This article describes how to enable anycast on FortiManager/FortiAnalyzer for FortiGuard updates. By default, anycast for FortiGuard updates is disabled. The current anycast domain names for Global servers and US-Only servers are listed below. The domain is signed by a public CA, DigiCert.
FortiGuard Service | Global Servers | US-Only Servers |
AV-IPS package | globalupdate.fortinet.net, globalupdate2.fortinet.net | usupdate.fortinet.net, usupdate2.fortinet.net |
AV-IPS packages (FortiClient) | globalfctupdate.fortinet.net | fctusupdate.fortinet.net |
GeoIP | globalupdate.fortinet.net, globalupdate2.fortinet.net | usupdate.fortinet.net, usupdate2.fortinet.net |
Webfilter AntiSpam Outbreak Prevention Query Category File Query AntiVirus Query | globalupdate.fortinet.net, globalupdate2.fortinet.net | usupdate.fortinet.net, usupdate2.fortinet.net |
IoT Collect | globalupdate.fortinet.net | usupdate.fortinet.net |
For the full Unicast and Anycast domain name comparison table, see this reference.
FortiManager/FortiAnalyzer.
config system global
    set usg disable
end
config fmupdate fds-setting
    set fortiguard-anycast enable
end
To verify the change for both FDS and FGD, view the server lists. The address prefix changes to globalupdate instead of usupdate.
diagnose fmupdate view-serverlist fds
Fortiguard Server Comm : Enabled
Server Override Mode : Loose
FDS server list :
Index Address Port TimeZone Distance Source
------------------------------------------------------------------------------------------------------
*0 globalupdate.fortinet.net 443 8 0 ANYCAST
FCT server list :
Index Address Port TimeZone Distance Source
------------------------------------------------------------------------------------------------------
*0 fctupdate.fortinet.net 443 8 0 ANYCAST
diagnose fmupdate view-serverlist fgd
Fortiguard Server Comm : Enabled
Server Override Mode : Loose
FGD server list :
Index Address Port TimeZone Distance Source
------------------------------------------------------------------------------------------------------
*0 globalupdate.fortinet.net 443 8 0 ANYCAST
GEOIP server list :
Index Address Port TimeZone Distance Source
------------------------------------------------------------------------------------------------------
*0 globalupdate.fortinet.net 443 8 0 ANYCAST
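The verification above can be scripted when many units need checking. The following is an added example, not Fortinet code: it parses saved `view-serverlist` output and reports any selected (`*`) server whose Source is not ANYCAST or whose address is not one of the names in the table above for the expected region. The function names and the sample text are assumptions made for illustration.

```python
import re

# Anycast names copied from the table on this page, keyed by region.
ANYCAST_HOSTS = {
    "global": {"globalupdate.fortinet.net", "globalupdate2.fortinet.net",
               "globalfctupdate.fortinet.net"},
    "us": {"usupdate.fortinet.net", "usupdate2.fortinet.net",
           "fctusupdate.fortinet.net"},
}
SECTION = re.compile(r"^(\w+) server list\s*:")
# Columns: Index (* marks the selected server), Address, Port, TimeZone, Distance, Source
ROW = re.compile(r"^(\*?)\d+\s+(\S+)\s+(\d+)\s+-?\d+\s+\d+\s+(\S+)$")

# Constructed sample modelled on the view-serverlist output above (not a real capture).
SAMPLE = """\
FDS server list :
Index Address Port TimeZone Distance Source
*0 globalupdate.fortinet.net 443 8 0 ANYCAST
FCT server list :
Index Address Port TimeZone Distance Source
*0 fctusupdate.fortinet.net 443 8 0 ANYCAST
"""

def parse_serverlist(text):
    """Return one dict per server row, tagged with the list it appeared under."""
    rows, current = [], None
    for line in map(str.strip, text.splitlines()):
        if (m := SECTION.match(line)):
            current = m.group(1)
        elif current and (m := ROW.match(line)):
            rows.append({"list": current, "selected": m.group(1) == "*",
                         "address": m.group(2), "port": int(m.group(3)),
                         "source": m.group(4)})
    return rows

def check_anycast(text, region="global"):
    """Report selected servers that are not anycast names for the expected region."""
    findings = []
    for r in (x for x in parse_serverlist(text) if x["selected"]):
        if r["source"] != "ANYCAST":
            findings.append((r["list"], r["address"], "source is not ANYCAST"))
        elif r["address"] not in ANYCAST_HOSTS[region]:
            findings.append((r["list"], r["address"], f"not a {region} name in the table"))
    return findings

if __name__ == "__main__":
    for finding in check_anycast(SAMPLE):
        print(finding)
```

An empty result means every selected server matched the table. Any finding is a prompt to recheck the `usg` and `fortiguard-anycast` settings on that unit.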
Debugging can also be run to determine if the connection to FortiGuard via anycast update is failing.
diagnose debug application fdssvrd 255
diagnose debug enable
Related article:
Technical Tip: Verifying FortiGuard connectivity on FortiManager.