Unable to load FortiGuard DDNS server list on FortiGate firewalls (May 2026)
If Step 4.3 failed, ensure the following traffic is permitted outbound from the FortiGate's WAN IP:
Note: If the firewall reaches the internet through an explicit web proxy, configure FortiGuard to use that proxy from the CLI. The proxy path uses HTTPS on port 443. Note that source-ip only selects the address the FortiGate sends FortiGuard/DDNS traffic from; it is not a proxy setting:
    config system fortiguard
        set protocol https
        set port 443
        # Optional: source address used for FortiGuard/DDNS traffic
        set source-ip <interface_ip>
        # Only if a proxy is required:
        set proxy-server-ip <proxy_ip>
        set proxy-server-port <proxy_port>
    end
FortiGates treat the traffic they generate themselves (DNS lookups, DDNS updates, FortiGuard updates, NTP) differently from traffic passing through the device. This is called local-out traffic. Unlike forwarded traffic, local-out traffic is not matched against IPv4 firewall policies, so a missing policy is not what blocks it. What decides whether it reaches FortiGuard is the routing table (normally the default route out of the WAN interface), the source interface or source-ip the traffic is sent from, and any proxy configured for FortiGuard. A common oversight is a source-ip or management interface that has no route to the internet, or an upstream device that filters the FortiGate's WAN IP.
Quick test: confirm the default route points out the intended WAN interface, then send a ping sourced from that interface's own address (execute ping-options source <ip>, followed by execute ping service.fortiguard.net). Do not add a temporary from-any/to-wan1/source-all/destination-all/service-ALL/NAT policy as a test: it has no effect on self-originated traffic and leaves an overly broad rule behind if forgotten.
"Unable to load FortiGuard DDNS server list" on FortiGate firewalls typically indicates a breakdown in communication between the local device and Fortinet's FortiGuard Services
. The firewall then cannot retrieve the DDNS server list it needs to keep a hostname pointed at a dynamic public IP address.

Common Root Causes

DNS resolution failures: If the FortiGate cannot resolve globalddns.fortinet.net, it cannot fetch the server list. This often happens when a WAN interface obtains DNS from the ISP via DHCP/PPPoE and the ISP-supplied servers override the FortiGate's own DNS settings.

Anycast and protocol conflicts: Modern FortiOS versions use FortiGuard Anycast by default, which reaches FortiGuard over HTTPS on port 443; the legacy non-anycast path uses UDP on port 53 or 8888, and the system DNS itself defaults to DNS over TLS. A failed TLS handshake, or an ISP or upstream firewall blocking port 443, 8888 or 53, prevents the server list from loading.

Contract and system status: An expired FortiCare contract disables access to these cloud-based services.

Time synchronization: If the system clock is significantly off, certificate validation in the TLS handshake with FortiGuard fails and secure communication is blocked.

Step-by-Step Troubleshooting and Resolution

1. Verify basic connectivity
Ensure the device can reach the internet and resolve Fortinet domains from the FortiGate CLI:
    execute ping service.fortiguard.net
    execute ping update.fortiguard.net
A name that fails to resolve at all points to DNS (step 2). A name that resolves but gets no reply is not conclusive on its own, because ICMP is often filtered upstream. The DDNS host globalddns.fortinet.net can be checked the same way.

2. Fix DNS overrides
If the WAN interface uses DHCP or PPPoE, disable the setting that lets the ISP override your DNS, as this often breaks FortiGuard resolution.
GUI: Network > Interfaces > edit the WAN interface > unselect "Override internal DNS".
CLI:
    config system interface
        edit <wan_interface>
            set dns-server-override disable
        next
    end
Afterwards confirm that the DNS servers the FortiGate actually uses are the ones configured under Network > DNS.

3. Disable Anycast and fall back to UDP
Many connectivity issues are resolved by disabling FortiGuard Anycast and switching to the legacy UDP transport. Disable anycast first; with anycast enabled FortiOS expects the HTTPS/443 transport:
    config system fortiguard
        set fortiguard-anycast disable
        set protocol udp
        set port 53
        # use 8888 instead if the ISP blocks UDP 53
    end
Treat this as a troubleshooting fallback: once the list loads, find and remove whatever blocked the default HTTPS path and re-enable anycast rather than leaving the workaround in place.

4. Manually set the DDNS server IP
If the list still will not load automatically, point the device at a known FortiGuard DDNS server (with anycast disabled): 173.243.138.226, or 173.243.138.225 as an alternative:
    config system fortiguard
        set ddns-server-ip 173.243.138.226
    end
Remove the pinned address once automatic loading works again; a hard-coded IP silently breaks if Fortinet renumbers the service.

5. Restart the DDNS daemon
If the configuration is correct but the GUI still shows the error, restart the DDNS client process; FortiOS respawns it and it re-reads the configuration:
    fnsysctl killall ddnscd

Advanced Debugging
If the error persists, watch the daemon's real-time output from the CLI:
    diagnose debug application ddnscd -1
    diagnose debug enable
Reproduce the failure (or repeat step 5) and read the errors it prints, then turn debugging off with diagnose debug disable followed by diagnose debug reset so the debug output does not keep running in the background.
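The following is an added example, not Fortinet code or anything from the original page: an offline linter that reads a FortiOS configuration dump in the `config ... end` / `edit ... next` / `set key value` format printed by `show full-configuration` and reports the misconfigurations that steps 2 to 4 above correct (ISP DNS override left enabled on a DHCP/PPPoE WAN interface, anycast still enabled while the transport was switched to UDP, UDP on a port other than 53/8888, and no pinned DDNS server IP with anycast disabled). The two configuration dumps are constructed for the demo, and the defaults assumed for absent keys (dns-server-override enable, anycast enable, https/443, ddns-server-ip 0.0.0.0) are assumptions about current FortiOS releases rather than something the page states.

```python
"""Offline linter for the FortiOS settings adjusted in steps 2 to 4.

Added example; not Fortinet code. Parses the `show full-configuration`
block format and applies the checks described in the steps.
"""

# Constructed "broken" dump (not captured from a device): ISP DNS override
# still on, anycast still enabled while protocol/port were set to UDP/53.
BROKEN_CONFIG = """\
config system interface
    edit "wan1"
        set mode dhcp
        set dns-server-override enable
    next
    edit "internal"
        set mode static
        set ip 192.168.1.99 255.255.255.0
    next
end
config system fortiguard
    set fortiguard-anycast enable
    set protocol udp
    set port 53
end
"""

# Constructed dump after applying steps 2 to 4.
FIXED_CONFIG = """\
config system interface
    edit "wan1"
        set mode dhcp
        set dns-server-override disable
    next
end
config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set ddns-server-ip 173.243.138.226
end
"""

LEGACY_UDP_PORTS = {"53", "8888"}   # non-anycast FortiGuard ports (step 3)


def parse_fortios(text):
    """Return {section: {entry_or_None: {key: value}}} for a config dump.

    A stack tracks config/edit nesting; sections that have no `edit`
    entries keep their settings under the None key. Quotes are dropped.
    """
    sections = {}
    stack = []                      # [section_name, current_entry]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            name = line[len("config "):]
            sections.setdefault(name, {})
            stack.append([name, None])
        elif line.startswith("edit "):
            stack[-1][1] = line[len("edit "):].strip('"')
            sections[stack[-1][0]].setdefault(stack[-1][1], {})
        elif line == "next":
            stack[-1][1] = None
        elif line == "end":
            stack.pop()
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            name, entry = stack[-1]
            sections[name].setdefault(entry, {})[key] = value.strip().strip('"')
    return sections


def lint(sections):
    """Apply the step 2 to 4 checks; returns a list of finding strings."""
    findings = []
    for name, iface in sections.get("system interface", {}).items():
        # Step 2: ISP-supplied DNS overriding the FortiGate's own servers.
        if iface.get("mode") in ("dhcp", "pppoe") \
                and iface.get("dns-server-override", "enable") == "enable":
            findings.append(f"{name}: ISP DNS override enabled; "
                            "set dns-server-override disable (step 2)")
    fg = sections.get("system fortiguard", {}).get(None, {})
    anycast = fg.get("fortiguard-anycast", "enable")      # assumed default
    proto, port = fg.get("protocol", "https"), fg.get("port", "443")
    # Step 3: anycast uses https/443; UDP 53/8888 is the non-anycast path.
    if anycast == "enable" and (proto, port) != ("https", "443"):
        findings.append(f"anycast enabled but transport is {proto}/{port}; "
                        "disable anycast before using udp (step 3)")
    if anycast == "disable" and proto == "udp" and port not in LEGACY_UDP_PORTS:
        findings.append(f"udp on port {port}; non-anycast FortiGuard uses "
                        "53 or 8888 (step 3)")
    # Step 4: with anycast off, a pinned DDNS server IP is the fallback.
    if anycast == "disable" and fg.get("ddns-server-ip", "0.0.0.0") == "0.0.0.0":
        findings.append("anycast disabled and no ddns-server-ip pinned; "
                        "consider step 4 if the list still fails to load")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in lint(parse_fortios(cfg)) or ["no findings"]:
            print(" -", finding)
```

Feed it the output of `show full-configuration system interface` and `show full-configuration system fortiguard` pasted into one file; with the broken dump it reports the wan1 override and the anycast/UDP mismatch, and with the fixed dump it reports nothing. It deliberately does not try to detect the network-side causes (blocked ports, expired contract, clock skew), which only the live checks in steps 1 and 5 and the debug output can reveal.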