FortiGate
Article Id 189505
Description

This article describes an issue where a FortiGate that was previously able to communicate with the FortiGuard servers on port 53 or port 8888 loses that connectivity.

Scope
FortiGate v7.0 and above.
Solution

This issue is typically caused by a device downstream of the FortiGate (for example, an ISP router or firewall) blocking the traffic. There are two potential causes:

  1. DNS Compliance Checking:
    By default the FortiGuard service traffic uses port 53. Although it runs on the DNS port, it is not DNS and does not conform to the DNS protocol format. If a device downstream of the FortiGate performs DNS compliance (protocol validation) checking on port 53, it may drop this traffic.

  2. Source Port Blocking:
    When the service restarts, it picks a random source port from the range 1024-25000. Some ISPs block traffic with a source port in the range 1025-1030. If the service happens to select a port in that blocked range, connectivity is lost until it restarts again with a different source port.

Solution:

  • Switch the FortiGuard service back to port 53. If communication fails on port 53, downstream DNS compliance checking is the likely cause; switch the service back to port 8888.
  • If communication on port 53 does not fail, the issue was likely source port blocking. To prevent recurrence, change the source port range used for management traffic so that it no longer overlaps the range the ISP blocks:


config sys global
    set ip-src-port-range 1035-25000
end
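The following is an added helper, not Fortinet code, that reads a `config system global` snippet such as the one above, extracts `ip-src-port-range`, and reports whether it overlaps a source port range known to be blocked upstream. The blocked range 1025-1030 comes from this article; the two sample config snippets are constructed for illustration, and the parser handles only the flat `config` / `set` / `end` form shown here (assumption: no nested `edit` entries).

```python
"""Check a FortiOS 'config system global' snippet for an ip-src-port-range
that overlaps a source port range blocked by an upstream device.

Added example, not Fortinet code. The only blocked range built in (1025-1030)
is the one named in the article; callers may pass others."""
import re
from typing import Dict, List, Optional, Tuple

PortRange = Tuple[int, int]

# Source port range the article says some ISPs block (from the article text).
ISP_BLOCKED_RANGES: List[PortRange] = [(1025, 1030)]

# Constructed sample: the default range the service draws from (per the article).
DEFAULT_CONFIG = """
config system global
    set ip-src-port-range 1024-25000
end
"""

# Constructed sample: the corrected range from the article's solution.
FIXED_CONFIG = """
config sys global
    set ip-src-port-range 1035-25000
end
"""


def parse_fortios_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a flat FortiOS CLI dump into {section path: {key: value}}.

    Understands 'config <path>' ... 'end' blocks and 'set <key> <value>' lines.
    The abbreviated 'sys' is normalised to 'system' so both spellings match."""
    sections: Dict[str, Dict[str, str]] = {}
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            words = line.split()[1:]
            if words and words[0] == "sys":
                words[0] = "system"
            name = " ".join(words)
            stack.append(name)
            sections.setdefault(name, {})
        elif line == "end":
            if stack:
                stack.pop()
        elif line.startswith("set ") and stack:
            parts = line.split(None, 2)
            if len(parts) == 3:
                sections[stack[-1]][parts[1]] = parts[2].strip()
    return sections


def parse_port_range(value: str) -> PortRange:
    """Turn 'lo-hi' into a validated (lo, hi) tuple."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        raise ValueError(f"not a port range: {value!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of bounds: {value!r}")
    return lo, hi


def overlaps(a: PortRange, b: PortRange) -> bool:
    """True if the two inclusive ranges share at least one port."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_src_port_range(
    config_text: str, blocked: List[PortRange] = ISP_BLOCKED_RANGES
) -> Tuple[Optional[PortRange], List[PortRange]]:
    """Return (configured range, blocked ranges it overlaps).

    The range is None when the snippet does not set ip-src-port-range."""
    glob = parse_fortios_config(config_text).get("system global", {})
    value = glob.get("ip-src-port-range")
    if value is None:
        return None, []
    rng = parse_port_range(value)
    return rng, [b for b in blocked if overlaps(rng, b)]


def minimal_safe_start(rng: PortRange, blocked: List[PortRange]) -> int:
    """Smallest start port that clears every blocked range the current one hits.

    This is the minimum; the article's 1035 leaves a few ports of margin."""
    start = rng[0]
    for b in blocked:
        if overlaps(rng, b):
            start = max(start, b[1] + 1)
    return start


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("fixed", FIXED_CONFIG)):
        rng, hits = check_src_port_range(cfg)
        print(f"{label}: range={rng} overlaps={hits}")
```

Running the module prints the default range overlapping 1025-1030 and the corrected 1035-25000 range overlapping nothing; the same check can be pointed at a `show system global` dump copied from a unit to confirm the fix was applied.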