Dannу
Contributor

FortiGate verify update server restriction?

I configured my FortiGate to use EU update servers:

[screenshot]

The status dashboard still shows an US flag and IP for the update server:

[screenshot]

How do I verify my update server restriction for EU update servers?

1 Solution
Dannу

The issue was fixed by enabling public FortiGuard servers and disabling anycast:

config system fortiguard
set fortiguard-anycast disable
end

[screenshot]


abarushka
Staff

Hello,

You may consider running the commands below and checking which IP addresses/domains the FortiGate is trying to reach.

diagnose debug application update -1
diagnose debug enable
execute update-now

Here is the list of domains:

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/326523/use-only-eu-servers-for-forti...

Dannу

Thanks for your quick response.
I pasted the CLI output below confirming that my FortiGate is still connecting to a US update server (173.243.142.6) while I restricted it to connect to EU-only update servers:

# diagnose debug application update -1
Debug messages will be on for 30 minutes.
# diagnose debug enable
# execute update-now

# upd_daemon[1844]-Received update request from pid=1015
upd_daemon[1658]-Found cached action=00000002
do_update[644]-Starting now UPDATE
upd_fds_load_default_server6[1046]-Resolve and add fds euupdate.fortinet.net ipv6 address failed.
upd_comm_connect_fds[459]-Trying FDS 173.243.142.6:443
[114] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[482] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[488] ssl_ctx_use_builtin_store: Enable CRL checking.
[495] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[766] ssl_ctx_create_new_ex: SSL CTX is created
[793] ssl_new: SSL object is created
[187] ssl_add_ftgd_hostname_check: Add hostname checking 'euupdate.fortinet.net'
[345] __ssl_crl_verify_cb: CRL not found. Depth 0
__upd_peer_vfy[334]-Server certificate OK.
[385] __bio_mem_dump: OCSP status good
[360] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
update_status_obj[713]-#### contract expiry=Tue Dec  3 01:00:00 2024
upd_status_extract_contract_info[1220]-Extracting contract...(SupportLevelDesc=05:Advanced HW*06:Web/Online*10:8x5*20:Premium)
doInstallUpdatePackage[1031]-Full obj found for ALCI000
doInstallUpdatePackage[1041]-Updating obj ####
installUpdObjRest[789]-Step 5:Backup /data2/alci.dat->/tmp/update.backup
installUpdObjRest[817]-Step 6:Copy new object /tmp/upd9zzk8x->/data2/alci.dat
installUpdObjRest[896]-Step 7:Validate object
installUpdObjRest[920]-Step 8:Re-initialize using new obj file
upd_status_extract_alci_info[1337]-Extracting account contracts...()
upd_status_extract_alci_info[1359]-Finished reading account contracts
upd_install_pkg[1432]-FCNI000(fcni) installed successfully
upd_install_pkg[1432]-FDNI000(fdslist) installed successfully
upd_install_pkg[1432]-FSCI000(contract) installed successfully
upd_install_pkg[1406]-CIDB000 is up-to-date
upd_install_pkg[1406]-IPGO000 is up-to-date
upd_install_pkg[1406]-FFDB019 is up-to-date
upd_install_pkg[1406]-UWDB001 is up-to-date
upd_install_pkg[1406]-CRDB000 is up-to-date
upd_install_pkg[1406]-DBDB001 is up-to-date
upd_install_pkg[1412]-SFAS000 is unauthorized
upd_install_pkg[1406]-MCDB001 is up-to-date
upd_install_pkg[1432]-ALCI000(alci) installed successfully
upd_install_pkg[1406]-MADB001 is up-to-date
upd_install_pkg[1406]-AFDB001 is up-to-date
upd_install_pkg[1406]-ICDB001 is up-to-date
upd_status_save_status[132]-try to save on status file
upd_status_save_status[198]-Wrote status file
__upd_act_update[325]-Package installed successfully
upd_comm_disconnect_fds[500]-Disconnecting FDS 173.243.142.6:443
[1067] ssl_ctx_free: Done
[1048] ssl_disconnect: Shutdown
do_update[675]-UPDATE successful
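An added example, not from the thread and not a Fortinet tool, that applies abarushka's advice to the debug output Danny posted: it parses the `diagnose debug application update -1` lines for the FDS address actually contacted, the name used for TLS hostname checking, certificate verification errors, per-package outcomes and the final result, and then flags any contacted address that is outside the networks the operator expects the EU update servers to use. The sample lines are a subset of the output quoted above; the network list 192.0.2.0/24 is a constructed placeholder, because the thread does not state which addresses the EU servers use.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Patterns for the FortiOS update daemon debug lines quoted in the thread.
FDS_RE = re.compile(r"upd_comm_connect_fds\[\d+\]-Trying FDS (\S+):(\d+)")
HOST_RE = re.compile(r"ssl_add_ftgd_hostname_check: Add hostname checking '([^']+)'")
PKG_RE = re.compile(
    r"upd_install_pkg\[\d+\]-(\w+)(?:\([^)]*\))? "
    r"(installed successfully|is up-to-date|is unauthorized)"
)
CERT_ERR_RE = re.compile(r"Cert error (\d+), ([^.]+)")
RESULT_RE = re.compile(r"do_update\[\d+\]-UPDATE (\w+)")

# Constructed placeholder: the networks the operator expects the EU update servers
# to answer from. The thread does not list them, so this is an assumption.
EXPECTED_EU_NETWORKS = ["192.0.2.0/24"]


@dataclass
class UpdateSummary:
    servers: List[Tuple[str, int]] = field(default_factory=list)   # FDS endpoints contacted
    hostnames: List[str] = field(default_factory=list)             # names used for TLS hostname check
    packages: Dict[str, str] = field(default_factory=dict)         # package id -> outcome text
    cert_errors: List[Tuple[int, str]] = field(default_factory=list)
    result: Optional[str] = None                                   # e.g. "successful"


def parse_update_debug(text: str) -> UpdateSummary:
    """Extract the facts a defender wants from 'diagnose debug application update -1' output."""
    s = UpdateSummary()
    for line in text.splitlines():
        if m := FDS_RE.search(line):
            s.servers.append((m.group(1), int(m.group(2))))
        elif m := HOST_RE.search(line):
            s.hostnames.append(m.group(1))
        elif m := PKG_RE.search(line):
            s.packages[m.group(1)] = m.group(2)
        elif m := CERT_ERR_RE.search(line):
            s.cert_errors.append((int(m.group(1)), m.group(2).strip()))
        elif m := RESULT_RE.search(line):
            s.result = m.group(1)
    return s


def servers_outside(summary: UpdateSummary, allowed: List[str]) -> List[str]:
    """Return the contacted FDS addresses that fall outside every allowed network."""
    nets = [ip_network(n) for n in allowed]
    return [ip for ip, _ in summary.servers if not any(ip_address(ip) in n for n in nets)]


def findings(summary: UpdateSummary, allowed: List[str]) -> List[str]:
    """Checks worth reporting: wrong region, certificate problems, unlicensed packages, failure."""
    out = []
    for ip in servers_outside(summary, allowed):
        out.append(f"update server {ip} is outside the expected networks {allowed}")
    for code, msg in summary.cert_errors:
        out.append(f"certificate verification error {code}: {msg}")
    for pkg, status in summary.packages.items():
        if status == "is unauthorized":
            out.append(f"package {pkg} is not covered by the contract")
    if summary.result != "successful":
        out.append(f"update did not complete: {summary.result}")
    return out


# Sample input: a subset of the debug lines quoted in the thread above.
SAMPLE_DEBUG = """\
upd_fds_load_default_server6[1046]-Resolve and add fds euupdate.fortinet.net ipv6 address failed.
upd_comm_connect_fds[459]-Trying FDS 173.243.142.6:443
[187] ssl_add_ftgd_hostname_check: Add hostname checking 'euupdate.fortinet.net'
__upd_peer_vfy[334]-Server certificate OK.
[360] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
upd_install_pkg[1432]-FCNI000(fcni) installed successfully
upd_install_pkg[1406]-CIDB000 is up-to-date
upd_install_pkg[1412]-SFAS000 is unauthorized
upd_comm_disconnect_fds[500]-Disconnecting FDS 173.243.142.6:443
do_update[675]-UPDATE successful
"""

if __name__ == "__main__":
    summary = parse_update_debug(SAMPLE_DEBUG)
    print("contacted:", summary.servers, "hostname check:", summary.hostnames)
    for item in findings(summary, EXPECTED_EU_NETWORKS):
        print("finding:", item)
```

Feed it the full debug capture from a session (`diagnose debug application update -1`, `diagnose debug enable`, `execute update-now`) and replace EXPECTED_EU_NETWORKS with the addresses you have confirmed for your region; the point of the hostname-check line is that the daemon validated the certificate against euupdate.fortinet.net even though the socket went to a US address, so the address check, not the name check, is what tells you where the traffic really went.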

abarushka
Staff

Hello,

The DNS entry (euupdate.fortinet.net) looks good. I would recommend rebooting the unit and checking the IP address(es) again.

In case the issue persists after the reboot, you may consider contacting Fortinet:

https://www.fortiguard.com/faq/general-contact

Dannу

I disabled Override FortiGuard Servers to stop my FortiGate from connecting to non-EU update servers. Now it can't connect to any update servers at all. I opened a service ticket with Fortinet Support (Ticket # 7995547).

[screenshot]

abarushka
Staff

Hello,

I would recommend running the commands below in order to verify whether the DNS entry is resolved and to check which IP addresses the FortiGate is trying to reach:

diagnose debug application update -1
diagnose debug enable
execute update-now

After that you may consider sniffing (diagnose sniffer packet any 'host <destination IP address>' 6 0 a) the traffic towards the server and checking whether the TCP/TLS sessions are established successfully.

Please find below the details on how to convert the text file to pcap:


https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sn...
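An added example, not from the thread and not Fortinet's own converter, for the two steps abarushka describes last: it parses the text that `diagnose sniffer packet any 'host <ip>' 6 0 a` prints, writes the frames out as a classic pcap that Wireshark can open, and reports for each frame whether it is a TCP SYN, a SYN-ACK, or carries a TLS handshake record, which is the "TCP/TLS session established" check. The layout assumed here (one timestamped header line per packet, then `0x<offset>` hex dump lines with Ethernet framing) and the three frames in SAMPLE_SNIFFER are constructed for the example, with the addresses taken from the thread and checksums left at zero; the linked community article is the authority on the real format.

```python
import re
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed FortiOS sniffer (verbose level 6) layout: a header line per packet, then
# hex dump lines "0x<offset>  <up to 8 hex words>  <ascii column>".
HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) (\S+) (in|out|--) (.*)$")
HEX_WORD = re.compile(r"^[0-9a-fA-F]{4}$|^[0-9a-fA-F]{2}$")


@dataclass
class Frame:
    ts: datetime
    iface: str
    direction: str
    summary: str
    data: bytes


def parse_sniffer_text(text: str) -> List[Frame]:
    """Rebuild raw frames from the sniffer's text output; offsets are cross-checked."""
    frames: List[Frame] = []
    cur: Optional[dict] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if cur is not None:
                frames.append(Frame(**cur))
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
            cur = {"ts": ts, "iface": m.group(2), "direction": m.group(3),
                   "summary": m.group(4), "data": b""}
            continue
        toks = line.split()
        if cur is None or not toks or not toks[0].lower().startswith("0x"):
            continue                      # banner lines such as interfaces=[any]
        if int(toks[0], 16) != len(cur["data"]):
            raise ValueError(f"offset {toks[0]} does not match {len(cur['data'])} bytes read so far")
        words = []
        for tok in toks[1:9]:             # at most 8 words (16 bytes) per dump line
            if not HEX_WORD.match(tok):
                break                     # the ASCII column starts here
            words.append(tok)
        cur["data"] += bytes.fromhex("".join(words))
    if cur is not None:
        frames.append(Frame(**cur))
    return frames


def write_pcap(frames: List[Frame], linktype: int = 1) -> bytes:
    """Serialize frames as a little-endian classic pcap (linktype 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for f in frames:
        out += struct.pack("<IIII", int(f.ts.timestamp()), f.ts.microsecond,
                           len(f.data), len(f.data)) + f.data
    return bytes(out)


def describe_tcp(data: bytes) -> Optional[Dict]:
    """Endpoints, TCP flags and whether the payload starts a TLS handshake record (0x16 0x03)."""
    if len(data) < 34 or data[12:14] != b"\x08\x00" or data[23] != 6:
        return None                       # not IPv4 over Ethernet carrying TCP
    ihl = (data[14] & 0x0F) * 4
    ip = data[14:14 + ihl]
    tcp = data[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    names = [n for bit, n in ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                              (0x08, "PSH"), (0x10, "ACK")) if tcp[13] & bit]
    payload = tcp[doff:]
    return {"src": f"{'.'.join(map(str, ip[12:16]))}:{sport}",
            "dst": f"{'.'.join(map(str, ip[16:20]))}:{dport}",
            "flags": names,
            "tls_handshake": len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03}


# Constructed sample: SYN, SYN-ACK and the first TLS record towards 173.243.142.6:443.
SAMPLE_SNIFFER = """\
interfaces=[any]
filters=[host 173.243.142.6]
2024-03-01 10:00:00.100000 port1 out 10.0.0.5.51202 -> 173.243.142.6.443: syn 1
0x0000   0009 0f09 0001 0050 56a1 2b3c 0800 4500   .......PV.+<..E.
0x0010   0028 1c46 4000 4006 0000 0a00 0005 adf3   .(.F@.@.........
0x0020   8e06 c802 01bb 0000 0001 0000 0000 5002   ............P.
0x0030   7210 0000 0000                            r.....
2024-03-01 10:00:00.120000 port1 in 173.243.142.6.443 -> 10.0.0.5.51202: syn 2 ack 2
0x0000   0050 56a1 2b3c 0009 0f09 0001 0800 4500   .PV.+<........E.
0x0010   0028 0000 4000 3806 0000 adf3 8e06 0a00   .(..@.8.........
0x0020   0005 01bb c802 0000 0002 0000 0002 5012   ..............P.
0x0030   ffff 0000 0000                            ......
2024-03-01 10:00:00.130000 port1 out 10.0.0.5.51202 -> 173.243.142.6.443: psh 2 ack 3
0x0000   0009 0f09 0001 0050 56a1 2b3c 0800 4500   .......PV.+<..E.
0x0010   002d 1c47 4000 4006 0000 0a00 0005 adf3   .-.G@.@.........
0x0020   8e06 c802 01bb 0000 0002 0000 0003 5018   ............P.
0x0030   7210 0000 0000 1603 0100 00               r.........
"""

if __name__ == "__main__":
    parsed = parse_sniffer_text(SAMPLE_SNIFFER)
    for fr in parsed:
        print(fr.direction, describe_tcp(fr.data))
    with open("sniffer.pcap", "wb") as fh:
        fh.write(write_pcap(parsed))
```

A SYN that is never answered by a SYN-ACK points at a path or policy problem before TLS starts; a completed handshake followed by no 0x16/0x03 record, or by a reset, points at the TLS layer, which is where the certificate errors in the update debug output would show up.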
