Unable To Load FortiGuard DDNS Server List On FortiGate Firewalls

If your FortiGate GUI displays "Unable to load FortiGuard DDNS server list," the firewall usually cannot resolve or reach FortiGuard's DDNS registration servers. This guide covers the common fixes, ranging from DNS configuration to CLI workarounds.

1. Disable "Override Internal DNS"

If your WAN interface receives its IP via DHCP or PPPoE, the ISP may be pushing DNS servers that cannot resolve the FortiGuard DDNS hostnames.

GUI: Go to Network > Interfaces, edit your WAN interface, and uncheck Override internal DNS.

CLI:

    config system interface
        edit "wan1"    # Replace with your actual WAN interface
            set dns-server-override disable
        next
    end

2. Adjust FortiGuard Anycast Settings (Recommended)

Modern FortiOS versions (6.4.2+) use Anycast for FortiGuard communication. Handshake failures or routing issues often block these connections, and disabling anycast and switching to UDP is a common workaround. Treat it as a diagnostic step: anycast mode carries FortiGuard traffic over HTTPS on port 443, so re-enable it once the underlying DNS or routing problem is fixed.

CLI Fix:

    config system fortiguard
        set fortiguard-anycast disable
        set protocol udp
        set ddns-server-ip 173.243.138.225    # Force a specific DDNS server
    end

Note: If the list still does not load with 173.243.138.225, some environments need 173.243.138.226 instead.

3. Verify DNS and Connectivity

The FortiGate must be able to resolve and reach globalddns.fortinet.net.

Test Resolution: Run execute ping globalddns.fortinet.net, execute ping service.fortiguard.net or execute ping www.fortinet.com from the CLI. What this tests is name resolution: the command prints the resolved address before sending probes and reports "Unable to resolve hostname" when DNS fails. ICMP may be filtered upstream, so missing replies alone do not prove a connectivity problem.

Check DNS Settings: Ensure you are using the FortiGuard DNS servers (96.45.45.45 and 96.45.46.46) or reliable public ones (e.g., 8.8.8.8).

4. Restart the DDNS Process

If the list still won't load, the internal DDNS daemon (ddnscd) may be stuck.

CLI:

    fnsysctl killall ddnscd

The system restarts the process automatically, forcing a fresh connection attempt.

5. Advanced Troubleshooting Commands

If the issue persists, use these debug commands to see the exact point of failure.

Check Status:

    diagnose test application ddnscd 3

Real-time Debug:

    diagnose debug application ddnscd -1
    diagnose debug enable

Wait 5-10 minutes for output, or restart the daemon as in step 4 to force an immediate attempt. When you are done, run diagnose debug disable and diagnose debug reset so the console is not flooded with debug messages.

6. Common Fixes

  • Ensure DNS servers are reachable and correct; switch to reliable resolvers (e.g., 1.1.1.1, 8.8.8.8) for testing.
  • Fix system time via NTP so TLS certificates validate.
  • Bypass or disable SSL/TLS interception for FortiGuard endpoints; add proxy CA to trusted store if interception is required.
  • Open outbound HTTPS and DNS in policies and allow traffic to FortiGuard IP ranges/domains.
  • If using an outbound proxy, configure FortiGate to use it correctly or create an exception for FortiGuard traffic.
  • Upgrade FortiOS to a version that addresses known FortiGuard/DDNS bugs; consult Fortinet release notes.
  • If changes don’t help, perform a factory-default test in a lab or run in debug mode and collect logs.
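A workstation-side preflight for the items above (DNS, outbound 443, TLS validity against the local clock and trust store, and interception), added here as an example; it is not code from Fortinet or from this page. Run it from a host that shares the FortiGate's internet egress, so it exercises the upstream path rather than the firewall's own configuration. The hostnames are the ones this guide names and are probed on HTTPS/443; the sample certificate dict is constructed, its issuer name is invented to show what an interception proxy looks like, and the mapping from OpenSSL verification messages to fixes is the author's own.

```python
# Workstation-side preflight for FortiGuard DDNS connectivity. Added example,
# not Fortinet code: checks DNS, TCP/443 and a verified TLS handshake.
import socket
import ssl
import time

# Hostnames named in this guide, probed on 443 (the port anycast mode uses).
FORTIGUARD_HOSTS = ["globalddns.fortinet.net", "service.fortiguard.net"]

# OpenSSL verification messages (ssl.SSLCertVerificationError.verify_message)
# mapped to the fix they usually point at; substring match, case-insensitive.
VERIFY_HINTS = [
    ("not yet valid", "clock skew: fix the system time via NTP"),
    ("has expired", "clock skew (or a genuinely expired cert): check NTP first"),
    ("self-signed certificate", "TLS interception: bypass FortiGuard endpoints or trust the proxy CA"),
    ("self signed certificate", "TLS interception: bypass FortiGuard endpoints or trust the proxy CA"),
    ("unable to get local issuer", "unknown issuer: TLS interception or a proxy CA that is not trusted"),
    ("hostname mismatch", "hostname mismatch: DNS answers point at the wrong server or a captive portal"),
]


def classify_verify_error(message: str) -> str:
    """Turn a certificate-verification failure into the fix to try."""
    lowered = message.lower()
    for needle, hint in VERIFY_HINTS:
        if needle in lowered:
            return hint
    return "other TLS verification failure: " + message


def _name_value(name, key):
    """Look up one attribute (e.g. organizationName) in a getpeercert() name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def describe_cert(cert: dict, now: float) -> dict:
    """Summarise a certificate in ssl.SSLSocket.getpeercert() dict form.

    `window` compares the validity period with `now` (epoch seconds), which is
    how a wrong clock shows up; `issuer_org` is what to inspect for TLS
    interception (a corporate proxy CA where a public CA is expected).
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        window = "not_yet_valid"
    elif now > not_after:
        window = "expired"
    else:
        window = "ok"
    return {
        "subject_cn": _name_value(cert.get("subject", ()), "commonName"),
        "issuer_org": _name_value(cert.get("issuer", ()), "organizationName"),
        "san": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "window": window,
        "days_left": int((not_after - now) // 86400),
    }


# Constructed sample in getpeercert() shape. The issuer is made up to look like
# an interception proxy rather than a public CA.
SAMPLE_CERT = {
    "subject": ((("commonName", "globalddns.fortinet.net"),),),
    "issuer": ((("organizationName", "Example Corporate Proxy CA"),),
               (("commonName", "Example Proxy Root"),)),
    "notBefore": "Jun 10 12:00:00 2024 GMT",
    "notAfter": "Jun 10 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "globalddns.fortinet.net"),),
}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Resolve, connect and complete a verified TLS handshake; never raises."""
    result = {"host": host, "dns": None, "tcp": None, "tls": None, "hint": None}
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        result["dns"] = sorted({info[4][0] for info in infos})
    except socket.gaierror as exc:
        result["dns"] = "FAIL: %s" % exc
        result["hint"] = "DNS: point the firewall at resolvers that answer for FortiGuard names"
        return result
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["tcp"] = "ok"
            try:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    result["tls"] = describe_cert(tls.getpeercert(), time.time())
            except ssl.SSLCertVerificationError as exc:
                msg = exc.verify_message or str(exc)
                result["tls"] = "FAIL: %s" % msg
                result["hint"] = classify_verify_error(msg)
            except OSError as exc:  # SSLError, timeout or reset during handshake
                result["tls"] = "FAIL: %s" % exc
                result["hint"] = "handshake failed before certificate checks: 443 filtered or proxied"
    except OSError as exc:
        result["tcp"] = "FAIL: %s" % exc
        result["hint"] = "TCP/443 blocked: open outbound HTTPS to FortiGuard"
    return result


if __name__ == "__main__":
    for h in FORTIGUARD_HOSTS:
        print(probe(h))
```

A clean run prints one dict per host with dns as a list of addresses, tcp ok, and a tls summary whose window is ok and whose issuer_org is a public CA. If the workstation succeeds but the FortiGate still fails, the problem is on the firewall itself (its DNS servers, source interface or routing, or the anycast setting). If the workstation's handshake succeeds only because it trusts your proxy CA, the issuer_org will name that proxy, and the FortiGate needs the same CA imported or an interception bypass for these hosts.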

7. Related Fortinet KB Articles

  • FD46806 – Unable to load FortiGuard DDNS server list
  • FD43219 – FortiGuard DDNS communication fails after 7.0.1 upgrade
  • FD37502 – How to configure custom DDNS provider on FortiGate

8. Root Cause Analysis

The inability to load the list is almost exclusively caused by connectivity issues between the FortiGate and Fortinet’s backend infrastructure (FortiGuard servers). The firewall requires a valid FortiGuard license and specific outbound network access to fetch this dynamic list.

Common root causes include:

  1. Expired or Invalid FortiGuard License: The entitlement for FortiGuard services has expired or has not been synchronized; run execute update-now to refresh it.
  2. DNS Resolution Failure: The FortiGate cannot resolve the hostnames of the FortiGuard servers.
  3. Firewall/ISP Blocking: Outbound traffic on required ports is blocked by an upstream device or the ISP.
  4. Routing and Source Interface: The interface or source IP the FortiGate uses for FortiGuard traffic (the default route, or whatever is set with source-ip or interface-select-method under config system fortiguard) has no path to the internet. Check the routing table with get router info routing-table all.