Unable to load FortiGuard DDNS servers list on FortiGate firewalls

The error "Unable to load FortiGuard DDNS server list" typically occurs when the FortiGate firewall cannot reach FortiGuard services to retrieve the list of available Dynamic DNS servers.

Common Fixes

Disable DNS Overrides on WAN

If your WAN interface uses DHCP or PPPoE, it may be receiving ISP-provided DNS servers that cannot resolve FortiGuard domains such as globalddns.fortinet.net. Go to Network > Interfaces, edit your WAN interface, and unselect Override internal DNS, or do the same from the CLI:

config system interface
    edit "wan1"
        set dns-server-override disable
    next
end

Switch to Unicast & UDP

FortiGuard services sometimes fail when using the default Anycast protocol; forcing UDP can bypass handshake issues.

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
end

Optionally, set port 53 in the same block if port 8888 is blocked.

Restart the DDNS Daemon

If the service is stuck, killing the process will force a refresh.

fnsysctl killall ddnscd

Verification Steps

Check License Status: Ensure your FortiCare contract is active under Dashboard > Status.

Test Connectivity

Confirm the firewall can resolve and ping Fortinet servers via the CLI:

exec ping update.fortiguard.net

Validate System Time

Incorrect time/date can cause SSL certificate errors that block communication. Sync with an NTP server if needed.

The issue "Unable to load FortiGuard DDNS server list" on FortiGate firewalls typically prevents you from selecting a DDNS server in the GUI, often occurring after firmware upgrades or due to DNS/network configuration conflicts.

Common Root Causes

DNS Server Overrides: If your WAN interface uses DHCP or PPPoE, it may be overriding your internal DNS settings with ISP-provided servers that cannot resolve globalddns.fortinet.net.

FortiGuard Port Blocking: ISPs or upstream firewalls may block traffic on Port 53 (proprietary UDP) or Port 8888, which FortiGuard uses for communication.

Expired Licenses: A valid FortiCare contract is often required to communicate with FortiGuard servers for DDNS services.

Service Daemon Glitches: The internal DDNS client daemon (ddnscd) may become unresponsive.

Troubleshooting Steps

Disable DNS Overrides:

GUI: Go to Network > Interfaces, edit your WAN interface, and ensure Override internal DNS is disabled. CLI:

config system interface
    edit "wan1"
        set dns-server-override disable
    next
end

Verify Connectivity & DNS:

Test if the firewall can reach the internet: exec ping www.fortinet.com.

Confirm the DDNS domain resolves: exec traceroute globalddns.fortinet.net.

Adjust FortiGuard Communication Port: If Port 53 is blocked, switch to 8888 or 443:

config system fortiguard
    set port 8888
end

Restart the DDNS Process: Kill and restart the daemon to force a fresh update:

fnsysctl killall ddnscd

Configure via CLI (Workaround):

If the GUI list remains empty, you can manually set the server in the CLI:

config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "yourname.fortiddns.com"
        set monitor-interface "wan1"
    next
end

Verification

Check the status of your DDNS configuration and the server IP resolved by the FortiGate using the Fortinet Community Guide for detailed command outputs.
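The interface and FortiGuard settings discussed above (ISP DNS override on a DHCP/PPPoE WAN, Anycast, and the FortiGuard port) can be audited from a saved configuration instead of clicking through the GUI. The following Python script is an added example, not Fortinet's code or part of the original page: it parses a constructed FortiOS-style config excerpt (the kind of text `show system interface` and `show system fortiguard` print) and flags the three settings this page identifies as causes; the defaults it assumes for keys that are not set are stated in the code.

```python
# Added example (not Fortinet's code): audit a FortiOS config excerpt for the settings this page
# ties to the DDNS list error. Constructed sample: DHCP WAN letting the ISP override DNS, anycast on port 53.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set mode dhcp
        set dns-server-override enable
    next
end
config system fortiguard
    set fortiguard-anycast enable
    set port 53
end
"""

def parse_fortios(text):
    """Return {section: {entry or "": {key: value}}}; nested sub-blocks (e.g. config ipv6) are skipped."""
    result, section, entry, depth = {}, None, "", 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:                      # only top-level blocks are recorded
                section, entry = line[7:], ""
                result.setdefault(section, {})
        elif line == "end":
            depth -= 1
        elif depth != 1:
            continue                            # inside a nested block: ignore
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            result[section].setdefault(entry, {})[key] = value.strip('"')
        elif line == "next":
            entry = ""
    return result

def audit(config):
    """Findings for the page's weak settings; unset keys use assumed FortiOS defaults (enable, enable, 443)."""
    findings = []
    for name, opts in config.get("system interface", {}).items():
        if opts.get("mode") in ("dhcp", "pppoe") and opts.get("dns-server-override", "enable") == "enable":
            findings.append(f"{name}: {opts['mode']} WAN inherits ISP DNS; set dns-server-override disable")
    fg = config.get("system fortiguard", {}).get("", {})
    if fg.get("fortiguard-anycast", "enable") == "enable":
        findings.append("fortiguard: anycast enabled; try fortiguard-anycast disable with protocol udp")
    if fg.get("port", "443") == "53":
        findings.append("fortiguard: port 53 in use; switch to 8888 or 443 if the ISP filters it")
    return findings
```

Call audit(parse_fortios(SAMPLE_CONFIG)), or pass in your own `show` output, to get the list of findings; an empty list means none of the three settings is in the state this page flags.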

The error message "Unable to load FortiGuard DDNS server list" on a FortiGate firewall typically indicates a connectivity or configuration issue between the device and Fortinet's FortiGuard services. This prevents the dropdown menu in the GUI from displaying available server locations for Dynamic DNS registration.

Primary Causes and Solutions

DNS Settings Overwritten by ISP: If your WAN interface uses DHCP or PPPoE, it may automatically adopt the ISP's DNS servers, which might not resolve FortiGuard internal domains properly.

Fix: Go to Network > Interfaces, edit the WAN interface, and ensure Override internal DNS is disabled.

FortiGuard Anycast Issues: Modern FortiOS versions use "Anycast" by default. Network environments or ISPs sometimes block this traffic or experience SSL handshake failures with the Anycast IP addresses.

Fix: Disable Anycast and manually specify a DDNS server IP via the CLI:

config system fortiguard
    set fortiguard-anycast disable
    set ddns-server-ip 173.243.138.226
    set protocol udp
end

Note: If Anycast is disabled, you must use IP 173.243.138.226. If Anycast is enabled, the IP is typically 173.243.138.225.

Contract or License Status: The DDNS feature requires a valid FortiCare support contract. If the license is expired or not yet synchronized, the server list will not load.

Fix: Verify your license status in the Dashboard > Status widget.

SSL/TLS Handshake Failures: In some versions (e.g., FortiOS 7.0), a handshake failure for TLS v1.3 can prevent the server list from loading. Disabling Anycast as shown above often resolves this.

Step-by-Step Troubleshooting Checklist

Verify General DNS Resolution: Ensure the FortiGate itself can resolve external domains.

execute ping www.fortinet.com

Verify FortiGuard Reachability: Test connectivity to specific FortiGuard service domains.

execute ping service.fortiguard.net
execute ping update.fortiguard.net

Check Management VDOM: If VDOMs are enabled, ensure the management VDOM (usually 'root') has a valid route to the internet, as FortiGuard communication typically originates from there.

Restart the Update Daemon: If settings are correct but the list remains empty, force a restart of the update process.

fnsysctl killall updated

Restart the DDNS Client (ddnscd): If the server list loads but updates fail, restart the DDNS-specific daemon.

fnsysctl killall ddnscd

Manual CLI Configuration (Workaround)

If the GUI list still fails to load, you can often bypass the requirement by configuring DDNS directly through the CLI:

config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain yourname.fortiddns.com
        set monitor-interface wan1
    next
end

Unable to load FortiGuard DDNS server list

When a FortiGate firewall reports "Unable to load FortiGuard DDNS servers list," it typically indicates a communication failure between the device and FortiGuard services. This prevents the GUI from populating the drop-down menu with available DDNS domains.

Primary Causes and Solutions

DNS Override Issues

If the WAN interface uses DHCP or PPPoE, it may be inheriting ISP DNS servers that cannot resolve FortiGuard domains. Fix: Go to Network > Interfaces, edit the WAN interface, and disable Override internal DNS.

Anycast Incompatibility

Newer FortiOS versions use Anycast by default, which can sometimes fail due to ISP filtering or TLS handshake issues (e.g., TLSv1.3 failures). Fix: Disable Anycast and switch to a dedicated IP via the CLI:

config system fortiguard
    set fortiguard-anycast disable
    set ddns-server-ip <dedicated-server-ip>
    set protocol udp
end

FortiGuard Subscription Status

An expired FortiCare contract can block access to these service lists. Verify your license status in the Dashboard > Status widget.

Upstream Filtering

Firewalls or ISPs may block ports 53 (UDP), 443 (HTTPS), or 8888 (UDP) used for FortiGuard communication. Try switching the FortiGuard port to 8888 in the CLI if 53 is blocked.

Troubleshooting Steps

Verify Connectivity

Ensure the FortiGate can resolve and reach Fortinet domains.

execute ping service.fortiguard.net
execute ping update.fortiguard.net

Check DDNS Daemon

Use the CLI to check the actual status returned by the DDNS client (shows the server IP and domain counts):

diagnose test application ddnscd 3

Restart Services

If the GUI remains stuck, force a restart of the update and DDNS daemons.

fnsysctl killall updated
fnsysctl killall ddnscd

System Time

Ensure the system time and date are correct, as large discrepancies can cause SSL/TLS handshake failures with FortiGuard.


Example of a generic (non-FortiGuard) DDNS provider configured via the CLI, here using a DuckDNS domain and API token:

config system ddns
    edit 1
        set ddns-server genericDDNS
        set ddns-domain "yourdomain.duckdns.org"
        set ddns-username "token"
        set ddns-password "your-api-token"
        set interface "wan1"
        set use-public-ip enable
    next
end

Before calling Fortinet TAC, run this final checklist and have the outputs ready:

Dynamic DNS (DDNS) is a critical service for organizations operating without static public IP addresses. It allows remote users, site-to-site VPNs, and external services to connect to a FortiGate firewall using a fully qualified domain name (FQDN) that automatically updates whenever the ISP changes the public IP.

However, a notoriously frustrating error message often appears when administrators attempt to configure or refresh the DDNS provider list on a FortiGate appliance:

"Unable to load FortiGuard DDNS servers list. Please check your internet connection and FortiGuard settings."

This error can halt deployment, break existing DDNS configurations, and lead to significant downtime if not resolved quickly. This article provides a deep-dive diagnosis, root cause analysis, and step-by-step remediation for this exact issue.


Report Date: October 26, 2023
Subject: Troubleshooting "Unable to Load DDNS Servers" Error
Device Affected: FortiGate Firewalls (FortiOS)


diagnose test application ddns 1
execute ddns list