Unable To Load Fortiguard Ddns Servers List On Fortigate Firewalls -
Your Personal Dictionary, Flashcard Maker, and Word Coach — All in One!
How to Learn New Words 3× Faster
Learn Your Own Words. Memorize What Matters.
Effective Vocabulary Learning
Flashcards – Online And Offline
Listen and Learn Vocabulary on the Go — Even While Driving
Smart Tests with Spaced Repetition
Topic-Based Vocabulary Sets
Vocabulary for Exams and Test Prep
English Vocabulary for IELTS, TOEFL, and TOEIC
Spanish Vocabulary for DELE
Korean Vocabulary for TOPIK
French Vocabulary for DELF
Travel Vocabulary Sets
English Word Lists by Topic
Irregular Verbs with All Forms
Phrasal Verbs and Verb Prepositions
English for IT
Business and Professional Vocabulary
Supported Languages for Learning
With Listening and Pronunciation Modes
With Flashcards and Quiz Modes
App Tutorial
Like Anki — only easier. Like Quizlet — just smarter.
Make Your Own Flashcards, Import from Excel
Create Custom Lists, Import from Excel
Customize Pronunciation Settings
“Learned” and “Difficult” Word Statuses
Share Your Flashcard Sets with Friends
Built-in AI-Powered Translation
Flexible Learning and Test Modes
Listen While Moving with Repetition
Learn Words While Driving
Spelling and Writing Test Support
Blog
Vocabulary Memorization Tips
How to Learn Words Faster – Real Hacks
Top 10 Apps for Vocabulary Learning
English, Spanish, French, Italian, German, Czech, Turkish, Portuguese,
Chinese (traditional), Chinese (simplified), Polish, Irish, Hebrew, Greek,
Korean, Danish, Icelandic, Dutch, Norwegian, Finnish, Croatian, Swedish,
Scottish (Gaelic), Slovenian, Slovak, Persian, Arab, Albanian, Bosnian, Catalan,
Latin, Bulgarian, Hungarian, Luxembourgish, Romanian, Serbian, Azerbaijani,
Georgian, Latvian, Lithuanian, Estonian, Armenian, Kazakh, Ukrainian, Uzbek,
Tajik, Macedonian, Kyrgyz, Belarusian, Malayan, Filipino, Indonesian,
Vietnamese, Hindi, Burmese, Japanese, Thai, Mongolian, Corsican, Khmer,
Creole (Haiti), Xhosa, Laotian, Kurmanji, Kannada, Yoruba, Igbo, Maori, Zulu,
Gujarati, Galician, Hawaiian, Welsh, Bengalese, Basque, Afrikaans, Yiddish,
Somali, Javanese, Esperanto, Shona, Chicheŵa, Hmong, Hausa, Frisian, Urdu,
Telugu, Tamil, Malayalam, Swahili, Malagasy, Sindhi, Sinhalese, Sotho,
Cebuano, Samoan, Pashto, Punjabi, Nepalese, Marathi, Maltese,
Amharic, Sudanese.
Unable To Load Fortiguard Ddns Servers List On Fortigate Firewalls -
"Unable to load FortiGuard DDNS server list" on a FortiGate firewall typically occurs due to a communication failure between the device and the FortiGuard network, often caused by DNS overrides, protocol mismatches, or Anycast issues. Immediate Fixes Disable DNS Server Override
: If your WAN interface uses DHCP or PPPoE, the ISP's DNS might be overriding FortiGuard's internal DNS, preventing proper resolution. Interfaces , edit your WAN interface, and uncheck Override internal DNS config system interface
edit dns-server-override disable
end Use code with caution. Copied to clipboard Disable Anycast & Use UDP
: Anycast can sometimes fail to find a valid server path. Disabling it and switching to standard UDP often restores the list. config system fortiguard fortiguard-anycast disable protocol udp
end Use code with caution. Copied to clipboard Manually Set DDNS Server IP
: If the list still won't load, manually specifying a known FortiGuard DDNS server IP can bypass the discovery process. Common IPs 173.243.138.225 173.243.138.226 config system fortiguard ddns-server-ip Use code with caution. Copied to clipboard Advanced Troubleshooting Verify Connectivity
: Ensure the firewall can reach the FortiGuard domains. From the CLI, try to ping update.fortiguard.net service.fortiguard.net Restart the DDNS Daemon
: If the service is stuck, killing the process will force a restart and a fresh attempt to fetch the list. fnsysctl killall ddnscd Check SSL Versions
: A handshake failure (common in older versions like v7.0) may require you to lower the minimum SSL version if there is a protocol mismatch. config system global ssl-min-proto-version TLS1.0
end Use code with caution. Copied to clipboard Hardware/Firmware Limitations
: Note that the DDNS menu is automatically hidden in the GUI if you are using custom DNS servers instead of FortiGuard Servers
. It is also unavailable on high-end appliances, FortiGate-VMs, or when in transparent mode. For persistent issues, you can review detailed logs using diagnose debug application ddnscd -1 diagnose debug enable for your particular FortiOS version to ensure the syntax matches? Unable to load FortiGuard DDNS server list
Troubleshooting "Unable to Load FortiGuard DDNS Server List" on FortiGate
Encountering the error "Unable to load FortiGuard DDNS server list" is a common hurdle when setting up dynamic DNS on a FortiGate firewall. This issue prevents the server drop-down menu from appearing in the GUI, effectively blocking you from completing your DDNS configuration. BOLL Engineering AG Here is a breakdown of why this happens and how to fix it. 1. The Most Common Fix: Disable DNS Server Override If your WAN interface is configured via
, it often receives DNS settings from your ISP. If the "Override internal DNS" option is enabled, these ISP-provided servers might fail to resolve FortiGuard’s specific DDNS domains. Navigate to Network > Interfaces , edit your WAN interface, and uncheck Override internal DNS config system interface
edit dns-server-override disable
end Use code with caution. Copied to clipboard 2. Solve Anycast Connectivity Issues "Unable to load FortiGuard DDNS server list" on
Recent FortiOS versions use Anycast to connect to FortiGuard services. If your network or ISP has trouble with Anycast or the required TLS handshake, the server list won't load. Switching to the legacy UDP protocol often resolves this. CLI Command: config system fortiguard fortiguard-anycast disable protocol udp # Optional: switch from port 53 to 8888 if blocked by ISP Use code with caution. Copied to clipboard 3. Manually Set the DDNS Server IP
If the automatic discovery fails, you can force the FortiGate to talk to a specific FortiGuard DDNS server. BOLL Engineering AG CLI Command: config system fortiguard ddns-server-ip Use code with caution. Copied to clipboard Note: If Anycast is disabled, use 173.243.138.226 4. Basic Connectivity & License Checks
Before diving deeper, verify these fundamental requirements: Valid License:
Ensure your FortiCare contract is active. Without it, FortiGuard services like DDNS are often restricted. BOLL Engineering AG DNS Resolution: Can the firewall resolve external domains? Test with execute ping www.google.com from the CLI. BOLL Engineering AG System Time:
If your firewall's date and time are incorrect, SSL handshakes with FortiGuard will fail. Ensure NTP is syncing correctly. 5. Advanced: Management Settings & Interface Selection
In complex setups (like those using SD-WAN or VDOMs), the FortiGate might be trying to send FortiGuard traffic out the wrong interface.
Error message: “Unable to load FortiGuard DDNS server list” 22 Sept 2021 —
The issue "Unable to load FortiGuard DDNS server list" on FortiGate firewalls typically prevents you from selecting a DDNS server in the GUI, often occurring after firmware upgrades or due to DNS/network configuration conflicts. Common Root Causes
DNS Server Overrides: If your WAN interface uses DHCP or PPPoE, it may be overriding your internal DNS settings with ISP-provided servers that cannot resolve globalddns.fortinet.net.
FortiGuard Port Blocking: ISPs or upstream firewalls may block traffic on Port 53 (proprietary UDP) or Port 8888, which FortiGuard uses for communication.
Expired Licenses: A valid FortiCare contract is often required to communicate with FortiGuard servers for DDNS services. The DDNS server dropdown in the GUI remains
Service Daemon Glitches: The internal DDNS client daemon (ddnscd) may become unresponsive. Troubleshooting Steps Disable DNS Overrides:
GUI: Go to Network -> Interfaces, edit your WAN interface, and ensure Override internal DNS is disabled. CLI:
config system interface edit "wan1" set dns-server-override disable next end Use code with caution. Copied to clipboard Verify Connectivity & DNS:
Test if the firewall can reach the internet: exec ping www.fortinet.com.
Confirm the DDNS domain resolves: exec traceroute globalddns.fortinet.net. Adjust FortiGuard Communication Port: If Port 53 is blocked, switch to 8888 or 443: config system fortiguard set port 8888 end Use code with caution. Copied to clipboard Restart the DDNS Process: Kill and restart the daemon to force a fresh update: fnsysctl killall ddnscd Use code with caution. Copied to clipboard Configure via CLI (Workaround):
If the GUI list remains empty, you can manually set the server in the CLI:
config system ddns edit 1 set ddns-server FortiGuardDDNS set ddns-domain "yourname.fortiddns.com" set monitor-interface "wan1" next end Use code with caution. Copied to clipboard Verification
Check the status of your DDNS configuration and the server IP resolved by the FortiGate using the Fortinet Community Guide for detailed command outputs.
Here’s a complete, detailed article on the topic:
Title: Troubleshooting "Unable to Load FortiGuard DDNS Servers List" on FortiGate Firewalls
Introduction
FortiGate firewalls offer built-in Dynamic DNS (DDNS) support through FortiGuard’s DDNS service. Administrators sometimes encounter the error message: "Unable to load FortiGuard DDNS servers list" when trying to configure or update DDNS settings. This article explains the root causes and provides step-by-step solutions.
Common Symptoms
- The DDNS server dropdown in the GUI remains empty or shows an error.
- CLI commands related to
config system ddns return errors when fetching server lists.
- Debug logs show failed HTTP/HTTPS connections to FortiGuard servers.
Primary Causes
- DNS Resolution Failure – The FortiGate cannot resolve
fortiguard.com or related DDNS service domains.
- Connectivity Issues – Firewall policies or routing block outbound access to FortiGuard servers.
- FortiGuard License Expiry – An expired or invalid FortiGuard contract may restrict DDNS services.
- Firmware Bug – Specific FortiOS versions have known issues with the DDNS server list retrieval.
- Custom DNS Settings – Using non-default DNS servers that fail to resolve FortiGuard domains.
Step-by-Step Troubleshooting
Summary of probable causes
- Outbound connectivity to FortiGuard service endpoints is blocked (firewall rules, proxy, NAT).
- DNS resolution failures on the FortiGate (misconfigured DNS servers, DNS blocking).
- TLS/SSL interception or proxy altering HTTPS traffic to FortiGuard.
- System time or date skew causing certificate validation failures.
- Firmware bugs or mismatched firmware + FortiGuard protocol compatibility.
- Expired/invalid local certificates or local CA trust issues.
- FortiGuard service outage (rare) or regional routing problems.
- Misconfigured explicit web-proxy settings on the FortiGate.
Solution B: Opening Required Ports
If Step 4.3 failed, ensure the following traffic is permitted outbound from the FortiGate's WAN IP:
- Protocol: UDP/TCP
- Port: 443 (HTTPS) and 53 (DNS).
- Destination:
guard.fortinet.net, update.fortinet.net, service.fortiguard.net.
Note: If the firewall is behind a proxy, you must configure the FortiGate to use the proxy via CLI:
config system fortiguard
set protocol https
set port 443
# If proxy is required:
set source-ip <interface_ip>
end
Solution C: Updating FortiGuard Firmware/Cache
Occasionally, the local cache of the FortiGuard data is corrupted. Force an update:
- GUI: Navigate to Security Fabric > External Connectors > FortiGuard. Click Update Now.
- CLI:
execute update-bridge-fortiguard now
Example checklist to perform (ordered)
- Check system date/time and NTP — fix if wrong.
- Test DNS resolution for services.fortiguard.net — change DNS if failing.
- Ping/traceroute FortiGuard hosts — verify routing.
- Verify outbound policies allow TCP/443 and UDP/TCP/53.
- Check for SSL inspection or intercepting proxy — bypass for FortiGuard or import proxy CA.
- Temporarily point FortiGate's DNS to a public resolver and retest DDNS load.
- Upgrade FortiOS if device is on a release with known issues.
- If unresolved, capture debug logs and open a Fortinet support case including logs and steps performed.
5. Resolution Procedures
Based on the troubleshooting findings, apply one of the following solutions.
3. Inspect Firewall Policies
Ensure an outbound policy allows HTTPS (TCP 443) and DNS (UDP 53) from the FortiGate’s management IP to any destination (or specific FortiGuard subnets). Example policy:
- Source Interface: management (or the interface with default route)
- Source Address: FortiGate’s management IP
- Destination: all
- Service: DNS, HTTPS
- Action: ACCEPT
5.3 Verify license & FortiGuard status
get system status | grep License
diagnose autoupdate versions
diagnose test application update 1
3. Root Cause Analysis
The inability to load the list is almost exclusively caused by connectivity issues between the FortiGate and Fortinet’s backend infrastructure (FortiGuard servers). The firewall requires a valid FortiGuard license and specific outbound network access to fetch this dynamic list.
Common root causes include:
- Expired or Invalid FortiGuard License: The entitlement for FortiGuard services has expired or is not synchronized.
- DNS Resolution Failure: The FortiGate cannot resolve the hostnames of the FortiGuard servers.
- Firewall/ISP Blocking: Outbound traffic on required ports is blocked by an upstream device or the ISP.
- Management Interface Routing: The interface designated for management traffic lacks internet access.
