Description |
This article explains why, in some cases, traffic is denied by UTM even though the error 'unable to connect to FortiGuard server' is not shown.
The system dashboard shows no error and the license status is correct.
The issue is identified from Logs & Monitor -> Forward Traffic, where entries show UTM denied with the message 'All FortiGuard servers failed to respond.'
|
Scope | Any FortiOS version. |
Solution |
In this case, the problem is not visible from the GUI: neither the dashboard nor the FortiGuard section shows an error.
Run the update daemon debug; the following error may be seen:
diagnose debug reset
diagnose debug application update -1
diagnose debug enable
upd_comm_connect_fds[474]-Failed TCP connect
To identify the issue, check the diagnose debug rating output; it will look like the following:
diagnose debug rating
Locale          : spanish

Service         : Web-filter
Status          : Enable
License         : Contract

Service         : Antispam
Status          : Enable
License         : Contract

Service         : Virus Outbreak Prevention
Status          : Disable

Num. of servers : 1
Protocol        : https
Port            : 443
Anycast         : Enable
Default servers : Included

-=- Server List (Mon Jun 26 17:31:57 2023) -=-

IP                                Weight  RTT  Flags  TZ  FortiGuard-requests  Curr Lost  Total Lost  Updated Time
2620:101:9000:140:173:243:140:16  0       0    DIF    0   49408                49407      49407
As seen in the output above, only one server is listed and it carries the DIF flag: the server is down from the FortiGate's point of view (RTT 0, no Updated Time, and almost every request lost), so the FortiGate cannot reach the FortiGuard server.
This points to a problem with the availability of the filtering service over the anycast HTTPS (port 443) path.
As a workaround, FortiGuard anycast can be disabled and UDP on port 53 or 8888 used instead:
config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip 208.91.112.220
end
If the diagnose debug rating output shows the DIF flag and, after restarting the URL filter daemon (for example with diagnose test application urlfilter 99), it changes to DIFT, the server is not replying to FortiGate queries. A server stays in this state for 15 seconds (default) before it is considered failed.
This can also be a routing issue when the firewall has multiple default routes. With multiple WAN connections, specifying the outbound interface in the FortiGuard configuration may help; if the device uses SD-WAN, letting SD-WAN select the outbound interface is the better option.
For a non-SD-WAN setup with multiple WAN connections, change the interface selection method to specify and select the WAN connection that should carry FortiGuard traffic:
config system fortiguard
    set interface-select-method specify
    set interface port1    <- specify the active WAN interface
end
For an SD-WAN setup, change the interface selection method to sdwan under the FortiGuard settings; SD-WAN rules will then determine the correct interface for FortiGuard connectivity:
config system fortiguard
    set interface-select-method sdwan
end
After the above changes, verify that the rating servers are reachable. Example output:
diagnose debug rating
Locale          : english

Service         : Web-filter
Status          : Enable
License         : Contract

Service         : Antispam
Status          : Disable

Service         : Virus Outbreak Prevention
Status          : Disable

Num. of servers : 30
Protocol        : udp
Port            : 8888
Anycast         : Disable
Default servers : Included

-=- Server List (Wed Aug 16 23:02:28 2023) -=-

IP              Weight  RTT  Flags  TZ  FortiGuard-requests  Curr Lost  Total Lost  Updated Time
208.184.237.61  35      321  D FT   -8  230                  224        224         Wed Aug 16 22:39:53 2023
208.184.237.62  40      284  FT     -8  92                   84         84          Wed Aug 16 22:39:53 2023
208.184.237.64  40      286  FT     -8  86                   84         84          W
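The check above is easy to automate when many FortiGates have to be audited. The following script is an added example written for this article (it is not Fortinet code): it parses the server list of `diagnose debug rating`, as pasted from the CLI, and reports whether any rating server has ever answered. Column meanings are taken from the header line shown on this page; the rule "a server with a non-zero RTT and an Updated Time stamp has responded" is an assumption of this example, not a FortiOS definition, and the sample inputs are constructed from the two outputs above (the third timestamp in the second sample is filled in for the example). It accepts both the one-line summary layout shown on this page and the one-field-per-line layout the CLI normally prints.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Summary fields may be on one line (as on this page) or one per line (CLI).
FIELD_RE = re.compile(r"(?P<key>Num\. of servers|Protocol|Port|Anycast)\s*:\s*(?P<val>\S+)")
# A server row: IP, Weight, RTT, fixed-width Flags (so "D FT" keeps its gap),
# TZ, requests, Curr Lost, Total Lost and an optional Updated Time.
ROW_RE = re.compile(
    r"^(?P<ip>[0-9a-fA-F.:]+)\s+(?P<weight>\d+)\s+(?P<rtt>\d+)\s+"
    r"(?P<flags>[A-Z ]+?)\s+(?P<tz>-?\d+)\s+(?P<requests>\d+)\s+"
    r"(?P<curr_lost>\d+)\s+(?P<total_lost>\d+)(?:\s+(?P<updated>\S.*))?$"
)


@dataclass
class Server:
    ip: str
    weight: int
    rtt: int
    flags: str
    tz: int
    requests: int
    curr_lost: int
    total_lost: int
    updated: Optional[str]

    @property
    def responding(self) -> bool:
        # Assumption of this example (not a FortiOS definition): a measured
        # RTT plus an Updated Time stamp means the server answered at least
        # once; RTT 0 and no stamp means it never did.
        return self.rtt > 0 and self.updated is not None


def parse_rating(text: str) -> Tuple[Dict[str, str], List[Server]]:
    """Split pasted `diagnose debug rating` output into the transport summary
    (protocol, port, anycast) and the per-server rows; other lines are ignored."""
    summary: Dict[str, str] = {}
    servers: List[Server] = []
    for raw in text.splitlines():
        line = raw.strip()
        for m in FIELD_RE.finditer(line):
            summary[m["key"].lower()] = m["val"].lower()
        m = ROW_RE.match(line)
        if m:
            g = m.groupdict()
            servers.append(Server(
                ip=g["ip"], weight=int(g["weight"]), rtt=int(g["rtt"]),
                flags=g["flags"], tz=int(g["tz"]), requests=int(g["requests"]),
                curr_lost=int(g["curr_lost"]), total_lost=int(g["total_lost"]),
                updated=g["updated"]))
    return summary, servers


def assess(text: str) -> Dict[str, object]:
    """Report whether any rating server is usable; when none is, list the
    FortiGuard settings this article suggests changing."""
    summary, servers = parse_rating(text)
    alive = [s for s in servers if s.responding]
    hints: List[str] = []
    if not alive:
        if summary.get("anycast") == "enable":
            hints.append("set fortiguard-anycast disable / set protocol udp / set port 8888")
        hints.append("set interface-select-method specify|sdwan")
    return {
        "protocol": summary.get("protocol"), "port": summary.get("port"),
        "anycast": summary.get("anycast"), "total": len(servers),
        "responding": len(alive),
        "dead": [s.ip for s in servers if not s.responding],
        "verdict": "ok" if alive else "all FortiGuard servers failed to respond",
        "hints": hints,
    }


# Constructed samples, built from the two outputs shown on this page.
BROKEN = """\
Num. of servers : 1 Protocol : https Port : 443 Anycast : Enable Default servers : Included
-=- Server List (Mon Jun 26 17:31:57 2023) -=-
IP Weight RTT Flags TZ FortiGuard-requests Curr Lost Total Lost Updated Time
2620:101:9000:140:173:243:140:16 0 0 DIF 0 49408 49407 49407
"""
FIXED = """\
Num. of servers : 30
Protocol        : udp
Port            : 8888
Anycast         : Disable
-=- Server List (Wed Aug 16 23:02:28 2023) -=-
IP              Weight  RTT  Flags  TZ  FortiGuard-requests  Curr Lost  Total Lost  Updated Time
208.184.237.61  35      321  D FT   -8  230                  224        224         Wed Aug 16 22:39:53 2023
208.184.237.62  40      284  FT     -8  92                   84         84          Wed Aug 16 22:39:53 2023
208.184.237.64  40      286  FT     -8  86                   84         84          Wed Aug 16 22:39:53 2023
"""

if __name__ == "__main__":
    for label, sample in (("before", BROKEN), ("after", FIXED)):
        print(label, assess(sample))
```

Paste the real CLI output in place of the samples; a verdict of "all FortiGuard servers failed to respond" with anycast enabled is exactly the state described in this article, and the hints mirror the configuration changes given above.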
|
Copyright 2024 Fortinet, Inc. All Rights Reserved.