FortiGate
bmehta
Staff
Article Id 415853
Description This article explains how to add redundant FortiGuard anycast server IPs in scenarios where only a single server IP is configured on a FortiGate.
Scope FortiGate.
Solution

FortiGates running v7.4.7 or earlier that use FortiGuard Web Filtering services may experience limited redundancy when communicating with FortiGuard servers using the anycast method.
In certain scenarios, a FortiGate may be configured with only a single FortiGuard anycast server IP address, which can lead to potential service disruptions in the event of a FortiGuard outage or other service interruptions.

 

To detect and use a secondary redundant FortiGuard Anycast server IP, the urlfilter daemon must be manually restarted. This allows the FortiGate to learn additional FortiGuard server addresses and maintain redundancy in case of service interruptions.

 

Verification steps:

  1. Check the current FortiGuard rating IPs. Run the following command to review the current FortiGuard rating server connections.

diagnose debug rating

For FortiGates with their location set to the USA, the presence of only a single IP indicates that the unit has not yet discovered additional FortiGuard IP addresses.

  2. Restart URLFilter or FortiOS to get the updated list of IPs.

diagnose test application urlfilter 99

Expected output after the restart:
When update-server-location is set to USA under the FortiGuard configuration, it resolves to two US Anycast IPs.


When update-server-location is set to automatic under FortiGuard configurations for US customers, it resolves to the global Anycast IP along with the two US Anycast IPs.

  3. For any future FortiGuard IP additions or changes, repeat step 2. This issue is addressed in FortiOS v7.4.8 (1119595). Refer to the FortiOS 7.4.8 Release Notes.
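
The check in step 1 can be run over saved CLI output from many units. The following Python is an added example, not part of the original article or Fortinet's tooling: it reads captured `diagnose debug rating` text and flags a unit that lists fewer than two rating servers. The function names (`rating_servers`, `lacks_redundancy`), the sample text, its column layout and the documentation-range addresses are all constructed assumptions.

```python
import ipaddress

# Constructed sample of saved "diagnose debug rating" output (layout assumed;
# addresses are documentation-range placeholders, not real FortiGuard IPs).
SAMPLE_SINGLE = """\
Locale       : english
Service      : Web-filter
Status       : Enable
License      : Contract

-=- Server List (Mon Jan  6 10:00:00 2025) -=-

IP                     Weight    RTT Flags  TZ    FortiGuard-requests  Curr Lost Total Lost  Updated Time
192.0.2.10                  0     12 DI      0                   1500          0          3  Mon Jan  6 09:59:01 2025
"""

# Constructed sample of the same unit after a second server has been learned.
SAMPLE_REDUNDANT = SAMPLE_SINGLE + (
    "198.51.100.20               0     15         0                    200          0          0  Mon Jan  6 09:59:01 2025\n"
)


def rating_servers(output):
    """Return the unique server IPs found at the start of table rows."""
    servers = []
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # banner, column header or key/value line
        if str(ip) not in servers:
            servers.append(str(ip))
    return servers


def lacks_redundancy(output, minimum=2):
    """True when fewer than `minimum` rating servers are listed."""
    return len(rating_servers(output)) < minimum


if __name__ == "__main__":
    for name, text in (("single", SAMPLE_SINGLE), ("redundant", SAMPLE_REDUNDANT)):
        ips = rating_servers(text)
        state = "restart urlfilter (step 2)" if lacks_redundancy(text) else "ok"
        print(f"{name}: {len(ips)} server(s) {ips} -> {state}")
```

Because the parser only keys on a leading IP address, it tolerates column changes between builds; a unit it flags still needs step 2 run on the FortiGate itself.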