Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Dannу
Contributor

FortiGate verify update server restriction?

I configured my FortiGate to use EU update servers:

image.png

The status dashboard still shows an US flag and IP for the update server:

image.png

How do I verify my update server restriction for EU update servers?

1 Solution
Dannу

Issue was fixed by enabling public FortiGuard servers and disabling anycast:

 

 

config system fortiguard
set fortiguard-anycast disable
end

 

image.png

View solution in original post

8 REPLIES 8
abarushka
Staff
Staff

Hello,

 

You may consider to run the commands below and check which IP addresses/domains FortiGate is trying to reach.

 

diagnose debug application update -1

diagnose debug enable

execute update-now

 

Here is the list of domains:

 

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/326523/use-only-eu-servers-for-forti...

FortiGate
Dannу

Thanks for your quick response.
I pasted the CLI output below confirming that my FortiGate is still connecting to an US update server (173.243.142.6) while I restricted it to connect to EU only update servers:

 

# diagnose debug application update -1
Debug messages will be on for 30 minutes.
# diagnose debug enable
# execute update-now

# upd_daemon[1844]-Received update request from pid=1015
upd_daemon[1658]-Found cached action=00000002
do_update[644]-Starting now UPDATE
upd_fds_load_default_server6[1046]-Resolve and add fds euupdate.fortinet.net ipv6 address failed.
upd_comm_connect_fds[459]-Trying FDS 173.243.142.6:443
[114] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[482] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[488] ssl_ctx_use_builtin_store: Enable CRL checking.
[495] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[766] ssl_ctx_create_new_ex: SSL CTX is created
[793] ssl_new: SSL object is created
[187] ssl_add_ftgd_hostname_check: Add hostname checking 'euupdate.fortinet.net'
[345] __ssl_crl_verify_cb: CRL not found. Depth 0
__upd_peer_vfy[334]-Server certificate OK.
[385] __bio_mem_dump: OCSP status good
[360] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
update_status_obj[713]-#### contract expiry=Tue Dec  3 01:00:00 2024
upd_status_extract_contract_info[1220]-Extracting contract...(SupportLevelDesc=05:Advanced HW*06:Web/Online*10:8x5*20:Premium)
doInstallUpdatePackage[1031]-Full obj found for ALCI000
doInstallUpdatePackage[1041]-Updating obj ####
installUpdObjRest[789]-Step 5:Backup /data2/alci.dat->/tmp/update.backup
installUpdObjRest[817]-Step 6:Copy new object /tmp/upd9zzk8x->/data2/alci.dat
installUpdObjRest[896]-Step 7:Validate object
installUpdObjRest[920]-Step 8:Re-initialize using new obj file
upd_status_extract_alci_info[1337]-Extracting account contracts...()
upd_status_extract_alci_info[1359]-Finished reading account contracts
upd_install_pkg[1432]-FCNI000(fcni) installed successfully
upd_install_pkg[1432]-FDNI000(fdslist) installed successfully
upd_install_pkg[1432]-FSCI000(contract) installed successfully
upd_install_pkg[1406]-CIDB000 is up-to-date
upd_install_pkg[1406]-IPGO000 is up-to-date
upd_install_pkg[1406]-FFDB019 is up-to-date
upd_install_pkg[1406]-UWDB001 is up-to-date
upd_install_pkg[1406]-CRDB000 is up-to-date
upd_install_pkg[1406]-DBDB001 is up-to-date
upd_install_pkg[1412]-SFAS000 is unauthorized
upd_install_pkg[1406]-MCDB001 is up-to-date
upd_install_pkg[1432]-ALCI000(alci) installed successfully
upd_install_pkg[1406]-MADB001 is up-to-date
upd_install_pkg[1406]-AFDB001 is up-to-date
upd_install_pkg[1406]-ICDB001 is up-to-date
upd_status_save_status[132]-try to save on status file
upd_status_save_status[198]-Wrote status file
__upd_act_update[325]-Package installed successfully
upd_comm_disconnect_fds[500]-Disconnecting FDS 173.243.142.6:443
[1067] ssl_ctx_free: Done
[1048] ssl_disconnect: Shutdown
do_update[675]-UPDATE successful

 

abarushka
Staff
Staff

Hello,

 

DNS entry (euupdate.fortinet.net) looks good. I would recommend to reboot the unit and check IP address/es again.

 

In case the issue persists after the reboot you may consider to contact Fortinet:

https://www.fortiguard.com/faq/general-contact

FortiGate
Dannу

I disabled Override FortiGuard Servers to stop my FortiGate from connection to non-EU update servers. Now it can't connect to any update servers at all. I opened a service ticket with Fortinet Support (Ticket # 7995547).

image.png

abarushka
Staff
Staff

Hello,

 

I would recommend to run the commands below in order to verify whether DNS entry is resolved and check which IP addresses FortiGate is trying to reach:

 

diagnose debug application update -1
diagnose debug enable
execute update-now

 

After that you may consider to sniff (diagnose sniffer packet any 'host <destination IP address>' 6 0 a) traffic towards the server and check whether TCP/TLS sessions are established successfully.

 

Please find the details below how to convert text file to pcap:


https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sn...

FortiGate
Dannу

Issue was fixed by enabling public FortiGuard servers and disabling anycast:

 

 

config system fortiguard
set fortiguard-anycast disable
end

 

image.png

JulienFirminy

Hi 

I see that the issue is still there, I got this after upgrading the firmware

Thanks, you save me.

DevOps should check this ASAP

 

I've opened a ticket, and say them this, I'll let you know what will be their answer.

Bye

JulienFirminy

Hi All,

Here the answer of the Fortinet support team :

"

At random times the anycast will not resolve anything and the web filtering will start blocking connections.

Anycast can be ISP/region specific and may not always work. This is why the old unicast option is available.

Unicast was the original method of communicating with Fortiguard servers. Anycast was added since FOS 6.4.0
https://docs.fortinet.com/document/fortigate/6.4.0/new-features/925541/use-anycast-to-communicate-wi...

https://docs.fortinet.com/document/fortigate/6.4.12/administration-guide/042459/fortiguard#Anycast

"

 

So, hope you'll be lucky when you do an upgrade firmware.

I've done an upgrade from V7.4.2 to V7.4.4

 

Hope that help

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors