.0) can point to internal network.
3. The route table to Fortinet DNS services is implicitly defined, as in the following route table:

    Forti600E-01 # get router info routing-table all
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default

    Routing table for VRF=0
    S*      0.0.0.0/0 [10/0] via 10.0.0.250, port2
    C       10.0.0.248/30 is directly connected, port2
    C       10.10.32.88/29 is directly connected, LL_10M
    C       10.86.2.0/29 is directly connected, LeaseLine
    C       10.101.1.0/24 is directly connected, mgmt
    C       10.102.2.0/30 is directly connected, EXT_Zone
    C       10.102.2.4/30 is directly connected, INT_Zone
    S       10.131.1.23/32 [10/0] via 10.102.2.6, INT_Zone
    S       10.171.4.127/32 [10/0] via 10.101.1.254, mgmt
                            [10/0] via 10.101.2.254, mgmt
    C       100.100.100.100/32 is directly connected, port2
    C       200.200.200.0/24 is directly connected, port2
    S       208.91.112.52/32 [10/0] via 10.101.1.254, mgmt
    S       208.91.112.53/32 [10/0] via 10.101.1.254, mgmt
    Forti600E-01 #

Tested result:

    Forti600E-01 # get system dns
    primary : 208.91.112.53
    secondary : 208.91.112.52
    dns-over-tls : disable
    ssl-certificate : Fortinet_Factory
    domain :
    ip6-primary : ::
    ip6-secondary : ::
    timeout : 5
    retry : 2
    dns-cache-limit : 5000
    dns-cache-ttl : 1800
    cache-notfound-responses: disable
    source-ip : 0.0.0.0
    interface-select-method: auto
    Forti600E-01 #

    Forti600E-01 # exe ping 208.91.112.52
    PING 208.91.112.52 (208.91.112.52): 56 data bytes
    64 bytes from 208.91.112.52: icmp_seq=0 ttl=49 time=233.8 ms
    64 bytes from 208.91.112.52: icmp_seq=1 ttl=49 time=233.7 ms
    64 bytes from 208.91.112.52: icmp_seq=2 ttl=49 time=233.7 ms
    64 bytes from 208.91.112.52: icmp_seq=3 ttl=49 time=233.8 ms
    64 bytes from 208.91.112.52: icmp_seq=4 ttl=49 time=233.8 ms
    --- 208.91.112.52 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 233.7/233.7/233.8 ms

    Forti600E-01 # exe ping 208.91.112.53
    PING 208.91.112.53 (208.91.112.53): 56 data bytes
    64 bytes from 208.91.112.53: icmp_seq=0 ttl=49 time=237.3 ms
    64 bytes from 208.91.112.53: icmp_seq=1 ttl=49 time=237.2 ms
    64 bytes from 208.91.112.53: icmp_seq=2 ttl=49 time=237.3 ms
    64 bytes from 208.91.112.53: icmp_seq=3 ttl=49 time=237.3 ms
    64 bytes from 208.91.112.53: icmp_seq=4 ttl=49 time=237.3 ms
    --- 208.91.112.53 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 237.2/237.2/237.3 ms
    Forti600E-01 #

But the Forti600E can not connect to FortiGuard servers (WAN IP is unknown), as in the attached. Any recommendation?

Many thanks in advance.


    boneyard (Answer)
    Valued Contributor
    November 18, 2020

    For FortiGuard you need more than just those DNS servers, see which hostnames (and thus IPs) are required

     

    https://docs.fortinet.com...cols/649403/fortiguard

    BensonLEI (Author)
    New Member
    November 19, 2020

    Hi, Boneyard,

     

    Thanks so much for your useful link.

     

    If the default route is not routed/pointed to ISP lines, and I have defined/routed the dedicated Fortiguard services via the mgmt network link for internet traffic (for example, 10.101.1.254); and the test results are as below:

     

     

        Forti600E-01 # get router info routing-table all
        ...........
        S*      0.0.0.0/0 [10/0] via 10.0.0.250, port2
        S       63.137.229.1/32 [10/0] via 10.101.1.254, mgmt
        S       96.45.33.86/32 [10/0] via 10.101.1.254, mgmt
        S       208.91.112.52/32 [10/0] via 10.101.1.254, mgmt
        S       208.91.112.53/32 [10/0] via 10.101.1.254, mgmt
        S       209.222.147.36/32 [10/0] via 10.101.1.254, mgmt

        Forti600E-01 # exe ping service.fortiguard.net
        PING guard.fortinet.net (209.222.147.36): 56 data bytes

        Forti600E-01 # exe ping update.fortiguard.net
        PING fds1.fortinet.com (96.45.33.86): 56 data bytes

        Forti600E-01 # exe ping support.fortinet.com
        PING support.fortinet.com (63.137.229.1): 56 data bytes

        Forti600E-01 # exe ping 208.91.112.52
        PING 208.91.112.52 (208.91.112.52): 56 data bytes
        64 bytes from 208.91.112.52: icmp_seq=0 ttl=49 time=233.9 ms
        64 bytes from 208.91.112.52: icmp_seq=1 ttl=49 time=233.8 ms
        ....
        --- 208.91.112.52 ping statistics ---
        5 packets transmitted, 5 packets received, 0% packet loss
        round-trip min/avg/max = 233.8/233.8/233.9 ms

        Forti600E-01 # exe ping 208.91.112.53
        PING 208.91.112.53 (208.91.112.53): 56 data bytes
        64 bytes from 208.91.112.53: icmp_seq=0 ttl=49 time=237.3 ms
        64 bytes from 208.91.112.53: icmp_seq=1 ttl=49 time=237.3 ms
        ....
        --- 208.91.112.53 ping statistics ---
        5 packets transmitted, 5 packets received, 0% packet loss
        round-trip min/avg/max = 237.2/237.2/237.3 ms

        Forti600E-01 # exe ping 209.222.147.36
        PING 209.222.147.36 (209.222.147.36): 56 data bytes
        --- 209.222.147.36 ping statistics ---
        5 packets transmitted, 0 packets received, 100% packet loss

        Forti600E-01 # exe ping 96.45.33.86
        PING 96.45.33.86 (96.45.33.86): 56 data bytes
        64 bytes from 96.45.33.86: icmp_seq=0 ttl=51 time=127.6 ms
        64 bytes from 96.45.33.86: icmp_seq=1 ttl=51 time=127.6 ms
        .....
        --- 96.45.33.86 ping statistics ---
        5 packets transmitted, 5 packets received, 0% packet loss
        round-trip min/avg/max = 127.5/127.7/128.4 ms

        Forti600E-01 # exe ping 63.137.229.1
        PING 63.137.229.1 (63.137.229.1): 56 data bytes
        --- 63.137.229.1 ping statistics ---
        5 packets transmitted, 0 packets received, 100% packet loss

        Forti600E-01 #

     

     

    The same problem: I can not register the Forti600E. Any advice?

     

     

    Thanks a lot

    boneyard
    Valued Contributor
    November 19, 2020

    the route via mgmt doesn't filter anything right? it is full internet access?

     

    these two articles are useful to go through, especially the debug in the last one. it might show which extra IPs are needed or fail now.

     

    https://kb.fortinet.com/kb/documentLink.do?externalID=FD30088

     

    https://kb.fortinet.com/kb/viewContent.do?externalId=FD32121

     

        # diag debug enable
        # diag debug application update 255
        # exec update-now
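
An added example, not part of the thread: a Python check that parses route lines in the format shown in the first post and does a longest-prefix match for the addresses the FortiGate resolved in the follow-up post, showing which of them leave via mgmt and which fall through to the default route on port2. The function names are hypothetical; the route lines and addresses are copied from the posts above, and "dns-primary" is only a label for 208.91.112.53.

```python
import ipaddress
import re

# Route lines copied from the routing table in the first post of this thread.
ROUTING_TABLE = """\
S*      0.0.0.0/0 [10/0] via 10.0.0.250, port2
C       10.101.1.0/24 is directly connected, mgmt
S       208.91.112.52/32 [10/0] via 10.101.1.254, mgmt
S       208.91.112.53/32 [10/0] via 10.101.1.254, mgmt
"""

# Name -> address pairs as resolved in the follow-up post's ping tests.
DESTINATIONS = {
    "service.fortiguard.net": "209.222.147.36",
    "update.fortiguard.net": "96.45.33.86",
    "support.fortinet.com": "63.137.229.1",
    "dns-primary": "208.91.112.53",
}

ROUTE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+/\d+)\s+(?:\[\d+/\d+\]\s+via\s+(\S+),"
                      r"|is directly connected,)\s*(\S+)")

def parse_routes(text):
    """Return (network, gateway or None, interface) for each line with a prefix."""
    found = (ROUTE_RE.search(line) for line in text.splitlines())
    return [(ipaddress.ip_network(m.group(1), strict=False), m.group(2), m.group(3))
            for m in found if m]

def lookup(routes, ip):
    """Longest-prefix match: the most specific route containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def egress_report(routes, destinations, wanted_iface):
    """Map name -> (egress interface, True if it equals wanted_iface)."""
    report = {}
    for name, ip in destinations.items():
        route = lookup(routes, ip)
        iface = route[2] if route else None
        report[name] = (iface, iface == wanted_iface)
    return report

if __name__ == "__main__":
    report = egress_report(parse_routes(ROUTING_TABLE), DESTINATIONS, "mgmt")
    for name, (iface, ok) in report.items():
        print(f"{name:24} {iface}  {'ok' if ok else 'not via mgmt'}")
```

With the first post's table only the DNS address leaves via mgmt; adding the three /32 routes from the follow-up post's table makes every entry resolve to mgmt.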