Article Id 374442
Description This article explains how site A can reach FortiGuard services when its Internet traffic is routed through an SD-WAN IPsec VPN tunnel to remote site B and the FortiGate dashboard at site A shows the error 'Unable to Connect to FortiGuard Servers'.
Scope FortiGate.
Solution

Scenario:

Internet access from site A is routed into SD-WAN IPsec VPN tunnel interfaces towards a remote site B. BGP is the routing protocol, and site B advertises the default route to site A, while site A owns the public circuits over which the tunnels are built. In this design there is sometimes a requirement to split FortiGuard traffic off at site A, so that licenses and security databases are updated locally over the public circuit rather than via site B.

Solution:

In this case, on site A create a static route out of the public interface whose destination is the FortiGuard FQDNs (see the related articles below) and whose administrative distance is lower than the distance 200 of the BGP default route (the default static-route distance of 10 already satisfies this), then adjust the FortiGuard configuration accordingly.

Relevant configuration excerpts from the FortiGate at site A (port1 is the public interface):

config firewall address
    edit "service.fortiguard.net"
        set type fqdn
        set associated-interface "port1"
        set allow-routing enable
        set fqdn "service.fortiguard.net"
    next
    edit "securewf.fortiguard.net"
        set type fqdn
        set associated-interface "port1"
        set allow-routing enable
        set fqdn "securewf.fortiguard.net"
    next
    edit "update.fortiguard.net"
        set type fqdn
        set associated-interface "port1"
        set allow-routing enable
        set fqdn "update.fortiguard.net"
    next
    ...   <---- Other FortiGuard FQDNs.
end

config firewall addrgrp
    edit "FortiGuard_FQDNs"
        set allow-routing enable
        set member "service.fortiguard.net" "securewf.fortiguard.net" "update.fortiguard.net" "usupdate.fortinet.net" "usservice.fortiguard.net" "ussecurewf.fortiguard.net" ...   <---- Other FortiGuard FQDNs.
    next
end

config router static
    edit 0   <---- 0 creates a new entry with the next free ID.
        set gateway 10.9.15.254
        set device "port1"
        set dstaddr "FortiGuard_FQDNs"
    next
end

Resulting routing table at site A (from 'get router info routing-table all'):

Routing table for VRF=0
B*      0.0.0.0/0 [200/0] via 10.8.8.1 (recursive via ipsec tunnel 10.10.10.35), 00:14:48, [1/0]
S       12.34.97.16/32 [10/0] via 10.9.15.254, port1, [1/0] <---- FortiGuard FQDN
S       12.34.97.18/32 [10/0] via 10.9.15.254, port1, [1/0] <---- FortiGuard FQDN
S       12.34.97.71/32 [10/0] via 10.9.15.254, port1, [1/0] <---- FortiGuard FQDN
...

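As an added verification example (not part of the original article), the following Python script parses routing-table output of the form shown above and reports, for each resolved FortiGuard IP, whether the selected route is a static route leaving directly on the public interface or the BGP default route recursing over the IPsec tunnel to site B. The sample table is constructed from the article's excerpt; the address 203.0.113.10 is a constructed non-FortiGuard destination used only to show the contrast, and the interface name port1 is the article's public interface.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample of FortiOS `get router info routing-table all` output,
# modelled on the excerpt in this article (same illustrative addresses).
SAMPLE_ROUTING_TABLE = """\
Routing table for VRF=0
B*      0.0.0.0/0 [200/0] via 10.8.8.1 (recursive via ipsec tunnel 10.10.10.35), 00:14:48, [1/0]
S       12.34.97.16/32 [10/0] via 10.9.15.254, port1, [1/0]
S       12.34.97.18/32 [10/0] via 10.9.15.254, port1, [1/0]
S       12.34.97.71/32 [10/0] via 10.9.15.254, port1, [1/0]
"""

# One route line: protocol letter (optional '*' on the selected default),
# prefix, [distance/metric], gateway, then the remainder of the line.
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])\*?\s+(?P<prefix>[\d.]+/\d+)\s+"
    r"\[(?P<distance>\d+)/\d+\]\s+via\s+(?P<gateway>[\d.]+)(?P<rest>.*)$"
)
# Egress interface, present when the route exits a real interface (", port1,").
IFACE_RE = re.compile(r",\s*([A-Za-z][\w.-]*)\s*,")


def parse_routes(table_text: str) -> List[Dict]:
    """Turn routing-table text into route dicts; non-route lines are skipped."""
    routes = []
    for line in table_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # e.g. the "Routing table for VRF=0" header
        rest = m.group("rest")
        iface = IFACE_RE.search(rest)
        routes.append({
            "proto": m.group("proto"),
            "network": ipaddress.ip_network(m.group("prefix"), strict=False),
            "distance": int(m.group("distance")),
            "gateway": m.group("gateway"),
            "interface": iface.group(1) if iface else None,
            # A BGP next hop reached over the tunnel shows as "recursive via ...".
            "recursive": "recursive via" in rest,
        })
    return routes


def best_route(routes: List[Dict], ip: str) -> Optional[Dict]:
    """Longest-prefix match; on equal prefix length the lower distance wins."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["distance"]))


def check_fortiguard_egress(table_text: str, fortiguard_ips: List[str],
                            public_iface: str) -> Dict[str, Dict]:
    """Report, per resolved FortiGuard IP, whether traffic leaves site A locally.

    'local' is True only when the selected route is a static (S) route that
    exits directly on public_iface, i.e. not the BGP default recursing over
    the IPsec tunnel towards site B.
    """
    routes = parse_routes(table_text)
    report: Dict[str, Dict] = {}
    for ip in fortiguard_ips:
        r = best_route(routes, ip)
        if r is None:
            report[ip] = {"local": False, "reason": "no matching route"}
            continue
        report[ip] = {
            "local": (r["proto"] == "S" and r["interface"] == public_iface
                      and not r["recursive"]),
            "proto": r["proto"],
            "prefix": str(r["network"]),
            "distance": r["distance"],
            "interface": r["interface"],
            "recursive": r["recursive"],
        }
    return report


if __name__ == "__main__":
    # The three /32s are the resolved FortiGuard FQDNs from the article's table;
    # 203.0.113.10 is a constructed non-FortiGuard destination for contrast.
    report = check_fortiguard_egress(
        SAMPLE_ROUTING_TABLE,
        ["12.34.97.16", "12.34.97.18", "12.34.97.71", "203.0.113.10"],
        "port1")
    for ip, info in report.items():
        print(ip, "local via port1" if info["local"] else "via site B tunnel", info)
```

In practice the FortiGuard IPs to check are the ones the FQDN address objects currently resolve to (`diagnose firewall fqdn list` on the FortiGate), and any entry reported as not local means that destination is still following the BGP default into the tunnel.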
Once the above is configured, the error message 'Unable to Connect to FortiGuard Servers' disappears from the dashboard at site A, and licenses and security databases are updated locally at site A rather than via site B.

Note: Use the FortiGuard FQDNs listed in the related articles below that match the configured geolocation and requirements.

Related articles: 

Troubleshooting Tip: FortiGate FortiGuard Servers
Technical Tip: Communicating with FortiGuard Servers when FortiGate has no internet access or limite...