Go to Network > Interfaces, edit your active WAN interface, and uncheck Override internal DNS. Via the CLI:
The FortiGate firewall relies on DNS to resolve the FortiGuard DDNS server names. If the DNS settings are incorrect or the firewall cannot reach the DNS servers, it will be unable to retrieve the server list. This is often the primary culprit, especially if the firewall obtains DNS servers via DHCP or PPPoE and overrides the manually configured ones.
Use the following commands:
A: 173.243.138.225 is the IP for globalddns.fortinet.net, used when anycast is enabled. 173.243.138.226 is the IP for ddns.fortinet.net, used when anycast is disabled. Using the wrong IP for your anycast setting will break the connection.
The FortiGate GUI restricts DDNS configuration on virtual machines (VMs), hardware models within the 1000-series or higher, and deployments running in Transparent Mode.
🚀 Step-by-Step Fixes to Restore the Server List
Whether you are running legacy FortiOS 6.x or the latest FortiOS 7.x deployments, resolving this bug requires fixing DNS conflicts, modifying anycast settings, or overriding interface protocols.
🛠️ Root Causes of the DDNS Server Loading Failure
A: Yes, but you need to check the option in the DDNS configuration. This forces the DDNS client to register the public IP address of your upstream router instead of the FortiGate's internal WAN IP.
: Newer FortiOS versions use Anycast for communication, which can sometimes experience TLS handshake failures (TLSv1.3).
Ensure there is a valid route (usually a default route) that allows the FortiGate to reach the FortiGuard servers. Also, inspect any firewall policies that might be blocking outbound traffic on the required ports (UDP 53, TCP 443, etc.).
Alternatively, temporarily set the policy to for testing.
In this deep-dive article, we will explore the root causes of this error, provide step-by-step diagnostic commands, and walk through permanent fixes—from DNS configuration to FortiGuard web filtering overrides.
: If the pings fail, navigate to System > Network > DNS in the GUI or use the CLI to verify your DNS server settings are correct. You can manually set known-good public DNS servers, such as Google's (8.8.8.8 and 8.8.4.4) or Fortinet's own (96.45.45.45, 96.45.46.46).
If FortiGuard is unreachable, try:
execute update-now