Created on 02-25-2025 02:22 PM, edited on 02-25-2025 02:46 PM
Unable to connect to FortiGuard servers.
Hello
I am having problems connecting to the FortiGuard servers on a FortiGate 40F, firmware v7.0.13 build0566 (Mature) (HA Cluster). I am also receiving the message "FortiGate time is out of sync." I use an NTP server, 200.160.0.8.
Images below
From FortiGate, I can ping the servers service.fortiguard.net, update.fortiguard.net, guard.fortinet.net. I get a response time of approximately 150ms. And I can also ping the IP 200.160.0.8 with approximately 18ms of response time.
The output of the "diagnose debug rating" command is shown below:
I also tried changing from https to udp with port 8888 with the commands below and I was also unsuccessful.
config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip 208.91.112.220 <-- IMPORTANT TO ADD THIS OR ANY OTHER FDN SERVER TO PREVENT DOWNTIME!
end
I have two internet links and I can ping the FortiGuard servers from both links. Both internet links are PPPoE. I tried to change the tcp-mss to 1452 as described in this article (link) and I was also unsuccessful.
I am also attaching the debug output of the following command (link)
diagnose debug reset
diagnose debug application update -1
diagnose debug enable
execute update-now
I had to disable web filtering because without communication with the FortiGuard servers, all websites were being blocked.
Does anyone have any idea what might be happening? Is there any other test I should perform?
Hi Mateus
I see your date is 6/2024 and WAN IP is unknown.
Such behavior can happen if you have 2 IP addresses on your WAN interface, where the primary IP is private and the secondary IP is public. If so, then it is expected behavior that you can't contact FortiGuard and can't time sync from a public NTP server.
You can fix it from the CLI by setting the source-ip in both the NTP config and the FortiGuard config.
I do not have 2 IPs configured on my WAN interface. My two WAN interfaces are PPPoE and receive a public IP from the ISP. FortiGate should use the WAN IP of one of these interfaces to try to connect to the FortiGuard servers. This should be automatic.
I tried to define an IP through the CLI with "set source ip" in "config system fortiguard", but the problem persists.
I had to manually correct the FortiGate date and then it started working again. The funny thing is that I need to set the correct date so that FortiGate can communicate with the NTP server to retrieve the correct date.
