FortiGuard Servers are not reachable

Update – 30 October 2023: We received feedback from our partners that the issue probably occurred again today. Fortinet confirmed the issue; here is their response:

A few cases with this issue have been reported to us during the weekend. This seems to be an issue with FortiGuard anycast when Daylight Saving Time (DST) changes, and mostly the Web Filtering service was affected.

The time change would cause the FortiGate’s Urlfilter daemon to re-do the DNS query. If possible, get the output of “dia debug rating” to see how the webfilter server list is populated. If this is returning only an IPv6 address, then Urlfilter can only use this IPv6 address to communicate with the rating server. If an IPv6 server is not configured or not available for some region, urlfilter will fail to talk to the rating server.

Some workarounds you can use are:

1. Disable and re-enable anycast:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-All-FortiGuard-servers-failed-to-respond-Error-and/ta-p/270794
2. Restart the URL filter daemon (the filter will do the DNS query again):
“diagnose test application urlfilter 99”
3. Reboot the FortiGate

—————————

Fortinet Support
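The failure mode Fortinet describes above is a DNS answer that contains only an IPv6 address, which leaves the URL filter daemon with no IPv4 rating server to fall back to. The following script is an added example written for this post (it is neither the blog’s nor Fortinet’s code) that reproduces that check from an admin workstation: it classifies the A/AAAA answers for a hostname and flags the "AAAA only" case. The rating-server FQDN is not named in the post, so it is taken from the command line; the sample answer sets at the bottom are constructed and use documentation address ranges, not real FortiGuard data.

```python
"""Added example: detect the "only an IPv6 address returned" condition for a
FortiGuard rating-server name. Not code from the blog post or from Fortinet.
Hostnames are passed on the command line (assumption: the admin workstation
uses the same resolver as the FortiGate, otherwise answers may differ)."""
import ipaddress
import socket
import sys


def classify_addresses(addresses):
    """Describe the address families in an answer set.

    `addresses` is any iterable of IP address strings, e.g. what
    socket.getaddrinfo returned or what "dia debug rating" printed.
    """
    v4, v6 = set(), set()
    for raw in addresses:
        ip = ipaddress.ip_address(raw.strip())
        (v4 if ip.version == 4 else v6).add(str(ip))
    return {
        "ipv4": sorted(v4),
        "ipv6": sorted(v6),
        # The failure mode from the support note: only AAAA answers, so the
        # daemon has no IPv4 rating server to talk to.
        "ipv6_only": bool(v6) and not v4,
        "empty": not v4 and not v6,
    }


def resolve(hostname):
    """Resolve hostname to the set of addresses the local resolver returns (needs network)."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def verdict(hostname, addresses):
    """One-line human-readable assessment of an answer set."""
    result = classify_addresses(addresses)
    if result["empty"]:
        return f"{hostname}: no answer at all (resolver problem, not the anycast/IPv6 case)"
    if result["ipv6_only"]:
        return f"{hostname}: AAAA only {result['ipv6']} - urlfilter can only try IPv6"
    return f"{hostname}: IPv4 {result['ipv4']} IPv6 {result['ipv6']} - ok"


# Constructed sample answers (documentation ranges, not real FortiGuard data).
SAMPLE_OK = ["192.0.2.10", "2001:db8::10"]
SAMPLE_V6_ONLY = ["2001:db8::10", "2001:db8::11"]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name in sys.argv[1:]:
            print(verdict(name, resolve(name)))
    else:
        print(verdict("sample-ok", SAMPLE_OK))
        print(verdict("sample-v6-only", SAMPLE_V6_ONLY))
```

Run it with the rating-server FQDN(s) from the FortiGate’s "dia debug rating" output as arguments; without arguments it only evaluates the two constructed sample sets. An "AAAA only" verdict on a network without IPv6 reachability to FortiGuard is the situation in which restarting the urlfilter daemon or toggling anycast helps.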

Update – 10 November 2021: It seems that the server “45.75.200.89” is no longer in use – it is “not reachable” at the moment. Please use “194.69.172.53” instead.

Blog post – 3 November 2020:

From time to time, customers notice that the FortiGate can no longer reach the FortiGuard servers.

This shows up in the Dashboard, or users complain that the Web Filter or DNS Filter service has stopped working.

In most cases the problem is caused by anycast issues. Starting with FortiOS v6.2, the connection to the FortiGuard servers uses anycast.

Fortinet is working on this issue, but in the meantime the following workaround can be applied via the CLI:

config system fortiguard
  set fortiguard-anycast disable
  set protocol udp
  set port 53
  set sdns-server-ip "194.69.172.53"
end

Port 8888 can be used instead of 53. It is important to configure an SDNS server when you disable the anycast setting; otherwise the DNS Filter feature of the FortiGate cannot be used. The server “45.75.200.89” is located in the UK (but see the update of 10 November 2021 above: it is no longer in use). Alternatively, “208.91.112.220”, which is located in the US, can be used.

More information on FortiGuard troubleshooting can be found in this KB article.

About Anycast – 11 November 2022

Anycast is an addressing mode, not a protocol: the FortiGate sends to what looks like an ordinary unicast address, and the routing protocol (BGP) takes care that the traffic reaches one of the FortiGuard servers across the globe (hopefully a close one), because the same address is announced from several locations.

The FortiGate uses different FQDNs to access the FortiGuard services in anycast mode (see Anycast and unicast service). In case of an issue, compare the hop counts of the unicast and the anycast FQDNs by running “execute traceroute <FQDN>” for each of them.
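The hop-count comparison above can also be done from a Linux or macOS workstation on the same network as the FortiGate. The script below is an added example for this post (not code from the blog or from Fortinet): it parses the usual traceroute output layout (hop number, then either the responding address with RTTs or "* * *"), reports the last answering hop for each FQDN and whether the destination was reached. The anycast and unicast FQDNs are not listed in the post, so they are passed as arguments; the embedded traces are constructed samples with documentation addresses.

```python
"""Added example: compare traceroute hop counts for an anycast and a unicast
FortiGuard FQDN. Not code from the blog post or from Fortinet. Assumes a
system `traceroute` that accepts -n, -m and -w (Linux and macOS do)."""
import re
import subprocess
import sys

# A hop line: optional leading spaces, hop number, then the rest of the line.
_HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")


def parse_traceroute(text):
    """Return [(hop_number, responded)] for every hop line in traceroute output."""
    hops = []
    for line in text.splitlines():
        m = _HOP_LINE.match(line)
        if not m:
            continue  # "traceroute to ..." header or blank line
        rest = m.group(2).strip()
        # A hop that timed out for all probes shows only asterisks.
        responded = rest.replace("*", "").strip() != ""
        hops.append((int(m.group(1)), responded))
    return hops


def last_answering_hop(text):
    """Hop number of the last router/host that answered, 0 if none did."""
    answered = [n for n, ok in parse_traceroute(text) if ok]
    return max(answered) if answered else 0


def reached_target(text):
    """True when the final hop line answered, i.e. the trace ended at a host."""
    hops = parse_traceroute(text)
    return bool(hops) and hops[-1][1]


def run_traceroute(fqdn, max_hops=30):
    """Run the system traceroute and return its stdout (requires network access)."""
    cmd = ["traceroute", "-n", "-m", str(max_hops), "-w", "2", fqdn]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def compare(anycast_text, unicast_text):
    """Summarise both traces; an unfinished or much longer anycast path is the smell."""
    a_hops = last_answering_hop(anycast_text)
    u_hops = last_answering_hop(unicast_text)
    return {
        "anycast_hops": a_hops,
        "unicast_hops": u_hops,
        "anycast_reached": reached_target(anycast_text),
        "unicast_reached": reached_target(unicast_text),
        "anycast_longer": a_hops > u_hops,
    }


# Constructed sample output in traceroute format (documentation addresses only).
SAMPLE_ANYCAST = """\
traceroute to anycast.example (198.51.100.20), 30 hops max, 60 byte packets
 1  192.0.2.1  0.412 ms  0.390 ms  0.371 ms
 2  * * *
 3  203.0.113.9  8.120 ms  8.001 ms  7.950 ms
 4  203.0.113.50  21.300 ms  21.100 ms  20.900 ms
 5  * * *
 6  * * *
"""
SAMPLE_UNICAST = """\
traceroute to unicast.example (198.51.100.30), 30 hops max, 60 byte packets
 1  192.0.2.1  0.400 ms  0.388 ms  0.380 ms
 2  203.0.113.9  8.100 ms  8.020 ms  7.990 ms
 3  198.51.100.30  15.300 ms  15.250 ms  15.210 ms
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(compare(run_traceroute(sys.argv[1]), run_traceroute(sys.argv[2])))
    else:
        print(compare(SAMPLE_ANYCAST, SAMPLE_UNICAST))
```

Usage: `python3 trace_compare.py <anycast-fqdn> <unicast-fqdn>`. A result where the unicast trace reaches its target but the anycast trace dies after more hops points at the anycast path rather than at the FortiGate, which is the case for which the workaround in this post (disabling anycast) exists.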

FortiGuard DNS Servers – 11 November 2022

The parameter “set fortiguard-anycast enable/disable” does not change the IPs of the FortiGuard DNS servers (the DNS servers and the DNS Filter rating servers are different ones!). These IPs are hardcoded in the firmware, and they changed recently in FortiOS 7.0.4.


One thought on “FortiGuard Servers are not reachable”

  1. Jay

    Experienced the same issue. However, Fortinet would not explain the root cause. I have several tickets with support documenting this issue.
