mateusguilherme
Explorer II
February 25, 2025
Solved

Unable to connect to FortiGuard servers.

  • February 25, 2025
  • 2 replies
  • 4568 views

Hello

 

I am having problems connecting to the FortiGuard servers on a FortiGate 40f firmware v7.0.13 build0566 (Mature) (HA Cluster). I am also receiving the message "FortiGate time is out of sync.", I use an NTP server 200.160.0.8.

 

Images below: fortigate.png, fortigate2.png

From FortiGate, I can ping the servers service.fortiguard.net, update.fortiguard.net, guard.fortinet.net. I get a response time of approximately 150ms. And I can also ping the IP 200.160.0.8 with approximately 18ms of response time.

 

The output of the "diagnose debug rating" command is shown below: fortigate4.png

 

I also tried changing from https to udp with port 8888 with the commands below and I was also unsuccessful.

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip 208.91.112.220   <-- IMPORTANT TO ADD THIS OR ANY OTHER FDN SERVER TO PREVENT DOWNTIME!
end

I have two internet links and I can ping the FortiGuard servers from both links. Both internet links are PPPoE. I tried to change the tcp-mss to 1452 as described in this article (link) and I was also unsuccessful.

 

I am also attaching the debug output of the following command (link)

 

diagnose debug reset
diagnose debug application update -1
diagnose debug enable
execute update-now

 


I had to disable web filtering because without communication with the FortiGuard servers, all websites were being blocked.

Does anyone have any idea what might be happening? Is there any other test I should perform?
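The thread's root cause turns out to be clock skew: a FortiGate whose clock is months behind cannot validate FortiGuard's TLS certificates, and the "time is out of sync" warning is the symptom to check first. The script below is an added example, not part of the original post or any Fortinet tool: it builds an SNTP (NTP v4, mode 3) request, decodes the 48-byte reply and computes the offset and round-trip delay with the RFC 4330 formulas, then flags an offset beyond a threshold. The 300-second threshold, the reply-construction helper and the timestamps (device believing it is June 2024 while the server reports February 2025, with the thread's 18 ms round trip) are all constructed for the offline demonstration; `query_ntp` performs the same check against a real server.

```python
"""SNTP offset check (added example, constructed values, not from the thread)."""
import socket
import struct

NTP_EPOCH_OFFSET = 2_208_988_800        # seconds from 1900-01-01 to 1970-01-01
NTP_PACKET = struct.Struct("!BBBb11I")  # 48-byte NTP header, big-endian
MAX_SKEW_SECONDS = 300.0                # assumed policy threshold for "out of sync"


def unix_to_ntp(t):
    """Split a Unix float timestamp into NTP (seconds, fraction) words."""
    ntp = t + NTP_EPOCH_OFFSET
    sec = int(ntp)
    frac = int((ntp - sec) * 2**32) & 0xFFFFFFFF
    return sec, frac


def ntp_to_unix(sec, frac):
    return sec - NTP_EPOCH_OFFSET + frac / 2**32


def build_client_request(t1):
    """Mode 3 (client), version 4; our send time goes in the transmit field."""
    sec, frac = unix_to_ntp(t1)
    return NTP_PACKET.pack(0x23, 0, 0, 0, *([0] * 9), sec, frac)


def build_server_reply(request, t2, t3, stratum=2):
    """Constructed mode-4 reply for the offline demo: echoes the client's
    transmit time as 'originate' and stamps receive (t2) / transmit (t3)."""
    fields = NTP_PACKET.unpack(request)
    orig_sec, orig_frac = fields[13], fields[14]
    r_sec, r_frac = unix_to_ntp(t2)
    x_sec, x_frac = unix_to_ntp(t3)
    return NTP_PACKET.pack(0x24, stratum, 6, -20, 0, 0, 0x47505300,
                           r_sec, r_frac, orig_sec, orig_frac,
                           r_sec, r_frac, x_sec, x_frac)


def parse_server_reply(data, t1, t4):
    """Validate the reply and compute clock offset and round-trip delay.
    t1 = our send time, t4 = our receive time (local clock, Unix seconds)."""
    if len(data) < NTP_PACKET.size:
        raise ValueError("short NTP packet")
    f = NTP_PACKET.unpack(data[:NTP_PACKET.size])
    li, mode, stratum = f[0] >> 6, f[0] & 7, f[1]
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if li == 3 or stratum == 0 or stratum > 15:
        raise ValueError("server unsynchronised or kiss-of-death reply")
    if (f[9], f[10]) != unix_to_ntp(t1):
        raise ValueError("originate timestamp does not match our request")
    t2 = ntp_to_unix(f[11], f[12])  # server receive time
    t3 = ntp_to_unix(f[13], f[14])  # server transmit time
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return {"stratum": stratum, "offset": offset, "delay": delay,
            "in_sync": abs(offset) <= MAX_SKEW_SECONDS}


def query_ntp(host, port=123, timeout=3.0):
    """Live check against a real server (not exercised offline)."""
    import time
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_client_request(t1), (host, port))
        data, _ = s.recvfrom(512)
        t4 = time.time()
    return parse_server_reply(data, t1, t4)


def demo_stale_clock():
    """Reproduce the thread's failure: device clock ~9 months behind."""
    t1 = 1717200000.0        # constructed: device thinks it is 2024-06-01 00:00 UTC
    real_now = 1740484800.0  # constructed: server says 2025-02-25 12:00 UTC
    req = build_client_request(t1)
    reply = build_server_reply(req, real_now + 0.009, real_now + 0.010)
    t4 = t1 + 0.018          # 18 ms round trip, as in the post's ping output
    return parse_server_reply(reply, t1, t4)


def demo_synced_clock():
    """Same exchange with a correct local clock: sub-millisecond offset."""
    t1 = 1740484800.0
    req = build_client_request(t1)
    reply = build_server_reply(req, t1 + 0.009, t1 + 0.010)
    return parse_server_reply(reply, t1, t1 + 0.018)


if __name__ == "__main__":
    for name, result in (("stale", demo_stale_clock()), ("synced", demo_synced_clock())):
        print(name, "offset=%.4fs delay=%.4fs in_sync=%s" % (
            result["offset"], result["delay"], result["in_sync"]))
```

The originate-timestamp and mode checks are the minimum a client should do before trusting a UDP reply; a large offset with a small delay, as in the stale case, points at the local clock rather than the network path, which is exactly the situation in which an HTTPS-based FortiGuard connection fails while ICMP still succeeds.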

Best answer by mateusguilherme

I had to manually correct the fortigate date and then it started working again. The funny thing is that I need to set the correct date so that fortigate can communicate with the NTP server to retrieve the correct date.

2 replies

AEK
SuperUser
February 25, 2025

Hi Mateus

I see your date is 6/2024 and WAN IP is unknown.

Such behavior can happen if you have 2 IP addresses on your WAN interface, the primary IP is private and the secondary IP is public. If so then it is expected behavior that you can't contact FortiGuard and can't time sync from a public NTP server.

You can fix it from CLI by setting the source-ip in both NTP config and FortiGuard config.

AEK
mateusguilherme
Explorer II
February 25, 2025

I do not have 2 IPs configured on my WAN interface. My two WAN interfaces are PPPoE and receive a public IP from the ISP. FortiGate should use the WAN IP of one of these interfaces to try to connect to the FortiGuard servers. This should be automatic.

I tried to define an IP through the CLI with "set source ip" in "config system fortiguard", but the problem persists.

mateusguilherme
Author | Answer
Explorer II
February 26, 2025

I had to manually correct the fortigate date and then it started working again. The funny thing is that I need to set the correct date so that fortigate can communicate with the NTP server to retrieve the correct date.