Support Forum
chpa
New Contributor

No updates on my IPS Engine

Hello,

I have a problem updating my IPS Engine automatically.

Actually I have a cluster of Fortigate-200D and have configured some VDOMs. Here is my output of the command "get system auto-update versions".

IPS Attack Engine
---------
Version: 3.00430
Contract Expiry Date: Mon Apr 30 2018
Last Updated using manual update on Thu Sep 14 12:55:16 2017
Last Update Attempt: Sun Jun 18 15:56:24 2017
Result: No Updates

Can someone help me?

Thanks
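As an added example (not part of the original post): a small Python checker that parses output in the "get system auto-update versions" format quoted above and flags an engine whose automatic update attempts have stopped, whose last successful update was a manual one, or whose contract is close to expiry. The sample text and the thresholds are constructed, and the reference date is passed in so the result is repeatable.

```python
import re
from datetime import datetime, timedelta

# Constructed sample shaped like the "get system auto-update versions" output
# quoted in the question (one engine block; a real unit prints several).
SAMPLE = """\
IPS Attack Engine
---------
Version: 3.00430
Contract Expiry Date: Mon Apr 30 2018
Last Updated using manual update on Thu Sep 14 12:55:16 2017
Last Update Attempt: Sun Jun 18 15:56:24 2017
Result: No Updates
"""

FIELD = re.compile(r"^(Version|Contract Expiry Date|Last Update Attempt|Result): (.+)$")
LAST_UPDATED = re.compile(r"^Last Updated using (.+?) on (.+)$")

def parse_versions(text):
    """Return {engine name: {field: value}} from auto-update versions output."""
    engines, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        if (m := FIELD.match(line)) and current:
            engines[current][m.group(1)] = m.group(2).strip()
        elif (m := LAST_UPDATED.match(line)) and current:
            engines[current]["Update Method"] = m.group(1)
            engines[current]["Last Updated"] = m.group(2).strip()
        else:                      # any other line starts a new engine block
            current = line
            engines.setdefault(current, {})
    return engines

def audit(engines, now_iso, max_attempt_age_days=7, expiry_warn_days=60):
    """Flag dead scheduled updates or near-expiry contracts; now_iso (YYYY-MM-DD) is the reference date."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for name, f in engines.items():
        attempt = datetime.strptime(f["Last Update Attempt"], "%a %b %d %H:%M:%S %Y")
        if now - attempt > timedelta(days=max_attempt_age_days):
            findings.append((name, "stale", f"no update attempt since {attempt:%Y-%m-%d}"))
        if f.get("Update Method") == "manual update":
            findings.append((name, "manual-only", "last successful update was manual"))
        expiry = datetime.strptime(f["Contract Expiry Date"], "%a %b %d %Y")
        if expiry - now < timedelta(days=expiry_warn_days):
            findings.append((name, "contract", f"contract expires {expiry:%Y-%m-%d}"))
    return findings
```

Run `audit(parse_versions(SAMPLE), "2017-09-20")` to see the sample flagged as both stale and manual-only, which is exactly the symptom in the question.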

emnoc
Esteemed Contributor III

Do the following from the CLI:

diag debug reset
diag debug en
diag debug application update -1

execute update-av
execute update-ips

Watch the messages after a success or fail, then:

diag debug reset
diag debug dis

The above will show you the contract validation/expirations.

 

Ken

 

 

PCNSE NSE StrongSwan
chpa

Hi Ken,

It seems the connection fails to 209.222.136.7:443. Here is the output from the CLI:

__upd_act_update[279]-Trying FDS 209.222.136.7-443 with AcceptDelta=0
tcp_connect_fds[233]-select() timed out
upd_comm_connect_fds[585]-Failed TCP connect
__upd_act_update[284]-Failed connecting to 209.222.136.7-443
upd_act_HA_contract_info[878]-Error updating FSCI -1
do_update[373]-UPDATE failed
do_setup[217]-Starting SETUP
upd_act_setup[191]-Trying FDS 209.222.136.7-443
tcp_connect_fds[233]-select() timed out
upd_comm_connect_fds[585]-Failed TCP connect
upd_act_setup[195]-Failed connecting to 209.222.136.7-443
do_setup[235]-Failed setup
__upd_act_update[279]-Trying FDS 209.222.136.7-443 with AcceptDelta=0
tcp_connect_fds[233]-select() timed out
upd_comm_connect_fds[585]-Failed TCP connect
__upd_act_update[284]-Failed connecting to 209.222.136.7-443

I can't ping this IP from the global conf.

Is it trying to reach this IP from my VDOM root? Do you have an idea how I can check this?

 

Thanks again

hmtay_FTNT

nslookup update.fortiguard.net
Server:        127.0.0.1
Address:    127.0.0.1#53

Non-authoritative answer:
update.fortiguard.net    canonical name = fds1.fortinet.com.
Name:    fds1.fortinet.com
Address: 96.45.33.89
Name:    fds1.fortinet.com
Address: 173.243.138.66
Name:    fds1.fortinet.com
Address: 173.243.138.68
Name:    fds1.fortinet.com
Address: 209.222.136.7

I have no problem pinging 209.222.136.7. Can you try the other 3 above? If they work, set one of them to "Override Fortiguard Server" for "AV & IPS Updates" and try again.

chpa

I can't ping from the global conf. (I think this is normal.)

Fortigate-primary (global) # execute ping 96.45.33.89
command parse error before 'ping'
Command fail. Return code -61

From the root vdom ping is working.

emnoc
Esteemed Contributor III

Yes, the global context has no interfaces. Trace with an execute traceroute to all of the FortiGuard servers? What network path do they take?

Do you have any upstream filters? Or any SNAT involved?

Is root your management-vdom for updates?

Can you telnet to an FDS server on port 443? Or use some other tool from a host within, e.g.:

gnutls-cli -p 443 209.222.136.7

 - subject `EMAIL=support@fortinet.com,CN=PFDN,OU=FDS,O=Fortinet,L=Sunnyvale,ST=California,C=US', issuer `EMAIL=support@fortinet.com,CN=support,OU=Certificate Authority,O=Fortinet,L=Sunnyvale,ST=California,C=US', serial 0x411dd7, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-04-21 18:00:17 UTC', expires `2038-01-19 03:14:07 UTC', pin-sha256="Y9EUPfG4qRejY3b3A4506t7EQZmjYBASx1qc47hIUWw="
	Public Key ID:
		sha1:0771d8ea29e43cd40d4e61074078c39d930a432d
		sha256:63d1143df1b8a917a36376f7038e74eadec44199a3601012c75a9ce3b848516c
	Public Key PIN:
		pin-sha256:Y9EUPfG4qRejY3b3A4506t7EQZmjYBASx1qc47hIUWw=
	Public key's random art:
		+--[ RSA 2048]----+
		|   ..=oo=Bo      |
		|    E =.O+.      |
		|     = *.=       |
		|      + +..      |
		|     = .S..      |
		|      = o.       |
		|       o         |
		|                 |
		|                 |
		+-----------------+
- Certificate[1] info:
 - subject `EMAIL=support@fortinet.com,CN=support,OU=Certificate Authority,O=Fortinet,L=Sunnyvale,ST=California,C=US', issuer `EMAIL=support@fortinet.com,CN=support,OU=Certificate Authority,O=Fortinet,L=Sunnyvale,ST=California,C=US', serial 0x00daf636b443d4a58b, RSA key 2048 bits, signed using RSA-SHA256, activated `2015-07-16 22:34:39 UTC', expires `2038-01-19 22:34:39 UTC', pin-sha256="Kn69GCKg9OZXkMA8TmA+fWa3o34QDMKjuZUKOwfXeEI="
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses insecure algorithm. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.

 

Ken

 

chpa
New Contributor

Hi Ken,

 

From my VDOM root I can ping and do a traceroute to all of the FortiGuard servers. I don't have any upstream filters or any SNAT involved.

About your question "Is root your management-vdom for updates?", I'm not sure, but actually I don't have a dedicated port for management. This cluster is managed from its public IP.

From a host on my LAN interface I can ping, telnet to a FDS  server on port 443.

 

 

emnoc
Esteemed Contributor III

Let me clarify:

1: In the global context (assuming you have VDOMs) you might have changed the management VDOM to another one.

2: Run "show system global" and see if the VDOM was set as root or something else. Whatever VDOM is defined there HAS TO HAVE AN ADDRESS and be able to reach the update servers.

 

chpa
New Contributor

My management-vdom is the VDOM "root". To be sure, I configured this on my FortiGates:

config global
config system global
    set management-vdom root
end

From my VDOM root I can ping the update server.

(root) # execute ping fds1.fortinet.com
PING fds1.fortinet.com (173.243.138.66): 56 data bytes
64 bytes from 173.243.138.66: icmp_seq=0 ttl=49 time=159.8 ms
64 bytes from 173.243.138.66: icmp_seq=1 ttl=49 time=159.7 ms
64 bytes from 173.243.138.66: icmp_seq=2 ttl=49 time=159.9 ms
64 bytes from 173.243.138.66: icmp_seq=3 ttl=49 time=159.7 ms
64 bytes from 173.243.138.66: icmp_seq=4 ttl=49 time=159.8 ms

--- fds1.fortinet.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 159.7/159.7/159.9 ms

emnoc
Esteemed Contributor III

Did you rerun the execute update and monitor? Also, are you sure there is nothing between you and the FortiGuard server?

 

chpa
New Contributor

Yes, but same situation.

 

IPS Attack Engine
---------
Version: 3.00430
Contract Expiry Date: Sun Apr 29 2018
Last Updated using manual update on Thu Sep 14 11:55:16 2017
Last Update Attempt: Sun Jun 18 14:56:24 2017
Result: No Updates

I'm sure there is nothing between my firewalls and the FortiGuard server. The second cluster that I have is working correctly.
