FortiGate and FortiGuard connectivity can be checked with the command 'diagnose debug rating' or 'get webfilter status'.

For each IP address, the output of the commands shows the following:

• RTT: Round-trip delay.
• Flags
• TZ: Server time zone.
• Curr Lost: The number of recent and consecutive queries without reply.
• Total lost: The historical total number of queries without reply, these values reset when the device restarts.
  
  

This is how FortiGate selects the server to send the rating requests to:

• FortiGate initially uses the delta between the server time zone and the FortiGate system time zone multiplied
  by 10.
• This is the initial weight of the server. To lower the possibility of using a remote server, the weight is
  not allowed to drop below the initial weight.
• The weight goes up with each packet lost.
• The weight goes down over time if there are no packets lost.
• FortiGate uses the server with the lowest weight as the one for the rating queries. If two or more servers have
  the same weight, FortiGate uses the server with the lowest round-trip time (RTT).

The output of this command shows flags beside some servers, and below is the explanation for each flag value.

• I=Initial: The server was initially contacted to validate the license and get the server list. Usually, there is only one server with this flag.
• D=Default: The IP address FortiGate got when resolving the name 'service.fortiguard.net'.
• S=Serving: IP address of servers received from FortiManager.
• T=Timing: The server is not replying to FortiGate queries. The server remains in this state for 15 seconds (default) before being considered as failed.
• F=Failed: The server is down. The server has not responded and is considered to have failed.

Related articles:

Troubleshooting Tip: Resolving FDS Communication Issues (FortiGuard Distribution Servers)

Troubleshooting Tip: Unable to connect to FortiGuard servers

Technical Tip: FortiGuard Overview and Troubleshooting