From time to time customers noticed that the Fortigate cannot reach the Fortiguard Servers anymore.
This is displayed in the Dashboard or users are complaining that the Webfilter or DNS Filter Service is not working anymore.
In most cases the problem is caused by anycast issues. Anycast is used for the connection with the FortiGuard servers starting with FortiOS v6.2.
Fortinet is working on this issue but in the meantime following workaround can be used via the CLI:
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 53 (or 8888)
set sdns-server-ip "22.214.171.124"
It’s pretty important to configure a SDNS server when you disable the anycast setting – otherwise you cannot use the DNS filter feature of the Fortigate. The server „126.96.36.199“ is located in the UK. Alternatively you can use „188.8.131.52“ which is located in the US.
More information for Fortiguard Troubleshooting can be found in this KB article.
1,355 total views, 1 views today