spoojary
Staff
Article Id 276465
Description:

This article describes an issue where FortiGate devices are unable to reach the FortiGuard servers, impacting the functionality of firewall policies due to outdated dynamic objects.

Scope:

FortiGate.

Solution:

A FortiGate device was unable to establish communication with the FortiGuard servers. While the DNS resolution and other network path checks were verified and found to be operational, FortiGate still reported the FortiGuard server's unreachability.

Troubleshooting Steps:

  1. Initial Assessment.

  2. Detailed Analysis.

    • Reviewed the pings and connectivity checks, as suggested by the troubleshooting steps.
    • Analyzed the configuration files and debug logs shared.
    • Identified that under 'config system central-management', the setting 'set include-default-servers' was set to 'disable'.

  3. Solution Implementation.

    • During a scheduled remote session, compared the configuration with that of two other firewalls that were working correctly.
    • Found that the setting 'set include-default-servers' was set to 'enable' on the operational firewalls.
    • Enabling 'set include-default-servers' on the problematic FortiGate resolved the issue.

Solution:

For FortiGate devices facing a similar issue of FortiGuard server unreachability, check the 'include-default-servers' setting under the 'config system central-management' section. If it is set to 'disable', enable it and then verify connectivity to the FortiGuard servers.
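The following FortiOS CLI session is an added example, not part of the original article: it shows the setting as found on the affected unit, the corrected form, and the commands used to confirm that FortiGuard is reachable again. Lines beginning with '#' are annotations, not CLI input; the 'include-default-servers' option controls whether the public FortiGuard servers are included alongside any custom server-list entries, so disabling it leaves the unit with no default servers to contact.

```fortios
# Before: the value found on the problematic FortiGate
config system central-management
    set include-default-servers disable
end

# After: restore the built-in FortiGuard server list
config system central-management
    set include-default-servers enable
end

# Confirm the change is in the running config
show system central-management

# Check FortiGuard server status (rating/update servers, RTT, last contact)
diagnose debug rating
get system fortiguard

# Trigger an update and watch the update daemon to confirm the servers answer
diagnose debug application update -1
diagnose debug enable
execute update-now
diagnose debug disable
```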

Note:

It is always a good practice to consult with Fortinet support or IT administrators before making configuration changes, especially in production environments.