You don't need a rule for the FortiGate to get to the FortiGuard site(s).
1: Did you try to ping them? "execute ping x.x.x.x"
2: Did you run any diag debug flow?
3: Are you 100% sure the unit is licensed and registered correctly?
diag debug application update -1
diag debug enable
execute update-now
4: If you've done all of the above and ensured that no upstream device is filtering you, open a ticket with support.
Ken Felix
PCNSE
NSE
StrongSwan
Since you have support, opening a ticket is probably the quickest way to solve your problem. But I just wanted to add two more commands to Ken's debug commands to check the updates:
diag autoupdate status
diag autoupdate versions
Then, I wanted to remind you that you need to have at least one policy using IPS to get the attack definitions or attack extended definitions updated. Otherwise, updates won't happen even if it's enabled.
I think that behavior has changed over the last few years: IPS-ETDB will not update, but IPS-DB and the IPS Malicious URL Database will. Just wanted to point that out.
For the OP, one more item to check is your logs:
execute log filter category 1
execute log display
Wait a few seconds for the logs to display after you do "execute update-now", and the logs will show you pass/fail and which FortiGuard server you hit. Depending on where you are, it's probably going to be 173.243.xxx.xxx.
If you're in a pinch, you can log in, find your IPS update, and manually download it and upload it to the FortiGate.
Ken Felix
PCNSE
NSE
StrongSwan
Hi,
I tried to run your commands but those commands don't exist on my 6.2.6 firewall:
execute update-now
diag autoupdate status
diag autoupdate versions
I'm very surprised that the FortiGate doesn't need a rule to get to the FortiGuard site(s), because I saw the dropped packets on FortiAnalyzer. And to solve my issue I had to create a new rule to allow the flow.
I do have some rules with IPS enabled.
Regards,
If you're in multi-VDOM mode, you need to run those commands from the global context, not the root VDOM.
Also, if your firewall is behind another device and DNS is broken, you will get the following error:
3: date=2020-12-31 time=07:47:23 logid="0100038404" type="event" subtype="system" level="error" vd="root" eventtime=1609429643716020201 tz="-0800" logdesc="FortiGuard hostname unresolvable" hostname="service.fortiguard.net" msg="unable to resolve FortiGuard hostname"
You either have bad DNS, filters upstream, etc. Did you try my suggested pings to those FortiGuard IPv4 addresses you posted earlier? service.fortiguard.net is geo-load-balanced and will resolve to one of the many addresses.
Ken Felix
PCNSE
NSE
StrongSwan
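The log check Ken describes ("execute log filter category 1" then "execute log display" right after "execute update-now") produces FortiOS event lines in the key="value" format shown above. The following is an added example, not code from this thread or from Fortinet: a small parser for that line format plus a classifier that sorts FortiGuard-related events into the buckets a troubleshooter cares about (DNS resolution broken, other failure, success, unrelated). The "hostname unresolvable" line is copied from Ken's post; the other sample lines are constructed for illustration, and their logid, logdesc and the server field name are placeholders, not real FortiOS values. Only the DNS test (logdesc "FortiGuard hostname unresolvable" / msg "unable to resolve FortiGuard hostname") is grounded in the thread; the level-based success/failure split is an assumption.

```python
import re
from typing import Dict, List

# FortiOS log lines are space-separated key=value pairs; values containing
# spaces are double-quoted. "execute log display" prefixes each line with "N: ".
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_DISPLAY_PREFIX = re.compile(r'^\s*\d+:\s*')

# Sample input. Line 1 is the real line from the thread; lines 2-4 are
# CONSTRUCTED samples with placeholder logid/logdesc/server values.
SAMPLE_LOGS: List[str] = [
    '3: date=2020-12-31 time=07:47:23 logid="0100038404" type="event" subtype="system" '
    'level="error" vd="root" eventtime=1609429643716020201 tz="-0800" '
    'logdesc="FortiGuard hostname unresolvable" hostname="service.fortiguard.net" '
    'msg="unable to resolve FortiGuard hostname"',
    # constructed: a successful update (placeholder logid/logdesc, TEST-NET address)
    '4: date=2020-12-31 time=07:48:10 logid="0000000001" type="event" subtype="system" '
    'level="notice" vd="root" logdesc="FortiGuard update succeeded" '
    'server="192.0.2.10" msg="update successful"',
    # constructed: a non-DNS failure (placeholder logid/logdesc)
    '5: date=2020-12-31 time=07:49:01 logid="0000000002" type="event" subtype="system" '
    'level="error" vd="root" logdesc="FortiGuard connection failed" '
    'server="192.0.2.11" msg="connection timed out"',
    # constructed: an unrelated traffic log that must be ignored
    '6: date=2020-12-31 time=07:49:02 logid="0000000003" type="traffic" subtype="forward" '
    'level="notice" vd="root" srcip=10.0.0.5 dstip=10.0.0.9 action="accept"',
]


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS log line into a dict, stripping the display prefix and quotes."""
    line = _DISPLAY_PREFIX.sub('', line)
    fields: Dict[str, str] = {}
    for key, val in _KV.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def classify_fortiguard_event(fields: Dict[str, str]) -> str:
    """Return 'dns', 'failure', 'success' or 'other' for a parsed log line.

    'dns' matches the real "hostname unresolvable" event from the thread.
    Treating any other error/warning-level FortiGuard event as 'failure' and the
    rest as 'success' is an assumption for this example, not a FortiOS rule.
    """
    text = ' '.join(fields.get(k, '') for k in ('logdesc', 'msg', 'hostname')).lower()
    if 'fortiguard' not in text:
        return 'other'
    if 'unresolvable' in text or 'unable to resolve' in text:
        return 'dns'
    if fields.get('level') in ('warning', 'error', 'critical', 'alert', 'emergency'):
        return 'failure'
    return 'success'


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count events per bucket and collect the FortiGuard servers/hostnames seen.

    The 'server' field name is a placeholder assumption; adjust it to whatever
    field your firmware actually emits for the contacted FortiGuard address.
    """
    counts = {'dns': 0, 'failure': 0, 'success': 0, 'other': 0}
    servers: List[str] = []
    hostnames: List[str] = []
    for line in lines:
        fields = parse_fortios_log(line)
        if not fields:
            continue
        bucket = classify_fortiguard_event(fields)
        counts[bucket] += 1
        if bucket == 'other':
            continue
        srv = fields.get('server')
        if srv and srv not in servers:
            servers.append(srv)
        host = fields.get('hostname')
        if host and host not in hostnames:
            hostnames.append(host)
    return {
        'counts': counts,
        'servers': servers,
        'hostnames': hostnames,
        # A single unresolvable event is enough to point at DNS first, as in the thread.
        'dns_broken': counts['dns'] > 0,
    }


if __name__ == '__main__':
    for bucket, n in summarize(SAMPLE_LOGS)['counts'].items():
        print(f'{bucket}: {n}')
```

Paste the output of "execute log display" into SAMPLE_LOGS (or read it from a file) and run the script; if dns_broken is true, fix DNS on the FortiGate or the upstream device before chasing policy or licensing issues.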