Description
This article describes how to address FortiGuard when the Anycast default method does not work.
Scope
FortiGate v6.4.3 and above.
Solution
Per default, v6.4.3 and above are using the Anycast method to address the Fortiguard servers. Relying on Fortinet DNS servers, the FortiGate will get a single IP address for the domain name of each FortiGuard service.
In some circumstances, Anycast does not work:
This can be verified with the debug command 'diagnose debug rating':
diagnose debug rating
Locale : english
Service : Web-filter
Status : Enable
License : Contract
Service : Antispam
Status : Disable
Service : Virus Outbreak Prevention
Status : Disable
Num. of servers : 1
Protocol : https
Port : 443
Anycast : Enable
Default servers : Included
-=- Server List (Tue Nov 3 17:47:32 2020) -=-
IP Weight RTT Flags TZ Packets Curr Lost Total Lost Updated Time
173.243.140.16 0 0 DIF 0 14 11 11
If a high value of the current loss is noticed, run 'execute traceroute X.X.X.X' to see if the FortiGuard server can be reached (while X.X.X.X is the failing IP of 'diagnose debug rating').
Another method to see if FortiGate can reach FortiGuard is to manually run an update and examine the debug output.
di de res
di de app update -1
di de en
exec upate-now
Disable debug after around 5 to 10 minutes:
di de res
If the Server cannot be reached, choose between the following options to solve this issue:
- Switch to other Anycast servers:
config system fortiguard
set fortiguard-anycast-source aws
end
-
Disable Anycast and use HTTPS with port 8888.
config system fortiguard
set fortiguard-anycast disable
set protocol https
set port 8888
set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53
end
-
Disable Anycast and use UDP with Port 53.
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 53
set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53
end
-
Disable Anycast and use UDP with Port 8888.
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53
end
After:
set fortiguard-anycast disable
This can be verified with the debug command 'diagnose debug rating':
Note: