Unable To Load FortiGuard DDNS Servers List On FortiGate Firewalls Today

Setting up Dynamic DNS (DDNS) on a FortiGate firewall is essential for managing remote access via VPN or port forwarding when your ISP provides a dynamic public IP address. However, a common issue arises during configuration: the DDNS server list fails to load, showing an empty list or an error message instead of the available services like dyndns, no-ip, or fortiguard-ddns.

    config system fortiguard
        set fortiguard-anycast disable
        set protocol udp
        set ddns-server-ip 173.243.138.225
    end

This comprehensive guide breaks down why this error happens and provides a step-by-step troubleshooting workflow to resolve it.

Root Causes of the Error

Resolving the "Unable to load FortiGuard DDNS servers list" error requires a structured diagnostic approach. First, administrators should verify DNS settings under Network > DNS, ensuring valid public DNS servers (such as Google's 8.8.8.8 or Fortinet's 208.91.112.52) are configured. Second, the diagnose debug application forticldd -1 command can be used in the CLI (Command Line Interface) to view real-time debug logs for the connection attempt, which often reveal time-out errors or DNS resolution failures.

If the server list loads but updates fail, restart the DDNS-specific daemon:

    fnsysctl killall ddnscd

Manual CLI Configuration (Workaround)

By default, FortiOS utilizes HTTPS port 443 or UDP port 53/8888 for FortiGuard communications. Some ISPs block or heavily throttle these ports. Changing the management port often forces a clean connection. To switch FortiGuard communication to use HTTPS port 443:

Confirm the DDNS domain resolves:

    exec traceroute globalddns.fortinet.net

If port 53 is blocked, switch to 8888 or 443:

    config system fortiguard
        set port 8888
    end

Restart the DDNS Process: Kill and restart the daemon to force a fresh update:

    fnsysctl killall ddnscd

Configure via CLI (Workaround):

    execute ping fortiguard.com
    execute ping update.fortiddns.com

The firewall cannot call home if its baseline routing or account state is broken. Run validation checks to guarantee external connectivity:

Ensure your FortiGate is configured to use reliable DNS servers (like FortiGuard's own or public ones like Google 8.8.8.8) to fetch the server list.

After running these commands, refresh your GUI and check the DDNS status.

2. Disable Anycast (FortiOS 7.0 and Higher)

Look for SYN packets leaving the WAN interface. If you do not see any matching SYN-ACK packets returning, an upstream provider or firewall is dropping the traffic.

2. Run Update Daemons Debug

If you are still experiencing trouble loading the list, please share:

If the FortiGate is part of an HA cluster, all members must have the same level of support licensing. A mismatch can cause one or more units to be unable to connect to FortiGuard.

Do you see any specific when running execute update-now?