Unable To Load Fortiguard Ddns Servers List On Fortigate Firewalls Fix May 2026

When the error shown on a FortiGate firewall is "Unable to load FortiGuard DDNS servers list," it typically indicates a communication failure between the device and FortiGuard services. This prevents the GUI from populating the drop-down menu with available DDNS domains.

Primary Causes and Solutions

DNS Override Issues: If the WAN interface uses DHCP or PPPoE, it may be inheriting ISP DNS servers that cannot resolve FortiGuard domains. Under Network > Interfaces, edit the WAN interface, and disable Override internal DNS.

Anycast Incompatibility: Newer FortiOS versions use Anycast by default, which can sometimes fail due to ISP filtering or TLS handshake issues (e.g., TLSv1.3 failures). Disable Anycast and switch to a dedicated IP via CLI:

    config system fortiguard
        set fortiguard-anycast disable
        set ddns-server-ip <DDNS server IP>
        set protocol udp
    end

FortiGuard Subscription Status: An expired FortiCare contract can block access to these service lists. Verify your license status in the

Upstream Filtering: Firewalls or ISPs may block ports 53 (UDP), 443 (HTTPS), or 8888 (UDP) used for FortiGuard communication. Try switching the FortiGuard port to 8888 in the CLI if 53 is blocked.

Troubleshooting Steps

Verify Connectivity: Ensure the FortiGate can resolve and reach Fortinet domains.

    execute ping service.fortiguard.net
    execute ping update.fortiguard.net

Check DDNS Daemon: Use the CLI to check the actual status returned by the DDNS client (shows server IP and domain counts).

    diagnose test application ddnscd 3

Restart Services: If the GUI remains stuck, force a restart of the update and DDNS daemons.

    fnsysctl killall updated
    fnsysctl killall ddnscd

System Time: Ensure the system time and date are correct, as large discrepancies can cause SSL/TLS handshake failures with FortiGuard.

Title: Troubleshooting Connectivity: Resolving the "Unable to Load FortiGuard DDNS Servers List" Error on FortiGate Firewalls

Introduction

In the landscape of enterprise network security, Fortinet’s FortiGate firewalls act as the first line of defense against cyber threats. To maintain robust security postures, these devices rely heavily on real-time communication with Fortinet’s backend infrastructure, known as FortiGuard services. One critical feature often utilized by administrators is Dynamic DNS (DDNS), which allows the firewall to maintain a consistent domain name despite changes in its dynamic WAN IP address. However, administrators frequently encounter a perplexing error message during configuration: "Unable to load FortiGuard DDNS servers list." This essay explores the technical roots of this error, analyzing the roles of DNS resolution, routing logic, and protocol dependencies, and provides a systematic approach to resolving the issue.

The Role of FortiGuard Connectivity

To understand why the DDNS list fails to load, one must first understand how the FortiGate retrieves this data. The drop-down menu in the graphical user interface (GUI) is not a static list hardcoded into the device; rather, it is dynamically generated by querying Fortinet’s servers. When an administrator attempts to configure DDNS, the firewall initiates a secure connection to Fortinet to fetch the available DDNS service providers (such as FortiDDNS, DynDNS, or No-IP). Consequently, an inability to load this list is symptomatic of a broader connectivity issue between the firewall and the FortiGuard infrastructure.

Primary Causes: DNS and Routing Issues

The most common culprit behind this error is Domain Name System (DNS) failure. FortiGate firewalls require a valid DNS configuration to resolve the hostnames of FortiGuard servers. If the firewall is configured to use internal DNS servers that are unreachable or misconfigured, or if the firewall itself lacks internet access, the query to Fortinet will fail. This is particularly common in "air-gapped" or isolated lab environments where the firewall has no path to the public internet.

Furthermore, routing issues often coincide with DNS failures. If the firewall’s management interface is on a dedicated management VDOM (Virtual Domain) or VLAN that has restricted access to the internet, the DNS queries may be blocked by the firewall’s own policies. The firewall must have a valid route to the internet and an allowing firewall policy (typically from the management interface or the source interface to the WAN) to facilitate these updates.

Protocol Dependencies: Port UDP 53 and TCP 8888

While DNS resolution is a prerequisite, the specific mechanism used by FortiGate to communicate with FortiGuard servers adds another layer of complexity. Historically, FortiGate devices utilized UDP port 53 for FortiGuard queries. However, modern FortiOS versions increasingly rely on TCP port 8888 for secure communication with FortiGuard servers.

If the network topology includes upstream routers or firewalls, or if strict local firewall policies are in place, these ports may be inadvertently blocked. A misconfigured Access Control List (ACL) blocking TCP/8888 on the WAN interface will prevent the firewall from retrieving the DDNS list, even if standard DNS resolution for general browsing is working correctly. Therefore, administrators must verify that the firewall can initiate outbound connections on these specific ports.

License and VDOM Considerations

Although less common, licensing and Virtual Domain (VDOM) configurations can also trigger this error. If the FortiGate’s support contract has expired, certain FortiGuard services may become unavailable, potentially affecting dynamic content fetching. Additionally, in environments utilizing VDOMs, the "Global" settings for management traffic must be carefully examined. If the management traffic is pinned to a specific VDOM that lacks internet access, the "root" VDOM (or whichever VDOM is attempting the fetch) will fail to retrieve the list.

Troubleshooting Methodology

Resolving the "Unable to load FortiGuard DDNS servers list" error requires a structured diagnostic approach. First, administrators should verify DNS settings under Network > DNS, ensuring valid public DNS servers (such as Google’s 8.8.8.8 or Fortinet’s 208.91.112.52) are configured. Second, the diagnose debug application forticldd -1 command can be utilized in the CLI (Command Line Interface) to view real-time debug logs regarding the connection attempt, often revealing time-out errors or DNS resolution failures.

Furthermore, the exec ping command should be used to test basic internet connectivity, and diagnose firewall auth list can help verify routing paths. Finally, administrators should check firewall policies to ensure that traffic originating from the firewall’s interface (management or WAN) is permitted to reach the internet on the necessary ports.

Conclusion

The error "Unable to load FortiGuard DDNS servers list" serves as an indicator of a breakdown in the essential communication link between a FortiGate firewall and the Fortinet security fabric. While the error appears superficially as a UI glitch, it is rooted in fundamental networking principles: DNS resolution, proper routing, and open transmission channels via specific TCP ports. By methodically verifying DNS configurations, checking routing tables, and ensuring required ports are open, network administrators can swiftly restore functionality. Ultimately, resolving this issue not only enables the DDNS feature but also validates the overall health of the firewall’s connectivity, ensuring it can continue to receive vital security updates and threat intelligence.

The "Unable to load FortiGuard DDNS servers list" error is a common issue typically caused by DNS configuration conflicts, communication protocol mismatches, or firmware-specific bugs. It generally occurs when the FortiGate firewall cannot reach the FortiGuard servers to retrieve available domain options.

Core Causes and Solutions

1. DNS Override Conflict

On interfaces using DHCP or PPPoE, the ISP may push its own DNS servers. If the firewall is set to "Override internal DNS," it might use ISP servers that cannot resolve FortiGuard's specific DDNS domains. Fix: Disable "Override internal DNS" on the WAN interface.

GUI: Network -> Interfaces -> Edit WAN -> Uncheck 'Override internal DNS'.

CLI:

    config system interface
        edit "wan1"
            set dns-server-override disable
    end

2. Communication Protocol & Anycast Issues

Newer versions of FortiOS often use Anycast for FortiGuard services, which can sometimes fail depending on your ISP or network path. Fix: Disable Anycast and force the use of UDP/Unicast.

CLI:

    config system fortiguard
        set fortiguard-anycast disable
        set protocol udp
        set port 8888 # Optional: Try port 8888 if 53 is blocked
    end

3. DNS Server Selection

FortiGuard DDNS services often require the firewall itself to be configured to use FortiGuard DNS servers.

Fix: In Network -> DNS, ensure "Use FortiGuard Servers" is selected. If this fails, temporarily switch to a public DNS (like Google 8.8.8.8) to verify if the issue is with the FortiGuard servers themselves.

4. Firmware & Service Status

Known Bugs: Version 7.0.0 had documented issues with DDNS loading that were largely resolved in later patches like 7.0.1.

License Validation: Ensure your FortiCare contract is valid, as DDNS is a subscription-linked service.

Troubleshooting Checklist

  • Verify Connection: Ping FortiGuard servers from CLI. Command/Path: exec ping service.fortiguard.net
  • Check DDNS Status: Run a diagnostic test. Command/Path: diagnose test application ddnscd 3
  • Restart Service: Force the DDNS daemon to restart. Command/Path: fnsysctl killall ddnscd
  • Manual Reconfig: Delete and recreate the DDNS entry. Command/Path: config system ddns -> delete 1

Troubleshooting: "Unable to Load FortiGuard DDNS Server List" on FortiGate

If you are trying to configure Dynamic DNS and seeing the frustrating "Unable to load FortiGuard DDNS server list" error in your FortiGate GUI, you are not alone. This common issue usually stems from the firewall’s inability to resolve or reach the FortiGuard DDNS infrastructure, often due to DNS conflicts or stuck background processes.

Here is a step-by-step guide to fixing the issue and getting your DDNS back online.

1. Disable "Override Internal DNS"

The most frequent cause is a WAN interface (DHCP or PPPoE) that is automatically pulling DNS settings from your ISP. These ISP servers often fail to resolve the required globalddns.fortinet.net domain.

GUI Fix: Navigate to Network > Interfaces, edit your WAN interface, and uncheck Override internal DNS.

CLI Fix:

    config system interface
        edit "wan1" # Replace with your actual WAN interface name
            set dns-server-override disable
        next
    end

2. Verify Core Connectivity

Ensure your FortiGate can actually communicate with Fortinet's servers.

Check DNS Resolution: Run execute ping www.fortinet.com in the CLI. If it fails, your general DNS settings under Network > DNS need correction.

Check FortiCare Status: DDNS is a licensed feature. Verify your FortiCare contract is active in the Dashboard.

Check Port 53: Ensure no local firewall policies are blocking UDP port 53 traffic from the FortiGate itself.

3. Restart the DDNS Client Daemon

Sometimes the internal client process (ddnscd) becomes unresponsive, especially after a firmware upgrade or IP change. You can force it to restart and refresh the server list with this command:

    fnsysctl killall ddnscd

The system will automatically restart this process immediately after it is terminated.

4. Advanced CLI Configuration (Workaround)

If the GUI still won't populate the list, you can bypass the visual menu and configure DDNS directly via the CLI.

    config system ddns
        edit 1
            set monitor-interface "wan1"
            set ddns-server FortiGuardDDNS
            set ddns-domain "your-chosen-subdomain"
        next
    end

Available domains typically include fortiddns.com, fortidyndns.com, and float-zone.com.

5. Final Checks

Firmware: If you are on an older version of FortiOS, consider upgrading to the latest stable release, as many DDNS resolution bugs were patched in recent builds.

SSL Version: In rare cases, a protocol mismatch can cause issues. Setting the minimum SSL version to TLS 1.2 or higher is recommended.

For more detailed technical documentation, you can visit the official Fortinet Document Library.


5. Diagnostic Steps (CLI-based)

7. Conclusion

The failure to load the DDNS servers list is typically a symptom of a broader connectivity or licensing issue rather than a defect in the DDNS feature itself. By ensuring the FortiGate has valid DNS resolution, valid licensing, and unrestricted outbound access to fortinet.net domains on port 443, the list will populate successfully.

The error "Unable to load FortiGuard DDNS server list" typically occurs when the FortiGate firewall cannot reach FortiGuard services to retrieve the list of available Dynamic DNS servers.

Common Fixes

Disable DNS Overrides on WAN: If your WAN interface uses DHCP or PPPoE, it may be receiving ISP-provided DNS servers that cannot resolve FortiGuard domains like globalddns.fortinet.net. Under Network > Interfaces, edit your WAN interface, and unselect Override internal DNS.

    config system interface
        edit <WAN interface name>
            set dns-server-override disable
        next
    end

Switch to Unicast & UDP: FortiGuard services sometimes fail when using the default Anycast protocol. Forcing UDP can bypass handshake issues.

    config system fortiguard
        set fortiguard-anycast disable
        set protocol udp
        # Optional: Try port 53 if 8888 is blocked
    end

Restart the DDNS Daemon: If the service is stuck, killing the process will force a refresh.

    fnsysctl killall ddnscd

Verification Steps

Check License Status: Ensure your FortiCare contract is active under

Test Connectivity: Confirm the firewall can resolve and ping Fortinet servers via CLI:

    exec ping update.fortiguard.net

Validate System Time: Incorrect time/date can cause SSL certificate errors that block communication. Sync with an NTP server if needed.

To fix the "Unable to load FortiGuard DDNS server list" error on a FortiGate firewall, you must ensure the device can properly resolve and reach Fortinet's global DDNS domain. This error usually stems from DNS resolution conflicts or blocked management traffic.

1. Disable DNS Server Overrides

If your WAN interface receives its IP via DHCP or PPPoE, it may be automatically using ISP-provided DNS servers that cannot resolve FortiGuard domains like globalddns.fortinet.net.

GUI Method: Navigate to Network > Interfaces, edit your WAN interface, and unselect Override internal DNS.

CLI Method:

    config system interface
        edit "wan1" # Or your specific WAN interface
            set dns-server-override disable
    end

2. Verify System DNS Settings

Ensure your FortiGate is configured to use reliable DNS servers (like FortiGuard's own or public ones like Google 8.8.8.8) to fetch the server list.

Go to Network > DNS and confirm Use FortiGuard Servers is selected.

Test connectivity in the CLI: execute ping www.fortinet.com.

3. Restart the DDNS Daemon

If the configuration is correct but the list still won't populate, the internal DDNS client process (ddnscd) may be stuck.

Run the following CLI command to force a restart of the service:

    fnsysctl killall ddnscd

The system will automatically restart this process immediately.

4. Adjust FortiGuard Connectivity

Network restrictions or ISP interference on standard ports (like 53 or 443) can prevent the server list from loading.

Disable Anycast: Sometimes Anycast routing causes connection failures. Try switching to a static communication port:

    config system fortiguard
        set fortiguard-anycast disable
        set protocol udp
        set port 8888 # Or 53
    end

5. Check Support Contract & Firmware

License: Verify your FortiCare contract is valid under System > FortiGuard; expired licenses can disable certain FortiGuard services.

Firmware: Buggy older versions of FortiOS sometimes fail to load these lists; ensure you are on a current, stable firmware release.

Result: The FortiGuard DDNS server list should now populate in the dropdown menu under Network > DNS, allowing you to select a server and configure your hostname.

"Unable to load FortiGuard DDNS server list" on FortiGate firewalls typically indicates a breakdown in communication between the local device and Fortinet's FortiGuard Services. This issue prevents the firewall from retrieving the necessary dynamic DNS (DDNS) server metadata required to maintain reachable hostnames for dynamic public IP addresses.

Common Root Causes

DNS Resolution Failures: If the FortiGate cannot resolve globalddns.fortinet.net, it cannot reach the server list. This often occurs when WAN interfaces obtain DNS from an ISP via DHCP/PPPoE, which might overwrite internal FortiGuard-specific DNS settings.

Anycast & Protocol Conflicts: Modern FortiOS versions use Anycast (DNS over TLS) by default. Handshake failures or ISP blocking of port 8888 or 53 can prevent the server list from loading.

Contractual & System Status: An expired FortiCare contract will disable access to these cloud-based services.

Time Synchronization: If the system time is significantly off, SSL handshake failures will occur, blocking secure communication with FortiGuard.

Step-by-Step Troubleshooting and Resolution

1. Verify Basic Connectivity

Ensure the device can reach the internet and resolve Fortinet domains using the FortiGate CLI:

    execute ping service.fortiguard.net
    execute ping update.fortiguard.net

2. Fix DNS Overwrites

If using DHCP/PPPoE on your WAN, disable the setting that allows the ISP to override your DNS, as this often breaks FortiGuard resolution: Network > Interfaces > Edit WAN > Unselect Override internal DNS.

    config system interface
        edit <WAN interface name>
            set dns-server-override disable
        next
    end

3. Disable Anycast and Switch to UDP

Many connectivity issues are resolved by disabling the Anycast protocol and switching to standard UDP communication:

    config system fortiguard
        set fortiguard-anycast disable
        set protocol udp
        # or 8888 if 53 is blocked by ISP
    end

4. Manually Set the DDNS Server IP

If the list still won't load automatically, you can manually point the device to a known FortiGuard DDNS server IP. For Anycast disabled: 173.243.138.226. Alternative: 173.243.138.225.

    config system fortiguard
        set ddns-server-ip <IP from the list above>
    end

5. Restart the DDNS Daemon

If the configuration is correct but the GUI remains stuck, force a restart of the DDNS client process:

    fnsysctl killall ddnscd

Advanced Debugging

If the error persists, technicians can use the Fortinet Community Support debug tools to see real-time errors:

    diagnose debug application ddnscd -1
    diagnose debug enable
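The settings these fixes touch can also be checked offline against a configuration backup. The following is an added example, not code from the original page or from Fortinet: a small Python check that parses FortiOS config/edit/set blocks and reports where a configuration differs from the state the fixes above produce, plus an ssl-min-proto-version below TLS 1.2. The sample configuration is constructed, and treating an absent dns-server-override or fortiguard-anycast line as enabled is an assumption about defaults.

```python
import re

# Constructed sample laid out like a FortiOS configuration backup.
# Hostname, interface names and values are illustrative only.
SAMPLE_CONFIG = """\
config system global
    set hostname "lab-fgt"
    set ssl-min-proto-version TLSv1-1
end
config system interface
    edit "wan1"
        set mode dhcp
        set allowaccess ping
    next
    edit "wan2"
        set mode pppoe
        set dns-server-override disable
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
    next
end
config system fortiguard
    set fortiguard-anycast enable
    set protocol https
    set port 443
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into nested dicts."""
    root = {}
    stack = [("root", root)]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#'-prefixed header or comment lines
        word, _, rest = line.partition(" ")
        rest = rest.strip()
        current = stack[-1][1]
        if word == "config":
            stack.append(("config", current.setdefault(rest, {})))
        elif word == "edit":
            stack.append(("edit", current.setdefault(rest.strip('"'), {})))
        elif word == "set":
            key, _, value = rest.partition(" ")
            current[key] = value.strip().strip('"')
        elif word == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif word == "end":
            # 'end' typed inside an 'edit' closes the edit and its section.
            while len(stack) > 1 and stack.pop()[0] != "config":
                pass
    return root


def tls_minor(value):
    """Return the TLS 1.x minor version, -1 for SSL, None if unrecognised."""
    if value.lower().startswith("ssl"):
        return -1
    m = re.fullmatch(r"TLSv?1(?:[-.](\d))?", value, re.IGNORECASE)
    return int(m.group(1) or 0) if m else None


def audit(cfg):
    """List settings that differ from the state the page's fixes produce."""
    findings = []
    for name, intf in cfg.get("system interface", {}).items():
        mode = intf.get("mode")
        # Assumption: no explicit line means the override is left enabled.
        override = intf.get("dns-server-override", "enable")
        if mode in ("dhcp", "pppoe") and override == "enable":
            findings.append(f"{name}: dns-server-override enabled on {mode} interface")
    fg = cfg.get("system fortiguard", {})
    # Assumption: anycast is on unless explicitly disabled.
    if fg.get("fortiguard-anycast", "enable") == "enable":
        findings.append("fortiguard: anycast enabled")
    elif fg.get("protocol") != "udp":
        findings.append(f"fortiguard: anycast disabled but protocol is {fg.get('protocol')}")
    minimum = cfg.get("system global", {}).get("ssl-min-proto-version")
    if minimum is not None:
        minor = tls_minor(minimum)
        if minor is not None and minor < 2:
            findings.append(f"global: ssl-min-proto-version {minimum} is below TLS 1.2")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```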

Subject: Unable to Load FortiGuard DDNS Servers List on FortiGate Firewalls

Issue Description: Are you experiencing issues with loading the FortiGuard DDNS (Dynamic DNS) servers list on your FortiGate firewalls? If you're seeing an error message or the list is not populating, you're not alone. This post aims to provide troubleshooting steps and potential solutions to resolve the issue.

Possible Causes:

  1. FortiGuard Service Status: Ensure that the FortiGuard service is up and running. You can check the service status on the FortiGate by going to System > FortiGuard.
  2. Internet Connectivity: Verify that your FortiGate has a stable internet connection. A loss of connectivity can prevent the DDNS server list from loading.
  3. DNS Resolution: Ensure that your FortiGate can resolve the FortiGuard DDNS server names. You can test DNS resolution using the execute ping command.
  4. Firewall Policies: Review your firewall policies to ensure that they are not blocking the FortiGuard DDNS server list.

Troubleshooting Steps:

  1. Check FortiGuard Service Status:
    • Go to System > FortiGuard.
    • Verify that the FortiGuard Service Status is Up.
    • If the status is Down, try restarting the service or contacting Fortinet Support.
  2. Verify Internet Connectivity:
    • Check your internet connection and ensure that it's stable.
    • Test connectivity using execute ping .
  3. Test DNS Resolution:
    • Use the execute ping command to test DNS resolution for the FortiGuard DDNS server names (e.g., execute ping ddns.fortiguard.com).
    • If DNS resolution fails, check your DNS settings.
  4. Update FortiGate Firmware:
    • Ensure that your FortiGate is running the latest firmware.
    • Outdated firmware might cause compatibility issues with the FortiGuard DDNS server list.

Additional Solutions:

  1. Manually Update DDNS Server List:
    • If the issue persists, try manually updating the DDNS server list by going to System > FortiGuard and clicking Update.
  2. Reset FortiGuard Configuration:
    • If all else fails, try resetting the FortiGuard configuration to its default settings.

Still Stuck? If none of these steps resolve the issue, please provide more details about your setup, including:

  • FortiGate model and firmware version
  • FortiGuard service status
  • Any error messages

I'll do my best to help you troubleshoot the issue or point you in the right direction for further assistance.

If your FortiGate GUI displays the error "Unable to load FortiGuard DDNS server list," you are likely unable to select a domain for your dynamic DNS configuration. This common issue typically stems from DNS resolution conflicts, Anycast protocol interference, or specific interface settings that block communication with FortiGuard.

1. Disable "Override Internal DNS"

The most common cause is a WAN interface obtaining DNS settings via DHCP or PPPoE that override the system's ability to reach FortiGuard services.

GUI Method: Navigate to Network > Interfaces, edit your WAN interface, and uncheck Override internal DNS.

CLI Method:

    config system interface
        edit "wan1"
            set dns-server-override disable
        next
    end

2. Disable Anycast for FortiGuard

FortiOS versions 6.4 and later use Anycast by default to connect to FortiGuard. If your network environment has trouble routing Anycast traffic, disabling it often forces a successful connection via standard Unicast.

Run the following commands to switch to the Fortinet-preferred UDP protocol:

    config system fortiguard
        set fortiguard-anycast disable
        set protocol udp
        set port 8888 # Optional: Try port 443 or 53 if 8888 is blocked
    end

Wait 1–2 minutes after applying this before refreshing the DDNS page.

3. Verify Basic Connectivity

If the server list still won't load, ensure the firewall itself can reach the internet and resolve Fortinet's service domains.

Check DNS Resolution: Run execute ping update.fortiguard.net in the CLI.

Check License Status: The FortiGuard DDNS list requires a valid FortiCare contract. Check the License Information widget on your dashboard to ensure "FortiGuard Support" is green.

Check VDOM Management: If using VDOMs, ensure the Management VDOM has a valid route to the internet, as it handles these service requests.

4. Advanced Debugging

If the GUI remains empty, use the following CLI commands to see the real-time interaction between your firewall and the DDNS servers:


The issue "Unable to load FortiGuard DDNS server list" on FortiGate firewalls typically prevents you from selecting a DDNS server in the GUI, often occurring after firmware upgrades or due to DNS/network configuration conflicts.

Common Root Causes

DNS Server Overrides: If your WAN interface uses DHCP or PPPoE, it may be overriding your internal DNS settings with ISP-provided servers that cannot resolve globalddns.fortinet.net.

FortiGuard Port Blocking: ISPs or upstream firewalls may block traffic on Port 53 (proprietary UDP) or Port 8888, which FortiGuard uses for communication.

Expired Licenses: A valid FortiCare contract is often required to communicate with FortiGuard servers for DDNS services.

Service Daemon Glitches: The internal DDNS client daemon (ddnscd) may become unresponsive.

Troubleshooting Steps

Disable DNS Overrides:

GUI: Go to Network -> Interfaces, edit your WAN interface, and ensure Override internal DNS is disabled.

CLI:

    config system interface
        edit "wan1"
            set dns-server-override disable
        next
    end

Verify Connectivity & DNS:

Test if the firewall can reach the internet: exec ping www.fortinet.com.

Confirm the DDNS domain resolves: exec traceroute globalddns.fortinet.net.

Adjust FortiGuard Communication Port: If Port 53 is blocked, switch to 8888 or 443:

    config system fortiguard
        set port 8888
    end

Restart the DDNS Process: Kill and restart the daemon to force a fresh update:

    fnsysctl killall ddnscd

Configure via CLI (Workaround):

If the GUI list remains empty, you can manually set the server in the CLI:

    config system ddns
        edit 1
            set ddns-server FortiGuardDDNS
            set ddns-domain "yourname.fortiddns.com"
            set monitor-interface "wan1"
        next
    end

Verification

Check the status of your DDNS configuration and the server IP resolved by the FortiGate using the Fortinet Community Guide for detailed command outputs.

"Unable to load FortiGuard DDNS server list" on a FortiGate firewall typically occurs due to a communication failure between the device and the FortiGuard network, often caused by DNS overrides, protocol mismatches, or Anycast issues.

Immediate Fixes

Disable DNS Server Override: If your WAN interface uses DHCP or PPPoE, the ISP's DNS might be overriding FortiGuard's internal DNS, preventing proper resolution. Under Network > Interfaces, edit your WAN interface, and uncheck Override internal DNS.

    config system interface
        edit <WAN interface name>
            set dns-server-override disable
        next
    end

Disable Anycast & Use UDP: Anycast can sometimes fail to find a valid server path. Disabling it and switching to standard UDP often restores the list.

    config system fortiguard
        set fortiguard-anycast disable
        set protocol udp
    end

Manually Set DDNS Server IP: If the list still won't load, manually specifying a known FortiGuard DDNS server IP can bypass the discovery process. Common IPs: 173.243.138.225, 173.243.138.226.

    config system fortiguard
        set ddns-server-ip <one of the IPs above>
    end

Advanced Troubleshooting

Verify Connectivity: Ensure the firewall can reach the FortiGuard domains. From the CLI, try to ping update.fortiguard.net and service.fortiguard.net.

Restart the DDNS Daemon: If the service is stuck, killing the process will force a restart and a fresh attempt to fetch the list.

    fnsysctl killall ddnscd

Check SSL Versions: A handshake failure (common in older versions like v7.0) may require you to lower the minimum SSL version if there is a protocol mismatch.

    config system global
        set ssl-min-proto-version TLSv1
    end

Hardware/Firmware Limitations: Note that the DDNS menu is automatically hidden in the GUI if you are using custom DNS servers instead of FortiGuard Servers. It is also unavailable on high-end appliances, FortiGate-VMs, or when in transparent mode.

For persistent issues, you can review detailed logs using:

    diagnose debug application ddnscd -1
    diagnose debug enable

Troubleshooting: "Unable to Load FortiGuard DDNS Servers List" on FortiGate

If you’re trying to set up Dynamic DNS (DDNS) on your FortiGate and hitting the error "Unable to load FortiGuard DDNS server list," you aren’t alone. This common issue usually stems from a breakdown in communication between your firewall and FortiGuard services.

1. Disable "Override Internal DNS"

The most frequent cause is when your WAN interface (set to DHCP or PPPoE) is configured to use the ISP's DNS servers instead of FortiGuard's. If the ISP's DNS cannot resolve globalddns.fortinet.net, the server list will fail to load.

GUI Fix: Navigate to Network > Interfaces, edit your WAN interface, and uncheck Override internal DNS.

CLI Fix:

    config system interface
        edit "wan1"
            set dns-server-override disable
    end

2. Verify Basic Connectivity and DNS

If the firewall cannot reach the internet or resolve domains, it won't fetch the server list.

Test Resolution: Run execute ping www.fortinet.com from the CLI.

Check FortiGuard Connectivity: Go to System > FortiGuard and verify that your licenses are active and the FortiGate can reach FortiGuard servers.

3. Adjust Protocol and Ports

Sometimes, SSL negotiation fails or a specific port is blocked.

Change Communication Port: Try switching the FortiGuard communication port between 53, 443, or 8888.

Disable Anycast: Some users find success by switching from Anycast to Unicast.

    config system fortiguard
        set fortiguard-anycast disable
        set protocol udp
        set port 8888
    end

4. Enable Cloud Communication

If you recently upgraded firmware, certain cloud communication settings might have been disabled by default.

Enable Settings:

    config system global
        set cloud-communication enable
    end

5. Restart the DDNS Client

If the configuration looks correct but the list still won't load, the internal DDNS daemon (ddnscd) might be stuck.

Restart Daemon:

    fnsysctl killall ddnscd

The system will automatically restart the process, forcing a fresh attempt to fetch the server list.

Summary Checklist


If your FortiGate GUI displays "Unable to load FortiGuard DDNS server list," it typically indicates the firewall cannot reach or resolve FortiGuard's registration servers. This guide covers the common fixes, ranging from DNS configuration to CLI workarounds. 1. Disable "Override Internal DNS"

If your WAN interface receives its IP via DHCP or PPPoE, the ISP may be pushing DNS servers that cannot resolve Fortinet's internal DDNS domains.

GUI: Go to Network > Interfaces, edit your WAN interface, and uncheck Override internal DNS. CLI:

config system interface edit "wan1" # Replace with your actual WAN interface set dns-server-override disable end Use code with caution. Copied to clipboard 2. Adjust FortiGuard Anycast Settings (Recommended)

Modern FortiOS versions (6.4.2+) use Anycast for FortiGuard communication. Handshake failures or routing issues often block these connections. Disabling anycast and switching to UDP is a common fix. CLI Fix:

config system fortiguard set fortiguard-anycast disable set protocol udp set ddns-server-ip 173.243.138.225 # Force a specific DDNS server end Use code with caution. Copied to clipboard

Note: If you disable anycast, use IP 173.243.138.226 for the server list to work in some environments. 3. Verify DNS and Connectivity

The FortiGate must be able to resolve and reach globalddns.fortinet.net.

Test Resolution: Run execute ping service.fortiguard.net or execute ping www.fortinet.com from the CLI.

Check DNS Settings: Ensure you are using FortiGuard DNS servers or reliable public ones (e.g., 8.8.8.8).

4. Restart the DDNS Process

If the list still won't load, the internal DDNS daemon (ddnscd) may be stuck.

CLI:

fnsysctl killall ddnscd

The system will automatically restart the process, forcing a fresh connection attempt.

5. Advanced Troubleshooting Commands

If the issue persists, use these debug commands to see the exact point of failure:

Check Status:

diagnose test application ddnscd 3

Real-time Debug:

diagnose debug application ddnscd -1
diagnose debug enable

Wait 5-10 minutes to see output.

Unable to load FortiGuard DDNS server list

The error message "Unable to load FortiGuard DDNS server list" on a FortiGate firewall typically indicates a connectivity or configuration issue between the device and Fortinet's FortiGuard services. This prevents the dropdown menu in the GUI from displaying available server locations for Dynamic DNS registration.

Primary Causes and Solutions

DNS Settings Overwritten by ISP: If your WAN interface uses DHCP or PPPoE, it may automatically adopt the ISP's DNS servers, which might not resolve FortiGuard internal domains properly.

Fix: Go to Network > Interfaces, edit the WAN interface, and ensure Override internal DNS is disabled.

FortiGuard Anycast Issues: Modern FortiOS versions use "Anycast" by default. Network environments or ISPs sometimes block this traffic or experience SSL handshake failures with the Anycast IP addresses.

Fix: Disable Anycast and manually specify a DDNS server IP via the CLI:

config system fortiguard
    set fortiguard-anycast disable
    set ddns-server-ip 173.243.138.226
    set protocol udp
end

Note: If Anycast is disabled, you must use IP 173.243.138.226. If Anycast is enabled, the IP is typically 173.243.138.225.

Contract or License Status: The DDNS feature requires a valid FortiCare support contract. If the license is expired or not yet synchronized, the server list will not load.

Fix: Verify your license status in the Dashboard > Status widget.

SSL/TLS Handshake Failures: In some versions (e.g., FortiOS 7.0), a handshake failure for TLS v1.3 can prevent the server list from loading. Disabling Anycast as shown above often resolves this.

Step-by-Step Troubleshooting Checklist

Verify General DNS Resolution: Ensure the FortiGate itself can resolve external domains.

execute ping www.fortinet.com

Verify FortiGuard Reachability: Test connectivity to specific FortiGuard service domains.

execute ping service.fortiguard.net
execute ping update.fortiguard.net

Check Management VDOM: If VDOMs are enabled, ensure the management VDOM (usually 'root') has a valid route to the internet, as FortiGuard communication typically originates from there.

Restart the Update Daemon: If settings are correct but the list remains empty, force a restart of the update process.

fnsysctl killall updated

Restart the DDNS Client (ddnscd): If the server list loads but updates fail, restart the DDNS-specific daemon.

fnsysctl killall ddnscd

Manual CLI Configuration (Workaround)

If the GUI list still fails to load, you can often bypass the requirement by configuring DDNS directly through the CLI:

config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain yourname.fortiddns.com
        set monitor-interface wan1
    next
end
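The interface and FortiGuard settings discussed above can also be checked offline against a configuration backup. The following Python script is an added example, not Fortinet tooling or code from the original page; the function names and the sample configuration are constructed, and it assumes that a key missing from the backup is at its default value (enable).

```python
# Constructed sample of a FortiOS configuration backup (not from a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set mode dhcp
        set dns-server-override enable
    next
end
config system fortiguard
    set fortiguard-anycast disable
end
"""

def parse_config(text):
    """Parse config/edit/set lines into {section: {entry: {key: value}}}."""
    tree, section, entry, depth = {}, "", "", 0
    for raw in text.splitlines():
        tokens = raw.split() or [""]
        if tokens[0] == "config":
            depth += 1
            if depth == 1:                  # top-level section; deeper ones are skipped
                section, entry = " ".join(tokens[1:]), ""
                tree.setdefault(section, {"": {}})
        elif tokens[0] == "end":
            depth = max(depth - 1, 0)
        elif depth != 1:
            continue                        # outside any section or inside a nested one
        elif tokens[0] == "edit" and len(tokens) > 1:
            entry = " ".join(tokens[1:]).strip('"')
            tree[section].setdefault(entry, {})
        elif tokens[0] == "next":
            entry = ""
        elif tokens[0] == "set" and len(tokens) > 2:
            tree[section][entry][tokens[1]] = " ".join(tokens[2:]).strip('"')
    return tree

def audit(tree):
    """List the settings this page ties to the 'Unable to load' error."""
    notes = []
    for name, opt in tree.get("system interface", {}).items():
        # Assumption: a key absent from the backup is at its default (enable).
        override = opt.get("dns-server-override", "enable")
        if opt.get("mode") in ("dhcp", "pppoe") and override == "enable":
            notes.append(f"{name}: dns-server-override is enabled")
    fg = tree.get("system fortiguard", {}).get("", {})
    if fg.get("fortiguard-anycast", "enable") == "enable":
        notes.append("fortiguard: anycast is enabled")
    elif "ddns-server-ip" not in fg:
        notes.append("fortiguard: anycast disabled, no ddns-server-ip set")
    return notes
```

Running `audit(parse_config(open("backup.conf").read()))` on a saved backup returns an empty list when the WAN override is disabled and a DDNS server IP is set alongside the disabled anycast; `backup.conf` is a placeholder file name.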

5. Refresh DDNS Server List Manually (CLI)

config system ddns
    edit 1
        set ddns-server fortiguard.com
    next
end

If fortiguard.com isn’t recognized, use the IP-based workaround (temporary):

set ddns-server update.fortiddns.com
set ddns-domain <yourdomain>.fortiddns.com

3. Inspect Firewall Policies

Ensure an outbound policy allows HTTPS (TCP 443) and DNS (UDP 53) from the FortiGate’s management IP to any destination (or specific FortiGuard subnets). Example policy:

  • Source Interface: management (or the interface with default route)
  • Source Address: FortiGate’s management IP
  • Destination: all
  • Service: DNS, HTTPS
  • Action: ACCEPT

Step 6: Check for Proxy or Explicit Web Proxy Configuration

If your FortiGate connects to the internet via an upstream proxy:

  1. Go to System > Network > Explicit Proxy.
  2. Enable "Use explicit proxy for FortiGuard services" under FortiGuard settings.
  3. Configure the proxy IP, port, and authentication if required.

Alternatively, test bypassing the proxy by temporarily connecting the FortiGate directly to a clean internet link.

Test Specific DDNS Endpoint

execute curl -k "https://service.fortinet.com/api/v1/ddns/servers"

A valid response returns a JSON array of providers. An error here indicates API-level blocking.

