FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
kaman
Staff
Article Id 389444
Description

 

This article describes potential causes of FortiProxy failing to connect to the FortiGuard servers and how to resolve the issue.

 

FortiProxy v7.4.x:

  1. Go to Dashboard -> Status -> Licenses.
  2. Go to System -> FortiGuard -> License Information.


Scope

 

FortiProxy.

 

Solution

 

FortiProxy communicates with FortiGuard differently for web filtering and antispam than it does for antivirus and IPS.

  1. Ensure that FortiProxy DNS resolution functions correctly by testing the following FortiGuard server hostnames.

 

execute ping service.fortiguard.net
execute ping update.fortiguard.net
execute ping guard.fortinet.net


If DNS resolution is successful, proceed to Step 2. If not, review and correct the DNS configuration.

One of the most common causes is that the 'Use FortiGuard Servers' option has been changed to 'Specify' in order to use an internal DNS server, without switching the DNS protocol or verifying that the new DNS server supports DoT (the default when FortiGuard servers are used), which uses TCP 853, or DoH, which uses TCP 443.

 

In that case the DNS server is unreachable and DNS resolution fails. After switching to UDP port 53, the DNS server becomes reachable and resolution works again.

 

The following CLI commands change the protocol:

config system dns
    set protocol cleartext <----- dot uses TCP/853; cleartext uses UDP/53.
end
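A pre-change check for the DoT/cleartext mismatch described above, as an added Python example that is not part of this article or of FortiProxy: run from an admin host, it probes a candidate DNS server for DoT (TCP/853), DoH (TCP/443) and cleartext (UDP/53) and suggests the matching 'set protocol' value. The 'dot' and 'doh' values are assumed to be the FortiProxy counterparts of 'cleartext', and an open TCP/443 is only treated as a hint of DoH support, not proof of it.

```python
import random
import socket
import struct

QUERY_NAME = "service.fortiguard.net"  # hostname from the article, used as the probe's question

def build_dns_query(name, txid):
    """Build a standard recursive A query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_dns_header(data):
    """Return txid, response flag, RCODE and answer count from a DNS message header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"txid": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF, "answers": an}

def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes (DoT on 853, DoH on 443)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def udp_dns_answers(host, timeout=2.0):
    """True if the server answers a cleartext UDP/53 query with a matching txid."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_dns_query(QUERY_NAME, txid), (host, 53))
            data, _ = sock.recvfrom(512)
            hdr = parse_dns_header(data)  # struct.error on a truncated or non-DNS datagram
        except (OSError, struct.error):
            return False
    return hdr["is_response"] and hdr["txid"] == txid

def recommend_protocol(dot_open, doh_open, cleartext_ok):
    """Map probe results to a 'set protocol' value, preferring encrypted transports (assumed names)."""
    for ok, proto in ((dot_open, "dot"), (doh_open, "doh"), (cleartext_ok, "cleartext")):
        if ok:
            return proto
    return "unreachable"

def probe_dns_server(host):
    """Run all three probes against one DNS server; returns ((dot, doh, cleartext), advice)."""
    results = (tcp_port_open(host, 853), tcp_port_open(host, 443), udp_dns_answers(host))
    return results, recommend_protocol(*results)
```

Call probe_dns_server() with the internal DNS server's IP before switching 'Use FortiGuard Servers' to 'Specify'; a result of ('unreachable') on all three transports points at a firewall or routing problem rather than a protocol mismatch.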

 

Also verify the system DNS configuration: check any source-ip setting and make sure the configured IP is public-facing, not an internal address, because the DNS queries must reach the FortiGuard servers over the public WAN.

If an internal 'source-ip' is configured, reset it to the default (0.0.0.0) or configure a public-facing IP.

 

config system dns
    set source-ip 0.0.0.0 <----- default
end

 

  2. Run 'diagnose debug rating' in the CLI:

 

diagnose debug rating

 

If all servers in the list show F (failed), it could indicate either a rare FortiGuard server outage or a network connectivity issue on this FortiProxy.

 

Check Filtering Services under System -> FortiGuard -> Filtering.


In many cases, FortiGuard problems are caused by the ISP: some ISPs block traffic on port 53 that is not DNS, or that carries large packets. In those cases, use port 8888 instead.

 

Some ISPs block traffic on HTTPS port 8888; in such cases, switching to UDP port 53 provides a solution.

 

Important debug commands for FortiGuard:

 

diagnose debug reset
diagnose debug application update -1
diagnose debug console timestamp enable
diagnose debug enable

 

After enabling the update debug, force a FortiGuard update:

 

execute update-now

 

To stop the debugging, run the following commands:

 

diagnose debug disable
diagnose debug reset

 

The following configuration can also fix various FortiGuard connectivity issues. In this example, 212.48.23.12 is the IP address of the interface facing the ISP router.

 

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53
    set ddns-server-ip 173.243.138.225
    set source-ip 212.48.23.12
end

 

config system dns
    set primary 8.8.8.8
    set source-ip 212.48.23.12
end

 

The source IP should match the IP address of the FortiProxy WAN (ISP-facing) port; if that IP changes, the DNS and FortiGuard settings must be updated as well.

 

With multiple gateways, leave these settings at the default auto mode. Under the DNS settings, an interface can also be specified instead of a source-ip.


Some useful commands for troubleshooting:

show full system setting
show full system dns
diagnose autoupdate version
diagnose autoupdate status
show full system fortiguard
show full system central-management