Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Anonymous
Not applicable

Created on ‎11-13-2020 04:25 AM Edited on ‎08-25-2025 03:46 AM By Moderator

Article Id 190041

Technical Tip: FortiGuard is not reachable via Anycast default method

Description


This article describes how to address FortiGuard when the Anycast default method does not work.


Scope


FortiGate v6.4.3 and above.


Solution


By default, v6.4.3 and above are using the Anycast method to address the FortiGuard servers. Relying on Fortinet DNS servers, the FortiGate will get a single IP address for the domain name of each FortiGuard service.

In some circumstances, Anycast does not work:

 
This can be verified with the debug command 'diagnose debug rating':
 
diagnose debug rating
Locale       : english
Service      : Web-filter
Status       : Enable
License      : Contract 
Service      : Antispam
Status       : Disable 
Service      : Virus Outbreak Prevention
Status       : Disable 
Num. of servers : 1
Protocol        : https
Port            : 443
Anycast         : Enable
Default servers : Included
-=- Server List (Tue Nov  3 17:47:32 2020) -=-
 IP                                             Weight    RTT Flags   TZ    Packets  Curr Lost Total Lost             Updated Time
173.243.140.16                                      0      0 DIF      0         14         11         11
 
If a high value of the current loss is noticed, run 'execute traceroute X.X.X.X' to see if the FortiGuard server can be reached (while X.X.X.X is the failing IP of 'diagnose debug rating').
 
Another method to see if FortiGate can reach FortiGuard is to manually run an update and examine the debug output.
 
diagnose debug disable
diagnose debug reset
diagnose debug app update -1
diagnose debug enable
execute update-now
 
Disable debug after around 5 to 10 minutes:
 
diagnose debug disable
diagnose debug reset
 
If the Server cannot be reached, choose between the following options to solve this issue:
 
  1. Switch to other Anycast servers:
 
config system fortiguard                                   
    set fortiguard-anycast-source aws                           
end                         
 
  1. Disable Anycast and use HTTPS with port 8888.

config system fortiguard
    set fortiguard-anycast disable
    set protocol https 
    set port 8888
    set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53
end
fortiguard_port8888.png

 

  1. Disable Anycast and use UDP with Port 53.
 
config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 53

    set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53
end

 

  1. Disable Anycast and use UDP with Port 8888.


config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888

 set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53
end
 
After:
 
    set fortiguard-anycast disable

 

 This can be verified with the debug command 'diagnose debug rating':

After anyvast disable .png

 

Notes:

 

Related articles:

Troubleshooting Tip: Unable to connect to FortiGuard servers

Technical Tip: FortiGuard Overview and Troubleshooting

104003
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.