Update – 10. November 2021: The server “220.127.116.11” seems to be out of service – it is currently not reachable. Please use “18.104.22.168” instead.
Blogpost – 3. November 2020:
From time to time, customers notice that the FortiGate cannot reach the FortiGuard servers anymore.
This shows up in the Dashboard, or users complain that the Web Filter or DNS Filter service has stopped working.
In most cases the problem is caused by anycast issues. Anycast is used for the connection to the FortiGuard servers starting with FortiOS v6.2.
Fortinet is working on this issue; in the meantime, the following workaround can be applied via the CLI:
config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 53   (or 8888)
    set sdns-server-ip "22.214.171.124"
end
It is important to configure an SDNS server when you disable the anycast setting – otherwise you cannot use the DNS Filter feature of the FortiGate. The server “126.96.36.199” is located in the UK. Alternatively, you can use “188.8.131.52”, which is located in the US.
More information on FortiGuard troubleshooting can be found in this KB article.
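As an added example (not from the original post), a small Python check that parses a “config system fortiguard” block and flags the pitfall described above: anycast disabled without an SDNS server, or a protocol/port that differs from the workaround. Both sample configs are constructed, not captured from a device.

```python
import re

# Constructed samples: the workaround from the post, and a variant that
# disables anycast but forgets the SDNS server and uses a different port.
GOOD_CONFIG = """\
config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 53
    set sdns-server-ip "22.214.171.124"
end
"""

BAD_CONFIG = """\
config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 443
end
"""

SET_LINE = re.compile(r'^\s*set\s+(\S+)\s+(.+?)\s*$', re.M)

def parse_fortiguard_block(text):
    """Collect 'set key value' pairs from the 'config system fortiguard' block."""
    block = re.search(r'^config system fortiguard$(.*?)^end$', text, re.S | re.M)
    settings = {}
    for match in SET_LINE.finditer(block.group(1) if block else ""):
        settings[match.group(1)] = match.group(2).strip('"')
    return settings

def check_fortiguard_workaround(settings):
    """Return findings for a block with anycast disabled; [] means consistent."""
    findings = []
    if settings.get("fortiguard-anycast") != "disable":
        return findings  # anycast still enabled (the default): nothing to check
    if not settings.get("sdns-server-ip"):
        findings.append("anycast disabled but no sdns-server-ip set: DNS Filter will not work")
    if settings.get("protocol") != "udp":
        findings.append(f"protocol is {settings.get('protocol')!r}, workaround uses udp")
    if settings.get("port") not in ("53", "8888"):
        findings.append(f"port is {settings.get('port')!r}, workaround uses 53 or 8888")
    return findings

def lint(text):
    """Parse a config snippet and return the list of findings."""
    return check_fortiguard_workaround(parse_fortiguard_block(text))
```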
About Anycast – 11. November 2022
Anycast is an addressing mode, not a protocol: the FortiGate contacts a unicast address and the routing protocol (BGP) ensures that the traffic reaches one of the FortiGuard servers across the globe (hopefully a nearby one).
The FortiGate uses different FQDNs to access the FortiGuard Services in anycast mode (see Anycast and unicast service). In case of an issue, compare the hop count between the unicast and the anycast FQDNs by running “execute traceroute <FQDN>”.
FortiGuard DNS Servers – 11. November 2022
The parameter “set fortiguard-anycast enable/disable” does not change the IPs of the FortiGuard DNS servers (the DNS servers and the DNS Filter rating servers are different ones!). These IPs are hard-coded in the firmware, and they recently changed in FortiOS 7.0.4.