In FortiGate, webfilter does the real-time lookup for the Web Filter rating query. If Fortigate cannot get the answer to what category the website belongs to, access to this website will be blocked by default. In case for any reason Fortigate cannot reach Fortiguard servers rules where webfilter is called will start blocking the sites.
Below are a few points to check for the proper Fortiguard connectivity:- >> Please check the Fortiguard license status >> Confirm that on FGT DNS is getting resolved for update.fortinet.net, service.fortinet.net >> From Fortigate service.fortinet.net should be pingable >> Fortigate can use ports 53,8888,443 to talk to Fortiguard servers >> Make sure that using the above ports firewall can reach the Fortiguard servers
If connectivity is down from 443 with anycast enable you can try to disable the anycast and use port 53 or 8888.
"dia debug rating" will be helpful to check the server connectivity status
The error "all FortiGuard servers failed to respond" indicates that your Fortinet device was unable to communicate with the FortiGuard servers. FortiGuard is Fortinet's threat intelligence and research division, and their servers provide real-time updates for security ratings, web filtering, antivirus definitions, and other services.
When your Fortinet device can't communicate with the FortiGuard servers, it can't get the updates or make real-time checks for web filtering, leading to the blockage of internet access.
Here are the potential reasons for this error:
1. **Network Connectivity Issues**: The FortiGate may not have a proper connection to the internet or might be experiencing intermittent connectivity issues. 2. **DNS Resolution**: FortiGate uses DNS to resolve the FortiGuard server addresses. If there's a DNS issue, the resolution will fail. 3. **Web Proxy or Firewall**: If there's an upstream proxy or firewall, it might be blocking the FortiGate from accessing the FortiGuard servers. 4. **License Expiration**: If the FortiGuard services license has expired on the FortiGate, it may not be able to connect to the FortiGuard servers. 5. **FortiGuard Outages**: While rare, there might be an outage or issue on Fortinet's end.
### How to Prevent or Resolve this Error:
1. **Check Network Connectivity**: Ensure that the FortiGate has a stable internet connection. You can try pinging external servers or doing trace routes to identify any network bottlenecks. 2. **Check DNS Settings**: Ensure the FortiGate's DNS settings are correctly configured. You might want to try using public DNS servers, like 184.108.40.206 (Google) or 220.127.116.11 (Cloudflare), as a test. 3. **Review Proxy or Firewall Settings**: If there's a web proxy or firewall upstream, ensure that they are not blocking or filtering the FortiGate's attempts to reach the FortiGuard servers. 4. **Validate Licenses**: Check the status of the FortiGuard licenses on the FortiGate and ensure they are active. 5. **Contact Fortinet Support**: If you're unable to identify the issue, reaching out to Fortinet's support can be beneficial. They might have insights if there are any widespread issues or specific regional outages. 6. **Manual Update**: As a temporary measure, you can download the latest FortiGuard database and manually update the FortiGate. 7. **Review FortiGate Logs**: The logs might provide more details on the failure or any attempts to connect to the FortiGuard servers.
Regular monitoring, setting up alerts for license expirations, and ensuring DNS health checks can help in preventing such issues in the future.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.