FortiManager
heng
Staff
Article Id 280585
Description

 

This article describes how to enable anycast for FortiGuard updates on FortiManager/FortiAnalyzer. By default, anycast for FortiGuard updates is disabled. The current anycast domain names for Global servers and US-Only servers are listed below; the domains are signed by a public CA, DigiCert.

 

| FortiGuard Service | Global Servers | US-Only Servers |
|---|---|---|
| AV-IPS package | globalupdate.fortinet.net, globalupdate2.fortinet.net | usupdate.fortinet.net, usupdate2.fortinet.net |
| AV-IPS packages (FortiClient) | globalfctupdate.fortinet.net | fctusupdate.fortinet.net |
| GeoIP | globalupdate.fortinet.net, globalupdate2.fortinet.net | usupdate.fortinet.net, usupdate2.fortinet.net |
| Webfilter, AntiSpam, Outbreak Prevention, Query Category, File Query, AntiVirus Query | globalupdate.fortinet.net, globalupdate2.fortinet.net | usupdate.fortinet.net, usupdate2.fortinet.net |
| IoT Collect | globalupdate.fortinet.net | usupdate.fortinet.net |

 

For the full Unicast and Anycast domain name comparison table, see this reference.

 

Scope

 

FortiManager/FortiAnalyzer.

 

Solution

 

  1. In this example, enable anycast to use FortiGuard global servers.

 

config system global
    set usg disable
end

 

config fmupdate fds-setting
    set fortiguard-anycast enable
end

 

  2. Verify the change for both FDS and FGD: the server addresses now use the prefix globalupdate instead of usupdate.

 

diagnose fmupdate view-serverlist fds
Fortiguard Server Comm : Enabled
Server Override Mode : Loose
FDS server list :
Index    Address                            Port    TimeZone    Distance    Source
------------------------------------------------------------------------------------------------------
*0       globalupdate.fortinet.net          443     8           0           ANYCAST

 

FCT server list :
Index    Address                            Port    TimeZone    Distance    Source
------------------------------------------------------------------------------------------------------
*0       fctupdate.fortinet.net             443     8           0           ANYCAST

 

diagnose fmupdate view-serverlist fgd
Fortiguard Server Comm : Enabled
Server Override Mode : Loose
FGD server list :
Index    Address                            Port    TimeZone    Distance    Source
------------------------------------------------------------------------------------------------------
*0       globalupdate.fortinet.net          443     8           0           ANYCAST

 

GEOIP server list :
Index    Address                            Port    TimeZone    Distance    Source
------------------------------------------------------------------------------------------------------
*0       globalupdate.fortinet.net          443     8           0           ANYCAST

 

 

  3. Debugging can also be run to determine if the connection to FortiGuard via anycast update is failing.

diagnose debug application fdssvrd 255

diagnose debug enable
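To run the serverlist verification above across several units, the saved output of diagnose fmupdate view-serverlist can be checked by script. The following is an added example, not Fortinet code; the function names, the sample text and its placeholder address and Source value are assumptions.

```python
import re

# US-Only anycast names from this article's table; one of these appearing
# after "set usg disable" means the global setting did not take effect.
US_ONLY = {"usupdate.fortinet.net", "usupdate2.fortinet.net",
           "fctusupdate.fortinet.net"}
HEADER = re.compile(r"^(\w+) server list\s*:")
ROW = re.compile(r"^(\*?)(\d+)\s+(\S+)\s+(\d+)\s+(-?\d+)\s+(-?\d+)\s+(\S+)$")


def parse_serverlist(text):
    """Return {list name: [row dict, ...]} from view-serverlist output."""
    lists, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            current = lists.setdefault(m.group(1), [])
        elif (m := ROW.match(line)) and current is not None:
            current.append({"index": int(m.group(2)), "source": m.group(7),
                            "address": m.group(3).lower()})
    return lists


def audit_anycast(text):
    """Report empty lists, non-ANYCAST sources and US-only server names."""
    findings = []
    for name, rows in parse_serverlist(text).items():
        if not rows:
            findings.append(f"{name}: no servers listed")
        for r in rows:
            where = f"{name}[{r['index']}] {r['address']}"
            if r["source"] != "ANYCAST":
                findings.append(f"{where}: source is {r['source']}")
            if r["address"] in US_ONLY:
                findings.append(f"{where}: US-only server")
    return findings


# Constructed sample (not real output); FCT and GEOIP rows are made-up failures.
SAMPLE = """\
FDS server list :
Index    Address                            Port    TimeZone    Distance    Source
*0       globalupdate.fortinet.net          443     8           0           ANYCAST
FCT server list :
*0       fctusupdate.fortinet.net           443     8           0           ANYCAST
GEOIP server list :
*0       192.0.2.10                         443     8           0           OTHER
"""

if __name__ == "__main__":
    print("\n".join(audit_anycast(SAMPLE)) or "all lists use global anycast")
```

An empty result means every list shows only ANYCAST sources and no US-only names.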

 

Related article:

Technical Tip: Verifying FortiGuard connectivity on FortiManager.