6sITdept
New Contributor III

New ISP causes subscriptions to become unavailable

We have a Fortigate 100D, firmware 5.4.6.

We are in the process of changing our ISP. Our older ISP is plugged into WAN1. We set up the new ISP to WAN2. Everything was working correctly so we unplugged the ISP from WAN1 so everything would go through WAN2. The next day all the internal users were having problems getting to the internet. When we checked the firewall, our subscriptions (support contract, IPS & Application control, Antivirus, webfilter, anti-spam) were all "unavailable".

So we ended up putting the older ISP back and after a while, the licenses started reappearing and the FW worked normally.

It seems like the FW is trying to go out WAN1 to determine if the licenses are valid. But I don't know what else it can be.

Anyone have this problem? And is there a solution?

Thank you.

Hosemacht
Contributor II

Hey there,

First, try to set the FortiGuard filtering port from 53 to 8888 (maybe your new ISP is blocking the DNS port).

If that doesn't work, set the IP of self-originated traffic for FortiGuard services to the IP from WAN2.

https://help.fortinet.com...iginated%20traffic.htm

sudo apt-get-rekt

Dave_Hall
Honored Contributor

Changing ISPs and/or rebooting the fgt will sometimes cause a delay in the fgt contacting the FortiGuard servers. As an age-old remedy, there used to be an old KB article detailing the steps to take, similar to this one. Assuming you are either using public DNS servers or use the DNS settings for the new ISP, I would attempt to force update the AV/IPS definitions, then check the System log to see if an update went through, then check to see if the fgt successfully contacted the FortiGuard servers. Failing that, I would try (as Robert above suggested) changing the connection port (53 or 8888).

Remember that the fgt needs a successfully working DNS for it to reach the FortiGuard servers.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
