I configured my FortiGate to use EU update servers:
The status dashboard still shows an US flag and IP for the update server:
How do I verify my update server restriction for EU update servers?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Created on 01-23-2023 01:38 AM Edited on 01-23-2023 01:43 AM
Issue was fixed by enabling public FortiGuard servers and disabling anycast:
config system fortiguard
set fortiguard-anycast disable
end
Hello,
You may consider to run the commands below and check which IP addresses/domains FortiGate is trying to reach.
diagnose debug application update -1
diagnose debug enable
execute update-now
Here is the list of domains:
Created on 01-20-2023 07:55 AM Edited on 01-20-2023 07:59 AM
# diagnose debug application update -1
Debug messages will be on for 30 minutes.
# diagnose debug enable
# execute update-now
# upd_daemon[1844]-Received update request from pid=1015
upd_daemon[1658]-Found cached action=00000002
do_update[644]-Starting now UPDATE
upd_fds_load_default_server6[1046]-Resolve and add fds euupdate.fortinet.net ipv6 address failed.
upd_comm_connect_fds[459]-Trying FDS 173.243.142.6:443
[114] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[482] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[488] ssl_ctx_use_builtin_store: Enable CRL checking.
[495] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[766] ssl_ctx_create_new_ex: SSL CTX is created
[793] ssl_new: SSL object is created
[187] ssl_add_ftgd_hostname_check: Add hostname checking 'euupdate.fortinet.net'
[345] __ssl_crl_verify_cb: CRL not found. Depth 0
__upd_peer_vfy[334]-Server certificate OK.
[385] __bio_mem_dump: OCSP status good
[360] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
update_status_obj[713]-#### contract expiry=Tue Dec 3 01:00:00 2024
upd_status_extract_contract_info[1220]-Extracting contract...(SupportLevelDesc=05:Advanced HW*06:Web/Online*10:8x5*20:Premium)
doInstallUpdatePackage[1031]-Full obj found for ALCI000
doInstallUpdatePackage[1041]-Updating obj ####
installUpdObjRest[789]-Step 5:Backup /data2/alci.dat->/tmp/update.backup
installUpdObjRest[817]-Step 6:Copy new object /tmp/upd9zzk8x->/data2/alci.dat
installUpdObjRest[896]-Step 7:Validate object
installUpdObjRest[920]-Step 8:Re-initialize using new obj file
upd_status_extract_alci_info[1337]-Extracting account contracts...()
upd_status_extract_alci_info[1359]-Finished reading account contracts
upd_install_pkg[1432]-FCNI000(fcni) installed successfully
upd_install_pkg[1432]-FDNI000(fdslist) installed successfully
upd_install_pkg[1432]-FSCI000(contract) installed successfully
upd_install_pkg[1406]-CIDB000 is up-to-date
upd_install_pkg[1406]-IPGO000 is up-to-date
upd_install_pkg[1406]-FFDB019 is up-to-date
upd_install_pkg[1406]-UWDB001 is up-to-date
upd_install_pkg[1406]-CRDB000 is up-to-date
upd_install_pkg[1406]-DBDB001 is up-to-date
upd_install_pkg[1412]-SFAS000 is unauthorized
upd_install_pkg[1406]-MCDB001 is up-to-date
upd_install_pkg[1432]-ALCI000(alci) installed successfully
upd_install_pkg[1406]-MADB001 is up-to-date
upd_install_pkg[1406]-AFDB001 is up-to-date
upd_install_pkg[1406]-ICDB001 is up-to-date
upd_status_save_status[132]-try to save on status file
upd_status_save_status[198]-Wrote status file
__upd_act_update[325]-Package installed successfully
upd_comm_disconnect_fds[500]-Disconnecting FDS 173.243.142.6:443
[1067] ssl_ctx_free: Done
[1048] ssl_disconnect: Shutdown
do_update[675]-UPDATE successful
Hello,
DNS entry (euupdate.fortinet.net) looks good. I would recommend to reboot the unit and check IP address/es again.
In case the issue persists after the reboot you may consider to contact Fortinet:
https://www.fortiguard.com/faq/general-contact
Created on 01-20-2023 09:49 AM Edited on 01-20-2023 09:56 AM
I disabled Override FortiGuard Servers to stop my FortiGate from connection to non-EU update servers. Now it can't connect to any update servers at all. I opened a service ticket with Fortinet Support (Ticket # 7995547).
Hello,
I would recommend to run the commands below in order to verify whether DNS entry is resolved and check which IP addresses FortiGate is trying to reach:
diagnose debug application update -1
diagnose debug enable
execute update-now
After that you may consider to sniff (diagnose sniffer packet any 'host <destination IP address>' 6 0 a) traffic towards the server and check whether TCP/TLS sessions are established successfully.
Please find the details below how to convert text file to pcap:
Created on 01-23-2023 01:38 AM Edited on 01-23-2023 01:43 AM
Issue was fixed by enabling public FortiGuard servers and disabling anycast:
config system fortiguard
set fortiguard-anycast disable
end
Hi
I see that the issue is still there, I got this after upgrading the firmware
Thanks, you save me.
DevOps should check this ASAP
I've opened a ticket, and say them this, I'll let you know what will be their answer.
Bye
Hi All,
Here the answer of the Fortinet support team :
"
At random times the anycast will not resolve anything and the web filtering will start blocking connections.
Anycast can be ISP/region specific and may not always work. This is why the old unicast option is available.
Unicast was the original method of communicating with Fortiguard servers. Anycast was added since FOS 6.4.0
https://docs.fortinet.com/document/fortigate/6.4.0/new-features/925541/use-anycast-to-communicate-wi...
https://docs.fortinet.com/document/fortigate/6.4.12/administration-guide/042459/fortiguard#Anycast
"
So, hope you'll be lucky when you do an upgrade firmware.
I've done an upgrade from V7.4.2 to V7.4.4
Hope that help
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1031 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.