Description
This article provides steps to configure FortiGate so it can still communicate with FortiGuard servers when it has no internet access or limited internet access.
Scope: FortiOS 7.0, 7.2.
Solution
1st Method: Use FortiManager as a local FDN server for FortiGate.
Technical Tip: Configure FortiManager as a local FDN server for FortiGates
2nd Method: Update FortiGuard with a proxy server.
Operating FortiManager as a FDS in a closed network.
3rd Method: Create Static routes to FortiGuard Server FQDNs or ISDB.
First, check whether FortiGuard anycast is enabled or disabled. Use the following command:
config system fortiguard
    get | grep fortiguard-anycast
end
If fortiguard-anycast is DISABLED:
Create FQDN-type address objects for the FQDNs below and ensure static route configuration (allow-routing) is enabled on each object:
update.fortiguard.net usupdate.fortiguard.net service.fortiguard.net securewf.fortiguard.net usservice.fortiguard.net ussecurewf.fortiguard.net globaldevquery.fortinet.net globaldevcollect.fortinet.net usdevquery.fortinet.net usdevcollect.fortinet.net
Below is one example of an FQDN-type address object:
config firewall address
    edit "update.fortiguard.net"
        set type fqdn
        set allow-routing enable
        set fqdn "update.fortiguard.net"
    next
end
Next, create a static route for the FQDNs out of the WAN interface (the route ID 1 is an example; use an unused ID):
config router static
    edit 1
        set gateway 10.9.15.254
        set device "wan"
        set dstaddr "update.fortiguard.net"
    next
end
If fortiguard-anycast is enabled:
Create FQDN type address objects for the below FQDNs and ensure static route configuration is enabled. Next, create a static route for the below FQDNs out of the WAN interface. For ease of creating the static route, optionally group these address objects into one group and use that group in the static route.
globalupdate.fortinet.net globalupdate2.fortinet.net usupdate.fortinet.net usupdate2.fortinet.net euupdate.fortiguard.net euupdate.fortinet.net euupdate2.fortinet.net fctupdate.fortinet.net fctusupdate.fortinet.net fcteuupdate.fortinet.net fctguard.fortinet.net fctusguard.fortinet.net fcteuguard.fortinet.net globalguardservice.fortinet.net globalguard.fortinet.net globalguard2.fortinet.net usguardservice.fortinet.net usguard2.fortinet.net euservice.fortiguard.net eusecurewf.fortiguard.net euguardservice.fortinet.net euguard2.fortinet.net globaldevquery.fortinet.net globaldevcollect.fortinet.net usdevquery.fortinet.net usdevcollect.fortinet.net globaldevquery2.fortinet.net globaldevcollect2.fortinet.net usdevquery2.fortinet.net usdevcollect2.fortinet.net eudevquery.fortinet.net eudevcollect.fortinet.net eudevquery2.fortinet.net eudevcollect2.fortinet.net qaupdate.fortinet.net qafctupdate.fortinet.net qaguard.fortinet.net qafctguard.fortinet.net
Or create a static route with the destination ISDB - Fortinet-FortiGuard:
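config router static
    edit 2
        set gateway 10.1.1.254
        set device "wan"
        set internet-service 1245324
    next
end
The gateway and device are example values; the internet-service ID is the Fortinet-FortiGuard entry.
To list the IP addresses in Internet Service Database ID 1245324 (Fortinet-FortiGuard):
diag internet-service id 1245324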
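For the FQDN method with the optional address group, the script below generates the address objects, the group and the static route from a list of FQDNs, and rejects any entry that is not a well-formed hostname under the two domains used in the lists above. It is an added example, not Fortinet code, and it generalizes to any FQDN list; the function names, the group name "FortiGuard-FQDNs" and the name-length limit are assumptions.

```python
import ipaddress
import re

# One DNS label (RFC 1123). fullmatch() below rejects quotes, spaces and
# newlines that could break out of a quoted FortiOS CLI value.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")
# Assumption: only the two domains that appear in the article's lists are allowed.
ALLOWED_SUFFIXES = (".fortiguard.net", ".fortinet.net")


def valid_fqdn(name: str) -> bool:
    """True only for well-formed hostnames under the allowed domains."""
    name = name.strip().lower()
    if len(name) > 253 or not name.endswith(ALLOWED_SUFFIXES):
        return False
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def build_config(fqdns, group, gateway, device, route_id):
    """Return FortiOS CLI text: FQDN objects, one group, one static route."""
    names = sorted({f.strip().lower() for f in fqdns})
    bad = [n for n in names if not valid_fqdn(n)]
    if bad:
        raise ValueError(f"rejected FQDNs: {bad!r}")
    for value in (group, device):  # these are also placed inside quotes
        if not re.fullmatch(r"[A-Za-z0-9_.-]{1,35}", value):
            raise ValueError(f"unsafe object name: {value!r}")
    gateway = ipaddress.ip_address(gateway)  # raises ValueError if malformed
    out = ["config firewall address"]
    for n in names:
        out += [f'    edit "{n}"', "        set type fqdn",
                "        set allow-routing enable",
                f'        set fqdn "{n}"', "    next"]
    out += ["end", "config firewall addrgrp", f'    edit "{group}"',
            "        set member " + " ".join(f'"{n}"' for n in names),
            "        set allow-routing enable", "    next", "end",
            "config router static", f"    edit {int(route_id)}",
            f"        set gateway {gateway}", f'        set device "{device}"',
            f'        set dstaddr "{group}"', "    next", "end"]
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed sample: two FQDNs from the anycast-disabled list above.
    print(build_config(["update.fortiguard.net", "service.fortiguard.net"],
                       "FortiGuard-FQDNs", "10.9.15.254", "wan", 1))
```

Review the generated text before pasting it into the CLI, and pick a route ID that is not already in use.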