FortiDave
New Contributor III

Failing to Connect to Fortiguard Services

Hi all,

I've just set up two new FGTs and am getting the below errors on both when trying to update IPS etc.

Would anyone have any guidance here? Is it most likely the account, which I'm pretty sure is correct?

Is there a cut and dry command which will tell you what exactly the issue is here?

image.png

sjoshi
Staff

Dear

 

Thank you for posting to the Fortinet Community Forum.

 

Problem Description:-

Failing to Connect to Fortiguard Services
 
Please share the below output:

get sys status
get hardware status
get sys performance status >>>>>> (run it 3 times)
diag sys top 5 30 >>>>>> (let it run 20 seconds and then press "q" to quit)
diag sys top-summary >>>>>> (let it run 20 seconds and then press "q" to quit)
diag debug crashlog read
diagnose autoupdate version
diagnose autoupdate status

get router info routing-table all

show full system fortiguard
show full system setting
show full system dns

execute ping service.fortiguard.net
execute ping update.fortiguard.net

diag test update info

diag debug application update -1
diag debug enable
execute time
exec update-now

wait 15 min,

diagnose debug rating

get system status
get system perf status
get hardware status


execute ping 8.8.8.8
execute ping update.fortiguard.net
execute ping service.fortiguard.net
execute ping directregistration.fortinet.com
show full system fortiguard
show full system central-management

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGuard-Web-Filtering-problems/ta...

Let us know if this helps.

Thanks

Salon Raj Joshi
JonathanTorian_FTNT

Do not necessarily have a "cut and dry" command to tell you what the issue is, but definitely have a recommendation.  Try disabling the "anycast" feature as documented in the following post:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGuard-is-not-reachable-via-Anycast-de...

 

Let us know if this solves the issue for you.

Yurisk

BTW on a few FGTs I checked, it was not enough to just disable anycast (as the document shows) - the FGT would lose connection to Fortiguard altogether, and I had to supply any valid Fortiguard IP from which it would then get the list of the rest of the FDN servers.

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip 208.91.112.220
end
Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yurisk
Valued Contributor

After you've made sure inside your account on https://support.fortinet.com that this Fortigate is registered and has valid entitlement/subscription to the Fortiguard services, check the following:

 

  • Check that FortiGuard license on the Fortigate is in green.
  • Make sure Fortigate can DNS resolve update.fortinet.net, service.fortinet.net
  • Make sure Fortigate can ping service.fortinet.net
  • Try changing communication with FortiGuard port between 53, 8888, 443
  • Make sure (if VDOMs are enabled) that management VDOM has access to the Internet
  • Disable anycast and enable unicast for FortiGuard services.

Some additional details (and my rant) at  Failed to connect to Fortiguard servers verification and debug 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
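An added example, not part of any post in this thread and not Fortinet code: a small Python check that reads saved `show full system fortiguard` output and flags the settings raised in the two replies above (anycast, the port list, and the `sdns-server-ip` needed once anycast is off). The function names and the sample outputs are constructed, and the `set key value` layout of the output is an assumption.

```python
import shlex

# Ports the thread suggests trying for FortiGuard communication.
THREAD_PORTS = {"53", "8888", "443"}

def parse_fortiguard(text):
    """Collect 'set' values from the 'config system fortiguard' block."""
    settings, inside = {}, False
    for raw in text.splitlines():
        try:
            words = shlex.split(raw)      # strips quotes around values
        except ValueError:                # unbalanced quote: fall back
            words = raw.split()
        if words[:3] == ["config", "system", "fortiguard"]:
            inside = True
        elif inside and words[:1] == ["end"]:
            break
        elif inside and len(words) >= 3 and words[0] == "set":
            settings[words[1]] = " ".join(words[2:])
    return settings

def review(settings):
    """Return (code, note) pairs for the points raised in the thread."""
    findings = []
    anycast = settings.get("fortiguard-anycast")
    if anycast != "disable":
        findings.append(("anycast", "fortiguard-anycast is not 'disable'"))
    if settings.get("port") not in THREAD_PORTS:
        findings.append(("port", "port is not one of 53, 8888, 443"))
    if anycast == "disable" and not settings.get("sdns-server-ip"):
        findings.append(("sdns", "anycast disabled but no sdns-server-ip set"))
    return findings

# Constructed sample output, not captured from a real device.
SAMPLE_ANYCAST = """
config system fortiguard
    set fortiguard-anycast enable
    set protocol https
    set port 443
end
"""
SAMPLE_UNICAST = """
config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip "208.91.112.220"
end
"""

if __name__ == "__main__":
    for name, text in (("anycast", SAMPLE_ANYCAST), ("unicast", SAMPLE_UNICAST)):
        print(name, review(parse_fortiguard(text)))
```

An empty result means the block matches what the replies recommend; it does not prove the unit can actually reach FortiGuard, so the DNS and ping checks in the list above still apply.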
FortiDave
New Contributor III

Thanks guys. I can ping 8.8.8.8. But not google.com, so seems to be DNS related.

I've specified various different DNS configs, and still no success.

I will work through some of the recommendations here later today.

I'm connected to my home broadband, it's a LAB build. Are there any obvious concerns here?
