Support Forum
grod777
New Contributor II

FortiGate can't access FortiGuard

I have read multiple posts online and have tried several things, but I can't get the FortiGate to contact the FortiGuard servers.

The Network/DNS page shows the server as either unreachable or high latency. On the System/FortiGuard page, when I open Filtering it can't contact the servers.

Any thoughts?

parthpatel
Staff

Hello @grod777,
Can you confirm what DNS settings you are using on the firewall? Also, from the firewall, can you resolve the addresses below?

exec ping service.fortiguard.net

exec ping update.fortiguard.net

exec ping guard.fortinet.net

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Unable-to-connect-to-FortiGuard-serv...

~parth
grod777
New Contributor II

I have seen that post. I can't ping from the CLI and I have tried those steps. I tested pinging from another FG that's in production at another site and I can't ping from it either, but the Network/DNS page is able to contact DNS and the System/FortiGuard page is able to contact FortiGuard. So I'm at a loss.

ap
Staff

Hi @grod777,

You need to make sure that the FortiGate is able to reach the DNS servers and resolve domain names.

Please provide the output of the commands below:

show system dns

get router info routing details x.x.x.x <---- replace x.x.x.x with the DNS server IP address

execute ping www.google.com

show system fortiguard

diag debug rating

regards,

Ankit

grod777
New Contributor II

set primary 8.8.8.8
set secondary 1.1.1.1
set protocol dot
set server-hostname "globalsdns.fortinet.net"
set interface-select-method sdwan

 

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 1, metric 0, best
* via To_GR_LAN tunnel 10.0.0.16 vrf 0
* via To_GR_LAB_BkUP tunnel 10.0.0.18 vrf 0
* vrf 0 x.x.x.x, via wan1
* vrf 0 1x.x.x.x, via wan2

 

config system fortiguard
set auto-firmware-upgrade disable
set interface-select-method sdwan
end

GR_Home_FortiGate-80E # diag debug rating
Locale : english

Service : Web-filter
Status : Enable
License : Contract

Service : Antispam
Status : Disable

Service : Virus Outbreak Prevention
Status : Disable

Num. of servers : 3
Protocol : https
Port : 443
Anycast : Enable
Default servers : Included

-=- Server List (Thu Aug 29 16:37:20 2024) -=-

IP                                Weight  RTT  Flags  TZ  FortiGuard-requests  Curr Lost  Total Lost  Updated Time
2620:101:9000:140:173:243:140:16  0       0    DIF    0   3683                 3682       3682
173.243.141.16                    0       167  D F    0   644                  629        639         Wed Aug 28 18:09:06 2024
173.243.140.16                    0       180  D F    0   952                  629        948         Wed Aug 28 18:09:06 2024

execute ping www.google.com
Unable to resolve hostname.
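The following is an added example, not code from the thread or from Fortinet. It parses the two pieces of FortiGate CLI output posted above, the "show system dns" settings and the server table from "diag debug rating", and reports what they imply for a FortiGuard outage: DNS over TLS needs TCP/853 egress (an ICMP ping to 8.8.8.8 does not prove that port is open), "interface-select-method sdwan" lets SD-WAN pick the egress for the FortiGate's own DNS queries, and every rating server losing nearly all requests means FortiGuard is unreachable as a whole rather than one server being slow. The sample text is copied from the thread (the "config system dns" / "end" wrapper is added for parsing); the function names and finding codes are this example's own.

```python
"""Triage helper for a FortiGate that cannot reach FortiGuard (added example)."""
import re
from dataclasses import dataclass

# Sample 'show system dns' output copied from the thread; the stanza
# wrapper lines are added here so it parses as a config block.
SAMPLE_DNS = """\
config system dns
    set primary 8.8.8.8
    set secondary 1.1.1.1
    set protocol dot
    set server-hostname "globalsdns.fortinet.net"
    set interface-select-method sdwan
end
"""

# Sample 'diag debug rating' output copied from the thread (trimmed).
SAMPLE_RATING = """\
Num. of servers : 3
Protocol : https
Port : 443
Anycast : Enable

-=- Server List (Thu Aug 29 16:37:20 2024) -=-

IP Weight RTT Flags TZ FortiGuard-requests Curr Lost Total Lost Updated Time
2620:101:9000:140:173:243:140:16 0 0 DIF 0 3683 3682 3682
173.243.141.16 0 167 D F 0 644 629 639 Wed Aug 28 18:09:06 2024
173.243.140.16 0 180 D F 0 952 629 948 Wed Aug 28 18:09:06 2024
"""


@dataclass
class RatingServer:
    ip: str
    weight: int
    rtt: int
    flags: str
    tz: int
    requests: int
    curr_lost: int
    total_lost: int
    updated: str  # empty when the FortiGate never got an answer

    @property
    def loss_ratio(self) -> float:
        return self.total_lost / self.requests if self.requests else 0.0


def parse_dns_config(text: str) -> dict[str, str]:
    """Collect the 'set <key> <value>' lines of a config stanza into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*set\s+(\S+)\s+(.+?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
    return cfg


def parse_rating_servers(text: str) -> list[RatingServer]:
    """Parse the server table printed by 'diag debug rating'.

    Columns: IP Weight RTT Flags TZ FortiGuard-requests CurrLost TotalLost
    [Updated Time]. Flags is a fixed-width field that can contain spaces
    ("D F"), so every non-numeric token between RTT and TZ belongs to it.
    """
    servers = []
    in_table = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-=- Server List"):
            in_table = True
            continue
        if not in_table or not line or line.startswith("IP "):
            continue
        tok = line.split()
        ip, weight, rtt = tok[0], int(tok[1]), int(tok[2])
        i, flags = 3, []
        while i < len(tok) and not tok[i].isdigit():
            flags.append(tok[i])
            i += 1
        tz, requests, curr_lost, total_lost = (int(x) for x in tok[i:i + 4])
        servers.append(RatingServer(ip, weight, rtt, " ".join(flags), tz,
                                    requests, curr_lost, total_lost,
                                    " ".join(tok[i + 4:])))
    return servers


def triage(dns_cfg: dict[str, str], servers: list[RatingServer]) -> list[str]:
    """Return finding codes (names chosen for this example) for the outage."""
    findings = []
    # DoT talks TCP/853 to the configured resolvers and checks the server
    # certificate against server-hostname; a working ICMP ping to the
    # resolver IP says nothing about that port.
    if dns_cfg.get("protocol") == "dot":
        findings.append("dot-requires-tcp-853")
    # SD-WAN chooses the egress for the unit's own DNS queries, so a zone
    # that also carries the default route over IPsec can steer them into
    # the tunnel instead of out a WAN port.
    if dns_cfg.get("interface-select-method") == "sdwan":
        findings.append("dns-egress-chosen-by-sdwan")
    # Near-total loss on every server: FortiGuard is unreachable, full stop.
    if servers and all(s.loss_ratio >= 0.9 for s in servers):
        findings.append("all-rating-servers-unreachable")
    return findings


if __name__ == "__main__":
    cfg = parse_dns_config(SAMPLE_DNS)
    srv = parse_rating_servers(SAMPLE_RATING)
    for s in srv:
        print(f"{s.ip:34} loss={s.loss_ratio:.0%} flags={s.flags!r}")
    print(triage(cfg, srv))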

rtanagras

Hi @grod777 - In these results, it looks like you combined both the underlay and overlay into a single SD-WAN zone. My hunch is that the traffic might be getting routed through the IPSec tunnel instead of the WAN interface since the route for the IPSec tunnel is also set to 0.0.0.0. My suggestion is to create a specific route for your IPSec networks and set up a separate zone for your overlay networks.

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 1, metric 0, best
* via To_GR_LAN tunnel 10.0.0.16 vrf 0--> IPSec1
* via To_GR_LAB_BkUP tunnel 10.0.0.18 vrf 0--> IPSec2
* vrf 0 x.x.x.x, via wan1
* vrf 0 1x.x.x.x, via wan2

Best,
Ricky
grod777
New Contributor II

[Screenshot attached: Screenshot 2024-08-29 202504.png]

My Underlay and Overlay are separate. I have one default route pointing to both Zones.

samandeep
Staff

Hello @grod777,

Can you please confirm whether you are able to:

1. Ping the gateway of each WAN interface from the FortiGate using the ping-option source command? (https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-PING-options-from-the-FortiGat...)
2. Ping the FortiGate WAN interface from another device (from an outside network)?

Additionally, please modify the DNS configuration as follows:

- Disable DNS over TLS (DoT)
- Change the protocol to "cleartext" (instead of DoT)

config system dns
set primary 8.8.8.8
set secondary 1.1.1.1
set protocol cleartext
end

After making these changes, try pinging:

exec ping google.com

exec ping service.fortiguard.net

exec ping update.fortiguard.net

exec ping guard.fortinet.net

Thank You,

Amandeep

grod777
New Contributor II

I can ping each interface's WAN IP from the FG CLI.

If I source the icmp from the WAN interface to 8.8.8.8 it works.

I can ping both WAN interfaces from another device outside my LAN.

I tried the settings you mentioned, but I still can't ping a DNS address (it won't resolve). I'm sure it's a DNS issue but can't seem to figure it out.

Thank you

Toshi_Esumi

You can use these options to debug dnsproxy. But if you don't see much in those dump options, try option 99 to restart the process. That would generally fix any lockup issue. But if it keeps coming back, that would be a bug in your particular version on your particular model.

xxx-fg1 # diag test application dnsproxy
worker idx: 0
1. Clear DNS cache
2. Show stats
3. Dump DNS setting
4. Reload FQDN
5. Requery FQDN
6. Dump FQDN
7. Dump DNS cache
8. Dump DNS DB
9. Reload DNS DB
10. Dump secure DNS policy/profile
11. Dump Botnet domain
12. Reload Secure DNS setting
13. Show Hostname cache
14. Clear Hostname cache
15. Show SDNS rating cache
16. Clear SDNS rating cache
17. DNS debug bit mask
18. DNS debug obj mem
99. Restart dnsproxy worker

Toshi
