FortiManager
Anonymous
Article Id 241487
Description

This article describes how to troubleshoot an issue where the local FortiGate shows that the FortiGuard service is unavailable. This issue only occurs when FortiManager is configured as a Local FortiGuard Distribution Server (FDS).

Scope
FortiManager & FortiGate.
Solution
  When the following error displays on the local FortiGate, it means that the FortiGate is unable to connect to FortiManager to get FDS updates:

    [Screenshot: FortiGate GUI showing the FortiGuard service as unavailable]

  1. Run the following CLI debug commands to see why the update fails:

    diagnose debug application update -1
    diagnose debug enable
    execute update-now

    Sample error message:

    [359] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
    pack_obj[202]-Packing obj=Protocol=3.0|Command=Setup
    get_fcpr_response[348]-Wan ip=[103.105.215.2]
    upd_comm_disconnect_fds[499]-Disconnecting FDS 173.243.140.6:443

    'Cert error 20' is the OpenSSL verification result X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the FortiGate could not find, in its own trust store, the CA that issued the certificate presented by the update server (Depth 0 is the server certificate itself), so the TLS session to the FDS on port 443 is closed before any update is exchanged.

  2. The configuration on FortiGate includes the following:

    config system central-management
        config server-list
            edit 1
                set server-type update rating
                set addr-type ipv4
                set server-address 10.10.10.1
            next
        end
        set include-default-servers enable
    end

  3. From this output, it can be seen that the FortiGate is configured to use FortiManager for FortiGuard services. The server type 'update rating' means the FortiGate sends both rating queries (web filtering, antispam, etc.) and package update queries (antivirus, IPS, etc.) to FortiManager. The 'include-default-servers' parameter is enabled, which allows the FortiGate to fall back to the public FortiGuard servers when FortiManager is unavailable.
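As an added illustration that is not part of the original article, the following Python helper parses the two artifacts collected in steps 1 and 2 (the 'diagnose debug application update' output and the 'config system central-management' block) and summarises what they say: which FDS peers the FortiGate actually talked to and on which port, whether the failure is a TLS chain problem, and whether fallback to the public FortiGuard servers is enabled. The sample inputs are the article's own; the OpenSSL error-code table, the regular expressions and the rule that any peer not listed as a local FDS is a public server are this example's assumptions.

```python
"""Triage helper for a FortiGate whose FortiGuard/FDS updates fail (example, not Fortinet code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Subset of OpenSSL X509 verify result codes (assumption: the update daemon reports
# the raw OpenSSL code in its __ssl_crl_verify_cb line, as in the article's sample).
X509_ERRORS = {
    2: "unable to get issuer certificate",
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self-signed certificate",
    19: "self-signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
    23: "certificate revoked",
    27: "certificate not trusted",
}
TLS_CHAIN_CODES = {2, 18, 19, 20, 21, 27}

CERT_RE = re.compile(r"Cert error (\d+), ([^.]+)\. Depth (\d+)")
FDS_RE = re.compile(r"Disconnecting FDS (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
WAN_RE = re.compile(r"Wan ip=\[([^\]]+)\]")

# Constructed copies of the article's own sample output and configuration.
SAMPLE_DEBUG = """\
[359] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
pack_obj[202]-Packing obj=Protocol=3.0|Command=Setup
get_fcpr_response[348]-Wan ip=[103.105.215.2]
upd_comm_disconnect_fds[499]-Disconnecting FDS 173.243.140.6:443
"""
SAMPLE_CONFIG = """\
config system central-management
    config server-list
        edit 1
            set server-type update rating
            set addr-type ipv4
            set server-address 10.10.10.1
        next
    end
    set include-default-servers enable
end
"""


@dataclass
class UpdateDebug:
    cert_errors: List[Tuple[int, int, str]] = field(default_factory=list)  # (code, depth, text)
    fds_peers: List[Tuple[str, int]] = field(default_factory=list)         # (ip, port)
    wan_ip: Optional[str] = None


def parse_update_debug(text: str) -> UpdateDebug:
    """Pull certificate errors, FDS peers and the reported WAN IP out of the debug output."""
    result = UpdateDebug()
    for line in text.splitlines():
        m = CERT_RE.search(line)
        if m:
            code, msg, depth = int(m.group(1)), m.group(2).strip(), int(m.group(3))
            result.cert_errors.append((code, depth, X509_ERRORS.get(code, msg)))
            continue
        m = FDS_RE.search(line)
        if m:
            result.fds_peers.append((m.group(1), int(m.group(2))))
            continue
        m = WAN_RE.search(line)
        if m:
            result.wan_ip = m.group(1)
    return result


@dataclass
class CentralMgmt:
    servers: List[dict] = field(default_factory=list)
    include_default_servers: bool = False


def parse_central_management(text: str) -> CentralMgmt:
    """Line-based parse of the server-list entries and the include-default-servers flag."""
    cfg = CentralMgmt()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = {"id": line.split(None, 1)[1], "server-type": [], "server-address": None}
        elif line.startswith("set server-type") and current is not None:
            current["server-type"] = line.split()[2:]
        elif line.startswith("set server-address") and current is not None:
            current["server-address"] = line.split()[2]
        elif line == "next" and current is not None:
            cfg.servers.append(current)
            current = None
        elif line.startswith("set include-default-servers"):
            cfg.include_default_servers = line.split()[2] == "enable"
    return cfg


def triage(debug: UpdateDebug, cfg: CentralMgmt) -> dict:
    """Combine both parses into findings an operator can act on."""
    local_fds = [s["server-address"] for s in cfg.servers if "update" in s["server-type"]]
    return {
        "local_fds": local_fds,
        "tls_chain_failure": any(code in TLS_CHAIN_CODES for code, _, _ in debug.cert_errors),
        "fallback_to_public_enabled": cfg.include_default_servers,
        # Assumption: a peer that is not a configured local FDS is a public FortiGuard server.
        "contacted_public_fds": any(ip not in local_fds for ip, _ in debug.fds_peers),
        "ports_tried": sorted({port for _, port in debug.fds_peers}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_update_debug(SAMPLE_DEBUG), parse_central_management(SAMPLE_CONFIG)).items():
        print(f"{key}: {value}")
```

Run against the article's sample, the helper reports a TLS chain failure on port 443 and that the peer being disconnected (173.243.140.6) is not the configured local FDS (10.10.10.1), i.e. the FortiGate has already fallen back to a public server because 'include-default-servers' is enabled; that is the situation step 5 addresses by changing the transport.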

  4. Run 'diagnose debug rating' on the FortiGate and check whether both the FortiManager IP and the public FortiGuard server IPs appear in the rating server list.

    [Screenshot: output of 'diagnose debug rating' listing the FortiManager and public FortiGuard server IPs]

  5. FortiGate can use several protocols and ports to reach FortiGuard servers. If HTTPS on port 443 is not working (as with the certificate error in the sample output above), anycast must be disabled before the protocol and port can be changed. After disabling anycast, switch to UDP port 8888:

    config system fortiguard
        set fortiguard-anycast disable
        set protocol udp
        set port 8888
    end

  6. Once the changes have been made, check the availability again. The service availability should now show as 'available'.

    [Screenshot: FortiGate GUI showing the FortiGuard service as available]

Related articles: 

Technical Tip: Configure FortiManager as a local FDN server for FortiGates

Technical Tip: Verifying FortiGuard connectivity on FortiManager