Description:
This article explains possible reasons why FortiGate is unable to connect to FortiGuard servers and offers steps to troubleshoot the problem.
The 'Unable to connect to FortiGuard servers' error message can be seen in two places:
Scope: FortiGate, FortiWeb.
Solution:
The communication between FortiGate and FortiGuard for web filtering and antispam is different from the communication for antivirus and IPS.
1. Check that FortiGate can resolve the FortiGuard server names by pinging them from the CLI:
exec ping service.fortiguard.net
exec ping update.fortiguard.net
exec ping guard.fortinet.net
If the DNS resolves, move to Step 2.
2. Run 'diagnose debug rating' in the CLI:
diagnose debug rating
The output of the command 'di de rating' displays flags next to servers:
D: The IP address FortiGate received when resolving the name service.fortiguard.net. If the administrator has not overridden the FortiGuard FQDN or IP address in the FortiGuard configuration, there are usually two or three servers with this flag.
S: The IP address FortiGate received from FortiManager.
T: The server is not replying to FortiGate queries.
F: The server is down.
If all servers in the list have F(ailed), this may mean either that all FortiGuard servers on the Fortinet side are down (unlikely) or that this FortiGate has a problem reaching them at the network level.
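As an added example (not part of the Fortinet article), the following Python script parses the server list of a 'diagnose debug rating' output and applies the checks above: it reports when every server carries the F flag, lists servers that are not replying (T), and checks the Web-filter status and license lines. The sample output is constructed, and the header keys and column layout are an assumption modelled on the command's output; verify the regular expressions against the output of your own unit before relying on them.

```python
import re
from dataclasses import dataclass

# Flag meanings as listed in the article (D: learned from DNS, S: from FortiManager,
# T: not replying, F: down).
FLAG_MEANING = {
    "D": "address resolved from service.fortiguard.net",
    "S": "address received from FortiManager",
    "T": "server not replying to FortiGate queries",
    "F": "server marked as down (failed)",
}

# Constructed sample modelled on 'diagnose debug rating' output (assumption: the
# exact header keys and column order may differ between FortiOS builds).
SAMPLE_OUTPUT = """\
Locale       : english
Service      : Web-filter
Status       : Enable
License      : Contract

Service      : Antispam
Status       : Disable
License      : Unknown

Num. of servers : 3
Protocol        : udp
Port            : 8888
Anycast         : Disable

-=- Server List (Mon Jan  1 00:00:00 2024) -=-

IP                Weight  RTT  Flags  TZ  FortiGuard-requests  Curr Lost  Total Lost
208.91.112.220    0       80   DF     -8  120                  5          5
173.243.140.53    10      0    DF     -8  0                    5          5
210.7.96.53       20      0    DF     8   0                    5          5
"""


@dataclass
class RatingServer:
    ip: str
    weight: int
    rtt: int
    flags: str

    def describe(self):
        return ", ".join(FLAG_MEANING.get(f, f"unknown flag {f}") for f in self.flags)


# "Key : value" header lines and "IP weight rtt flags ..." server rows.
_KV_RE = re.compile(r"^\s*([A-Za-z .-]+?)\s*:\s*(.*?)\s*$")
_SERVER_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s+([A-Z]+)\b")


def parse_services(text):
    """Return {service_name: {"Status": ..., "License": ...}} from the header block."""
    services, current = {}, None
    for line in text.splitlines():
        m = _KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Service":
            current = value
            services[current] = {}
        elif current is not None and key in ("Status", "License"):
            services[current][key] = value
    return services


def parse_servers(text):
    """Return the RatingServer entries found after the 'Server List' banner."""
    servers, in_list = [], False
    for line in text.splitlines():
        if "Server List" in line:
            in_list = True
            continue
        m = _SERVER_RE.match(line) if in_list else None
        if m:
            servers.append(RatingServer(m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)))
    return servers


def diagnose(text):
    """Apply the article's checks and return a list of human-readable findings (empty = OK)."""
    findings = []
    servers = parse_servers(text)
    if not servers:
        findings.append("no servers listed: check DNS resolution of service.fortiguard.net")
    elif all("F" in s.flags for s in servers):
        findings.append("all servers flagged F: FortiGate cannot reach FortiGuard at the "
                        "network level (ISP/port block, routing, source-ip) or there is an upstream outage")
    for s in servers:
        if "T" in s.flags:
            findings.append(f"{s.ip}: {FLAG_MEANING['T']}")
    wf = parse_services(text).get("Web-filter", {})
    if wf.get("Status") != "Enable":
        findings.append("Web-filter status is not Enable: check that a Web Filter profile is applied in a firewall policy")
    if wf.get("License") != "Contract":
        findings.append("Web-filter is not licensed (License is not Contract)")
    return findings


if __name__ == "__main__":
    for srv in parse_servers(SAMPLE_OUTPUT):
        print(f"{srv.ip:16} rtt={srv.rtt:4} flags={srv.flags:4} {srv.describe()}")
    for finding in diagnose(SAMPLE_OUTPUT):
        print("-", finding)
```

Paste the real command output into a file and feed it to diagnose() in place of SAMPLE_OUTPUT; the constructed sample deliberately has all three servers flagged DF so the network-level finding fires.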
3. Under global settings, make sure that cloud-communication is set to enable:
FGT # config sys global
FGT (global) # set cloud-communication ?
enable     Allow cloud communication.
disable    Disable all cloud-related settings.
FGT (global) # set cloud-communication enable
FGT (global) # end
From firmware v7.2 onwards, in multi-VDOM mode, users can choose from which VDOM FortiGuard services and updates are initiated, instead of being locked to the management VDOM:
config global
config system fortiguard
set vdom "root"
end
end
The VDOM specified should be able to reach the internet and should be able to resolve DNS queries.
To set up FortiGuard services on a non-management VDOM:
Check Antivirus & IPS Definition under System -> FortiGuard -> AntiVirus & IPS Updates -> Update AV and IPS Definitions.
Check Filtering Services under System -> FortiGuard -> Filtering.
Anycast servers: It is recommended to disable anycast and switch back to unicast servers (see the anycast and unicast modes described below):
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53
end
For FortiGuard's SDNS rating service, there are two modes in FortiOS:
Mode 1: Use of the unicast network, which uses DNS over UDP for FortiGate to FortiGuard transactions.
Mode 2: Use of the anycast network (default), which uses DNS over TLS for FortiGate to FortiGuard transactions.
Mode 1 (unicast):
config system fortiguard
set fortiguard-anycast disable
set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53
end
Mode 2 (anycast):
config system fortiguard
set fortiguard-anycast enable
end
With Anycast, FortiGate is only aware of one single server IP. This is a floating IP address that will connect to the closest server geographically, and if this server is down, it will point to another server instead. With Unicast, the FortiGate must maintain a list of servers that it tries and if one stops working it then switches over to another.
In many cases, problems related to FortiGuard are caused by ISPs. Some ISPs block traffic on port 53 that is not DNS or that contains large packets. In those cases, the solution is to use port 8888.
Other ISPs block traffic to HTTPS port 8888. In those cases, the solution is to use UDP port 53.
Related port information:
5. To configure FortiGate to use worldwide servers or only servers located in the USA, run the following command in the CLI:
config system fortiguard
set update-server-location [usa/any]
end
This can also be done under System -> FortiGuard -> FortiGuard Update in the GUI.
Some debug commands for FortiGuard:
di de reset
diagnose debug application update -1
diagnose debug enable
The following configuration can also fix various issues with FortiGuard servers. In this example, 212.48.23.12 is used as the IP address of the interface facing the ISP router.
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53
set ddns-server-ip 173.243.138.225
set source-ip 212.48.23.12
end
config system dns
set primary 8.8.8.8
set source-ip 212.48.23.12
end
The source IP should match the IP address of the FortiGate WAN (ISP-facing) port. If the source IP changes, the DNS and FortiGuard settings must be updated as well.
Note:
Even after disabling anycast and setting the FortiGuard protocol to UDP, the connection can still fail because the DNS settings continue to use 'DNS over TLS', which is the default. In that case the public IP addresses are reachable, but DNS resolution fails.
Changing the DNS settings to use 'DNS over UDP' allows the domain names to be resolved properly.
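An added example, not from the article: a small Python linter that parses a FortiOS CLI snippet and checks the source-ip consistency described above between 'config system fortiguard' and 'config system dns', plus the anycast and DNS over TLS interaction from the note. The sample configuration is constructed (the DNS source-ip 212.48.23.11 is deliberately one off from the WAN address), and the 'dns-over-tls' setting of 'config system dns' is assumed to exist on your firmware version.

```python
import shlex

# Constructed FortiOS CLI snippet (not from a real unit). The DNS source-ip is
# deliberately different from the FortiGuard source-ip to trigger a finding.
SAMPLE_CONFIG = """\
config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53
    set source-ip 212.48.23.12
end
config system dns
    set primary 8.8.8.8
    set source-ip 212.48.23.11
    set dns-over-tls enable
end
"""


def parse_fortios(text):
    """Parse a FortiOS CLI snippet into {"config path": {setting: [values]}}.

    Nested config/edit blocks are joined with " / "; 'end' and 'next' pop one level.
    """
    tree, path = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if cmd in ("config", "edit"):
            path.append(" ".join(args))
            tree.setdefault(" / ".join(path), {})
        elif cmd in ("end", "next"):
            if path:
                path.pop()
        elif cmd == "set" and path and args:
            tree[" / ".join(path)][args[0]] = args[1:]
    return tree


def lint_fortiguard(text, wan_ip):
    """Apply the article's consistency checks; returns a list of findings (empty = OK)."""
    tree = parse_fortios(text)
    fg = tree.get("system fortiguard", {})
    dns = tree.get("system dns", {})
    findings = []

    # 1. Both source-ip values must match the WAN (ISP-facing) interface address.
    for section, settings in (("system fortiguard", fg), ("system dns", dns)):
        src = settings.get("source-ip", [None])[0]
        if src is None:
            findings.append(f"{section}: no source-ip set")
        elif src != wan_ip:
            findings.append(f"{section}: source-ip {src} does not match WAN address {wan_ip}")

    # 2. Unicast mode needs explicit SDNS servers, and DNS over TLS must be off in
    #    'config system dns' or name resolution still fails (see the note above).
    #    'dns-over-tls' is assumed to be present on this firmware version.
    if fg.get("fortiguard-anycast", [None])[0] == "disable":
        if not fg.get("sdns-server-ip"):
            findings.append("anycast disabled but no sdns-server-ip configured")
        dot = dns.get("dns-over-tls", [None])[0]
        if dot in ("enable", "enforce"):
            findings.append(f"anycast disabled but system dns has dns-over-tls {dot}; use DNS over UDP")
    return findings


if __name__ == "__main__":
    for finding in lint_fortiguard(SAMPLE_CONFIG, "212.48.23.12"):
        print("-", finding)
```

Run it against the output of 'show system fortiguard' and 'show system dns' pasted into one file, passing the WAN interface address as wan_ip; an empty result means the three addresses agree and the unicast settings are consistent.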
Suppose connectivity to FortiGuard is required through one of the outgoing interfaces. In that case, it is possible to use 'interface-select-method' with the 'specify' action and then select the outgoing interface under the FortiGuard configuration. See Technical Tip: Functionality of 'set interface-select-method' for local-traffic with SD-WAN for more information.
config system fortiguard
set interface-select-method {auto|sdwan|specify}
set interface <WAN interface>
end
di de app update -1
di de en
In this case, the output of the debugs looks like:
Try to use 'interface-select-method' with the 'specify' action and then select the outgoing interface under the FortiGuard configuration as mentioned above.
License errors may be found in two places as shown below:
di de application fds 7
di de enable
To disable the debug:
di de di
FortiGuard licenses and the communication to FortiGuard are viewable via GUI through System -> FortiGuard as well as through the CLI using the following commands:
di autoupdate versions
The output is quite long, but it is possible to pipe the output to grep:
di autoupdate versions | grep -A6 "IPS Attack Engine"
diag debug rating
The Web Filter should be licensed:
Check the firewall policy. If there is no Web Filter Profile configured in the firewall policy, the web filter will be shown as disabled in the 'diag debug rating' output.
Note: If the error persists after applying changes, try accessing the same page in another browser or a private window, as the browser might be displaying a cached version of the page.
Related article: Technical Tip: FortiGuard Flags and Meanings
Copyright 2024 Fortinet, Inc. All Rights Reserved.