Description
This article explains how to troubleshoot an issue where the local FortiGate shows that the FortiGuard service is unavailable. This issue only occurs when FortiManager is configured as a Local FortiGuard Distribution Server (FDS).
Scope
FortiManager & FortiGate.
Solution
1) When the local FortiGate shows the error that the FortiGuard service is unavailable, it means that the FortiGate is unable to connect to FortiManager to get FDS updates.
2) Run the following CLI debug commands to check the error:
# diagnose debug application update -1
# diagnose debug enable
# execute update-now
Sample error message:
[359] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
pack_obj[202]-Packing obj=Protocol=3.0|Command=Setup
get_fcpr_response[348]-Wan ip=[103.105.215.2]
upd_comm_disconnect_fds[499]-Disconnecting FDS 173.243.140.6:443
3) The configuration on FortiGate includes the following:
# config system central-management
    config server-list
        edit 1
            set server-type update rating
            set addr-type ipv4
            set server-address 10.10.10.1
        next
    end
    set include-default-servers enable
end
4) The output shows that the FortiGate is configured to use FortiManager for FortiGuard services. The server-type 'update rating' means the FortiGate queries FortiManager both for ratings (web filtering, antispam, etc.) and for updates (antivirus, IPS, etc.). The 'include-default-servers' parameter is enabled, which allows the FortiGate to fall back to the public FortiGuard servers when FortiManager is unavailable.
5) Run 'diagnose debug rating' on the FortiGate and check whether the output lists both the FortiManager IP and the IP of the public FortiGuard server.
6) FortiGate can use several ports to communicate with FortiGuard. If HTTPS port 443 is not working, anycast must be disabled before the port can be changed; after disabling anycast, switch to UDP port 8888.
# config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
end
7) Once the changes have been made, check the availability again. The service availability should now show as 'available'.
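Steps 2 through 4 above amount to reading two artefacts together: the update daemon's debug output and the central-management server-list. The following Python script, added here as an illustration and not part of the Fortinet article or of FortiOS, parses both (using the article's own sample debug output and configuration, embedded as constructed input) and reports the certificate verification error, the FDS peer whose session was dropped, and whether that peer is the configured local FDS (FortiManager) or a default FortiGuard server reached through 'include-default-servers'. The classification of a peer that is not in server-list as a default server is an inference from the configuration, marked as such in the code; the regular expressions are assumptions fitted to the log format shown in the article.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the 'diagnose debug application update -1' output quoted
# in the article, one event per line.
SAMPLE_DEBUG = (
    "[359] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0\n"
    "pack_obj[202]-Packing obj=Protocol=3.0|Command=Setup\n"
    "get_fcpr_response[348]-Wan ip=[103.105.215.2]\n"
    "upd_comm_disconnect_fds[499]-Disconnecting FDS 173.243.140.6:443\n"
)

# Constructed sample: the FortiGate central-management block from the article.
SAMPLE_CONFIG = """\
config system central-management
    config server-list
        edit 1
            set server-type update rating
            set addr-type ipv4
            set server-address 10.10.10.1
        next
    end
    set include-default-servers enable
end
"""

# Patterns (assumed from the article's log lines) for the two debug events that
# matter: the TLS verify callback reporting a cert error, and the FDS disconnect.
CERT_ERR_RE = re.compile(r"Cert error (\d+), (.+?)\. Depth (\d+)")
DISCONNECT_RE = re.compile(r"Disconnecting FDS (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
SERVER_ADDR_RE = re.compile(r"^\s*set server-address (\S+)", re.MULTILINE)
DEFAULT_SERVERS_RE = re.compile(r"^\s*set include-default-servers (enable|disable)", re.MULTILINE)


@dataclass
class FdsDiagnosis:
    cert_error_code: Optional[int] = None
    cert_error_text: str = ""
    cert_error_depth: Optional[int] = None
    fds_peer: Optional[str] = None
    fds_port: Optional[int] = None
    configured_servers: List[str] = field(default_factory=list)
    include_default_servers: bool = False

    def peer_is_configured_server(self) -> Optional[bool]:
        """True if the FDS peer is a server-list entry (the local FDS); None if no peer seen."""
        if self.fds_peer is None:
            return None
        return self.fds_peer in self.configured_servers

    def findings(self) -> List[str]:
        out = []
        if self.cert_error_code is not None:
            # Depth 0 is the server's own certificate; higher depths are CA certificates.
            where = ("the server certificate itself" if self.cert_error_depth == 0
                     else f"a CA certificate at chain depth {self.cert_error_depth}")
            out.append(f"certificate verification failed with error {self.cert_error_code} "
                       f"({self.cert_error_text}) on {where}")
        if self.fds_peer is not None:
            peer = f"{self.fds_peer}:{self.fds_port}"
            if self.peer_is_configured_server():
                out.append(f"FDS session to the configured local FDS {peer} was dropped")
            elif self.include_default_servers:
                # Inference: a peer outside server-list while include-default-servers is
                # enabled means the FortiGate was polling a default FortiGuard server.
                out.append(f"FDS session to {peer} was dropped; peer is not in server-list, "
                           f"so this is a default FortiGuard server reached via include-default-servers")
            else:
                out.append(f"FDS session to {peer} was dropped; peer is not in server-list "
                           f"and include-default-servers is disabled")
        return out


def parse_central_management(config_text: str) -> Tuple[List[str], bool]:
    """Pull the server-list addresses and the include-default-servers flag."""
    servers = SERVER_ADDR_RE.findall(config_text)
    m = DEFAULT_SERVERS_RE.search(config_text)
    return servers, bool(m and m.group(1) == "enable")


def parse_update_debug(debug_text: str) -> FdsDiagnosis:
    """Scan update-daemon debug lines for the cert error and the FDS disconnect."""
    d = FdsDiagnosis()
    for line in debug_text.splitlines():
        m = CERT_ERR_RE.search(line)
        if m:
            d.cert_error_code = int(m.group(1))
            d.cert_error_text = m.group(2)
            d.cert_error_depth = int(m.group(3))
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            d.fds_peer, d.fds_port = m.group(1), int(m.group(2))
    return d


def diagnose(debug_text: str, config_text: str) -> FdsDiagnosis:
    """Combine the debug output with the running configuration into one diagnosis."""
    d = parse_update_debug(debug_text)
    d.configured_servers, d.include_default_servers = parse_central_management(config_text)
    return d


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DEBUG, SAMPLE_CONFIG).findings():
        print("-", finding)
```

Run against the article's sample, the script reports error 20 on the server certificate itself and a dropped session to 173.243.140.6:443, which is not the configured 10.10.10.1; with 'include-default-servers' enabled that points at the fallback path to a default FortiGuard server, which is exactly what step 5 ('diagnose debug rating') and step 6 (switching away from HTTPS 443) go on to check and change.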
Related link: Technical Tip: Configure FortiManager as a local FDN server for FortiGates
Copyright 2024 Fortinet, Inc. All Rights Reserved.