Unable To Load FortiGuard DDNS Servers List On FortiGate Firewalls 2021

The last command directly attempts to fetch the DDNS server list. Look for HTTP status 200 or an error code.

Force the FortiGate to use a specific unicast server:

This report details the diagnosis and resolution of an issue where a FortiGate firewall fails to populate the Dynamic DNS (DDNS) server list provided by FortiGuard. This issue typically manifests in the Graphical User Interface (GUI) under , where the "DDNS Server" dropdown menu is empty or displays a loading error. Without this list, administrators cannot configure automatic DDNS updates for domains hosted on FortiGuard servers.

| Cause Category | Specific Issue | FortiOS Versions Affected |
|----------------|----------------|----------------------------|
| | Firewall policy blocking outbound HTTPS to FortiGuard | All |
| DNS Resolution | Cannot resolve update.fortiguard.net or fortiguard.com | All |
| SSL/TLS | Expired or untrusted FortiGate system certificate | 6.2+, 7.0+ |
| FortiGuard Filtering | Web/DNS filter blocking FortiGuard itself | 6.4+ |
| Service Availability | Regional FortiGuard outage or maintenance | Rare, but occurs |
| Proxy Configuration | Explicit web proxy not configured or bypassed | All |
| Licensing | Expired FortiGuard Unified or DDNS license | 7.2+ |
| Bug/Firmware | Known bug in specific builds (e.g., 7.0.1–7.0.5) | See table below |

Inspect certificate/TLS issues

Open a CLI session and run a packet capture filtered for FortiGuard traffic to see if packets are leaving and returning:

```
diagnose sniffer packet any "port 443 or port 8888" 4 100 a
```

```
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "yourcustomname.fortiddns.com"
        set monitor-interface "wan1"
        set use-public-ip enable
end
```

Network Diagnostics

Specific firmware releases (such as certain builds across FortiOS 6.2, 7.2, and 7.6) suffer from internal I/O thread terminations during TLS negotiation within the DDNS client daemon, requiring an update or a CLI workaround.

Step 1: Disable "Override Internal DNS" on WAN Interfaces

Open your CLI terminal and execute the following command stack to explicitly assign the FortiGuard DDNS IP:

Open your CLI console and enter the following commands based on your network architecture:

When attempting to configure a new Dynamic DNS entry, the FortiGate cannot retrieve the list of available DDNS service providers (e.g., FortiGuard DDNS, No-IP, DynDNS). This results in an inability to select a server type, blocking the configuration of DDNS services.

If the issue persists, ensure you are running the latest patched version of FortiOS. Bugs related to FQDN resolution are often resolved in maintenance releases.

Alternative: Configuring DDNS via CLI

Ensure the policy from the FortiGate's internal interface to WAN allows HTTPS (443) to *.fortiguard.net and *.fortiddns.com.

Once enabled, navigate back to the page in the GUI to trigger a DDNS server list refresh. The CLI will output detailed logs. Look for specific errors such as "SSL CA check failed", "Connection timeout", or "Authentication failed". To stop the debug stream, type:

```
diagnose debug disable
```

Verifying the Solution

```
config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    # Force a specific DDNS server
    set ddns-server-ip 173.243.138.225
end
```

Create a dedicated for management traffic that does not inspect Fortinet domains:
