I have read multiple posts online and have tried several things but I cant get Fortigate to contact Fortiguard Servers.
The Netwrok/DNS page shows server either unreachable or high latency. On the System/Fortiguard page, when I open Filtering it cant contact the servers.
Any thoughts?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello @grod777 ,
Can you confirm what DNS settings you are using on the firewall? Also from firewall can you resolve the below addresses?
exec ping service.fortiguard.net
exec ping update.fortiguard.net
exec ping guard.fortinet.net
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Unable-to-connect-to-FortiGuard-serv...
I have seen that post. I can't ping from the CLI an I have tried those steps. I tested pinging from another FG thats in production at another site and I can't ping from it either, but, the Network/DNS page is able to contact DNS and the System/Fortiguard page is able to contact Fortiguard. So I'm at a loss.
Hi @grod777 ,
You need to make sure that fortigate is able to reach to DNS servers and resolve domain names
Please provide output of below commands:
show system dns
get router info routing details x.x.x.x <----replace x.x.x.x with DNS server IP address
execute ping www.google.com
show system fortiguard
diag debug rating
regards,
Ankit
set primary 8.8.8.8
set secondary 1.1.1.1
set protocol dot
set server-hostname "globalsdns.fortinet.net"
set interface-select-method sdwan
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 1, metric 0, best
* via To_GR_LAN tunnel 10.0.0.16 vrf 0
* via To_GR_LAB_BkUP tunnel 10.0.0.18 vrf 0
* vrf 0 x.x.x.x, via wan1
* vrf 0 1x.x.x.x, via wan2
config system fortiguard
set auto-firmware-upgrade disable
set interface-select-method sdwan
onfig system fortiguard
set auto-firmware-upgrade disable
set interface-select-method sdwan
end
GR_Home_FortiGate-80E # diag debug rating
Locale : english
Service : Web-filter
Status : Enable
License : Contract
Service : Antispam
Status : Disable
Service : Virus Outbreak Prevention
Status : Disable
Num. of servers : 3
Protocol : https
Port : 443
Anycast : Enable
Default servers : Included
-=- Server List (Thu Aug 29 16:37:20 2024) -=-
IP Weight RTT Flags TZ FortiGuard-requests Curr Lost Total Lost Updated Time
2620:101:9000:140:173:243:140:16 0 0 DIF 0 3683 3682 3682
173.243.141.16 0 167 D F 0 644 629 639 Wed Aug 28 18:09:06 2024
173.243.140.16 0 180 D F 0 952 629 948 Wed Aug 28 18:09:06 2024
execute ping www.google.com
Unable to resolve hostname.
Hi @grod777 - In these results, it looks like you combined both the underlay and overlay into a single SD-WAN zone. My hunch is that the traffic might be getting routed through the IPSec tunnel instead of the WAN interface since the route for the IPSec tunnel is also set to 0.0.0.0. My suggestion is to create a specific route for your IPSec networks and set up a separate zone for your overlay networks.
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 1, metric 0, best
* via To_GR_LAN tunnel 10.0.0.16 vrf 0--> IPSec1
* via To_GR_LAB_BkUP tunnel 10.0.0.18 vrf 0--> IPSec2
* vrf 0 x.x.x.x, via wan1
* vrf 0 1x.x.x.x, via wan2
My Underlay and Overlay are separate. I have one default route pointing to both Zones.
Hello @grod777 ,
Can you please confirm if you are able to:
1. Ping the gateway of each WAN interface from the Fortigate using ping-option source command? ( https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-PING-options-from-the-FortiGat...)
2. Ping the FortiGate WAN interface from another device(from outside network)?
Additionally, please modify the DNS configuration as follows:
- Disable DNS over TLS (DoT)
- Change the protocol to "cleartext" (instead of DoT)
config system dns
set primary 8.8.8.8
set secondary 1.1.1.1
set protocol cleartext
After making these changes, try pinging
exec ping google.com
exec ping service.fortiguard.net
exec ping update.fortiguard.net
exec ping guard.fortinet.net
Thank You,
Amandeep
I can ping each interface WAN IP from the FG cli.
If I source the icmp from the WAN interface to 8.8.8.8 it works.
I can ping both WAN interfaces from another device outside my LAN.
I tried the settings you mentioned but I still cant ping a DNS address ( won't resolve ). I'm sure it's a DNS issue but can't seem to figure it out.
Thank you
Created on 08-29-2024 04:05 PM Edited on 08-29-2024 04:06 PM
You can use these options to debug dnsproxy. But if you don't see much in those dump options, try option 99 to restart the process. That would generally fix any lockup issues. But if it keeps coming back, that would be a bug in your particular version on particular models.
xxx-fg1 # diag test application dnsproxy
worker idx: 0
1. Clear DNS cache
2. Show stats
3. Dump DNS setting
4. Reload FQDN
5. Requery FQDN
6. Dump FQDN
7. Dump DNS cache
8. Dump DNS DB
9. Reload DNS DB
10. Dump secure DNS policy/profile
11. Dump Botnet domain
12. Reload Secure DNS setting
13. Show Hostname cache
14. Clear Hostname cache
15. Show SDNS rating cache
16. Clear SDNS rating cache
17. DNS debug bit mask
18. DNS debug obj mem
99. Restart dnsproxy worker
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1518 | |
1018 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.