Description
This article describes how to fix the issue where a FortiGate cannot get the proper license.
When update debugging is run, the output shows the message 'Failed getting WAN IP'.
Solution
- When a FortiGate with VDOMs configured cannot get the proper license, run the following debug commands to investigate the issue.
From the CLI:
# diagnose debug reset
# diagnose debug disable
# diagnose debug application update -1
# diagnose debug console timestamp enable
# diagnose debug enable
The debug output then appears as below, including the message 'Failed getting wan ip'.
Debugging log:
upd_daemon[1669]-Received update now request
upd_daemon[1455]-Found cached action=00000002
do_update[473]-Starting now UPDATE (final try)
upd_fds_load_default_server[935]-Resolve fds ip address failed.
upd_fds_load_default_server6[4554]-Resolve fds ipv6 address failed.
upd_fds_create_list[1234]-No server found for update[00000002]
do_update[495]-UPDATE failed
do_check_wanip[631]-Starting getting wan ip
upd_fds_load_default_server[935]-Resolve fds ip address failed.
upd_fds_load_default_server6[4554]-Resolve fds ipv6 address failed.
upd_fds_create_list[6456]-No server found for update[00000040]
do_check_wanip[635]-Failed getting wan ip
To fix the issue:
- If the FortiGate has VDOMs configured, make sure that at least one VDOM can access the internet properly.
- Go to System -> VDOM, select the VDOM that can access the internet, and select 'Switch Management'.
- Test and update the license again.
If this does not work:
Try to change the anycast server: it is recommended to disable anycast and switch back to unicast servers.
# config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
set sdns-server-ip 208.91.112.220
end
Another possible cause, when the FortiGate is managed by a FortiManager, is that the setting include-default-servers under config system central-management is set to disable.
Option values for include-default-servers:
enable: Enable inclusion of public FortiGuard servers in the override server list.
disable: Disable inclusion of public FortiGuard servers in the override server list.
# config system central-management
set include-default-servers enable
end
In many cases, problems related to FortiGuard are caused by ISPs. Some ISPs block traffic on port 53 that is not DNS or that contains large packets. In those cases, the solution is to use port 8888.
Other ISPs block traffic to HTTPS port 8888. In those cases, the solution is to use UDP port 53.
Related port information:
- Encrypted Virus Samples auto-submitted to FortiGuard – 25.
- DNS lookups – 53 UDP.
- FortiGuard Server List requests to FortiGuard – 53 UDP.
- AntiSpam or Web Filtering rating lookup queries to FortiGuard – 53 UDP or 8888 UDP.
- URL/AS rating lookup queries to FortiGuard – 53 UDP.
- Real-time Black List (RBL) lookup requests to RBL services – 53 UDP.
- Fortinet Device Registration to FortiGuard – 80 HTTP.
- Firmware and Signature Downloads from FortiGuard – 443 HTTPS.
- FortiGuard Server List requests to FortiGuard – 1027 UDP / 1031 UDP.
- AntiSpam and Web Filtering rating lookup requests – 1027 UDP / 1031 UDP.
- AntiVirus/IPS Push / FortiGuard to FortiGate – 9443 UDP.
- Try to connect to FortiGuard Servers.
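A captured update debug session can be triaged offline before changing configuration. The following is an added example, not Fortinet code: it parses lines in the debug format shown above and lists which of this article's steps the failures point to. The symptom labels, the symptom-to-step mapping and the tolerance for a leading timestamp are assumptions of the example.

```python
import re
from collections import Counter

# Debug line shape on the page: function[source-line]-message. search() tolerates
# a leading console timestamp (its exact format is an assumption).
LINE_RE = re.compile(r"(\w+)\[(\d+)\]-(.*)$")
UPDATE_ID_RE = re.compile(r"update\[([0-9a-f]{8})\]")

# Message substrings copied from the article's log -> symptom label (labels are mine).
SYMPTOMS = {
    "Resolve fds ip address failed": "dns_v4_failed",
    "Resolve fds ipv6 address failed": "dns_v6_failed",
    "No server found for update": "no_fds_server",
    "UPDATE failed": "update_failed",
    "Failed getting wan ip": "wan_ip_failed",
}
# Symptom set -> article step to check, in the article's order (mapping is an assumption).
CHECKS = [
    ({"dns_v4_failed", "dns_v6_failed"},
     "management VDOM: switch management to a VDOM with internet access"),
    ({"no_fds_server"},
     "server list: disable fortiguard-anycast; if FortiManager-managed, check include-default-servers"),
    ({"update_failed", "wan_ip_failed"},
     "transport: retry the update; if it still fails, try the other port (8888 or 53)"),
]

def triage(log_text):
    """Count known failure messages and list the article steps they point to."""
    seen, update_ids = Counter(), []
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw.strip())
        if not m:
            continue  # not an update-daemon debug line
        msg = m.group(3).lower()
        for needle, label in SYMPTOMS.items():
            if needle.lower() in msg:
                seen[label] += 1
        update_ids += [u for u in UPDATE_ID_RE.findall(msg) if u not in update_ids]
    checks = [step for labels, step in CHECKS if labels & set(seen)]
    return {"symptoms": dict(seen), "update_ids": update_ids, "checks": checks}

# Sample input: an excerpt of the article's own debug output.
SAMPLE = """\
upd_fds_load_default_server[935]-Resolve fds ip address failed.
upd_fds_load_default_server6[4554]-Resolve fds ipv6 address failed.
upd_fds_create_list[1234]-No server found for update[00000002]
do_update[495]-UPDATE failed
upd_fds_create_list[6456]-No server found for update[00000040]
do_check_wanip[635]-Failed getting wan ip
"""
```

Calling `triage(SAMPLE)` returns the symptom counts, the update IDs seen, and the ordered list of steps to check.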
Copyright 2024 Fortinet, Inc. All Rights Reserved.