If Step 4.3 failed, ensure the following traffic is permitted outbound from the FortiGate's WAN IP:
Note: If the firewall is behind a proxy, you must configure the FortiGate to use the proxy via CLI:
config system fortiguard
set protocol https
set port 443
# If proxy is required:
set source-ip <interface_ip>
end
Create a dedicated SSL/SSH Inspection profile for management traffic that does not inspect Fortinet domains:
Alternatively, temporarily set the policy to No Inspection for testing.
Open a support ticket if:
config system ddns
edit 1
set ddns-server genericDDNS
set ddns-domain "yourdomain.duckdns.org"
set ddns-username "token"
set ddns-password "your-api-token"
set monitor-interface "wan1"
set use-public-ip enable
next
end
Ensure an outbound policy allows HTTPS (TCP 443) and DNS (UDP 53) from the FortiGate’s management IP to any destination (or specific FortiGuard subnets). Example policy:
Run from CLI:
execute ping fortiguard.com
execute ping update.fortiddns.com
If pings fail, check:
When attempting to configure a new Dynamic DNS entry, the FortiGate cannot retrieve the list of available DDNS service providers (e.g., FortiGuard DDNS, No-IP, DynDNS). This results in an inability to select a server type, blocking the configuration of DDNS services.
Troubleshooting: "Unable to Load FortiGuard DDNS Servers List" on FortiGate
If you’re trying to set up Dynamic DNS (DDNS) on your FortiGate and hitting the error "Unable to load FortiGuard DDNS server list," you aren’t alone. This common issue usually stems from a breakdown in communication between your firewall and FortiGuard services.
1. Disable "Override Internal DNS"
The most frequent cause is when your WAN interface (set to DHCP or PPPoE) is configured to use the ISP's DNS servers instead of FortiGuard's. If the ISP's DNS cannot resolve globalddns.fortinet.net, the server list will fail to load.
GUI Fix: Navigate to Network > Interfaces, edit your WAN interface, and uncheck Override internal DNS.
CLI Fix:
config system interface
edit "wan1"
set dns-server-override disable
end
2. Verify Basic Connectivity and DNS
If the firewall cannot reach the internet or resolve domains, it won't fetch the server list.
Test Resolution: Run execute ping www.fortinet.com from the CLI.
Check FortiGuard Connectivity: Go to System > FortiGuard and verify that your licenses are active and the FortiGate can reach FortiGuard servers.
3. Adjust Protocol and Ports
Sometimes, SSL negotiation fails or a specific port is blocked.
Change Communication Port: Try switching the FortiGuard communication port between 53, 443, or 8888.
Disable Anycast: Some users find success by switching from Anycast to Unicast.
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
end
4. Enable Cloud Communication
If you recently upgraded firmware, certain cloud communication settings might have been disabled by default.
Enable Settings:
config system global
set cloud-communication enable
end
5. Restart the DDNS Client
If the configuration looks correct but the list still won't load, the internal DDNS daemon (ddnscd) might be stuck.
Restart Daemon:
fnsysctl killall ddnscd
The system will automatically restart the process, forcing a fresh attempt to fetch the server list.
Summary Checklist
Technical Tip: How to check FortiGuard Server status on FortiGate
"Unable to load FortiGuard DDNS server list" on FortiGate firewalls typically indicates a breakdown in communication between the local device and Fortinet's FortiGuard Services. This issue prevents the firewall from retrieving the necessary dynamic DNS (DDNS) server metadata required to maintain reachable hostnames for dynamic public IP addresses.
Common Root Causes
DNS Resolution Failures: If the FortiGate cannot resolve globalddns.fortinet.net, it cannot reach the server list. This often occurs when WAN interfaces obtain DNS from an ISP via DHCP/PPPoE, which might overwrite internal FortiGuard-specific DNS settings.
Anycast & Protocol Conflicts: Modern FortiOS versions use Anycast (DNS over TLS) by default. Handshake failures or ISP blocking of port 8888 or 53 can prevent the server list from loading.
Contractual & System Status: An expired FortiCare contract will disable access to these cloud-based services.
Time Synchronization: If the system time is significantly off, SSL handshake failures will occur, blocking secure communication with FortiGuard.
Step-by-Step Troubleshooting and Resolution
1. Verify Basic Connectivity
Ensure the device can reach the internet and resolve Fortinet domains using the FortiGate CLI:
execute ping service.fortiguard.net
execute ping update.fortiguard.net
2. Fix DNS Overwrites
If using DHCP/PPPoE on your WAN, disable the setting that allows the ISP to override your DNS, as this often breaks FortiGuard resolution: Network > Interfaces > Edit WAN > Unselect Override internal DNS.
config system interface
edit "wan1" # Or your specific WAN interface
set dns-server-override disable
end
Many connectivity issues are resolved by disabling the Anycast protocol and switching to standard UDP communication:
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 53 # or 8888 if 53 is blocked by ISP
end
4. Manually Set the DDNS Server IP
If the list still won't load automatically, you can manually point the device to a known FortiGuard DDNS server IP:
For Anycast disabled: 173.243.138.226
Alternative: 173.243.138.225
config system fortiguard
set ddns-server-ip 173.243.138.226 # or the alternative address listed above
end
5. Restart the DDNS Daemon
If the configuration is correct but the GUI remains stuck, force a restart of the DDNS client process:
fnsysctl killall ddnscd
Advanced Debugging
If the error persists, technicians can use the Fortinet Community Support debug tools to see real-time errors:
diagnose debug application ddnscd -1
diagnose debug enable
Unable to load FortiGuard DDNS server list
The error "Unable to load FortiGuard DDNS server list" typically occurs when the FortiGate firewall cannot reach FortiGuard services to retrieve the list of available Dynamic DNS servers.
Common Fixes
Disable DNS Overrides on WAN: If your WAN interface uses DHCP or PPPoE, it may be receiving ISP-provided DNS servers that cannot resolve FortiGuard domains like globalddns.fortinet.net. Under Network > Interfaces, edit your WAN interface, and unselect Override internal DNS.
config system interface
edit "wan1" # Or your specific WAN interface
set dns-server-override disable
end
Switch to Unicast & UDP: FortiGuard services sometimes fail when using the default Anycast protocol. Forcing UDP can bypass handshake issues.
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888 # Optional: Try port 53 if 8888 is blocked
end
Restart the DDNS Daemon: If the service is stuck, killing the process will force a refresh.
fnsysctl killall ddnscd
Verification Steps
Check License Status: Ensure your FortiCare contract is active under System > FortiGuard.
Test Connectivity: Confirm the firewall can resolve and ping Fortinet servers via CLI:
exec ping update.fortiguard.net
Validate System Time: Incorrect time/date can cause SSL certificate errors that block communication. Sync with an NTP server if needed.
To fix the "Unable to load FortiGuard DDNS server list" error on a FortiGate firewall, you must ensure the device can properly resolve and reach Fortinet's global DDNS domain. This error usually stems from DNS resolution conflicts or blocked management traffic.
1. Disable DNS Server Overrides
If your WAN interface receives its IP via DHCP or PPPoE, it may be automatically using ISP-provided DNS servers that cannot resolve FortiGuard domains like globalddns.fortinet.net.
GUI Method: Navigate to Network > Interfaces, edit your WAN interface, and unselect Override internal DNS. CLI Method:
config system interface
edit "wan1" # Or your specific WAN interface
set dns-server-override disable
end
2. Verify System DNS Settings
Ensure your FortiGate is configured to use reliable DNS servers (like FortiGuard's own or public ones like Google 8.8.8.8) to fetch the server list.
Go to Network > DNS and confirm Use FortiGuard Servers is selected.
Test connectivity in the CLI: execute ping www.fortinet.com.
3. Restart the DDNS Daemon
If the configuration is correct but the list still won't populate, the internal DDNS client process (ddnscd) may be stuck.
Run the following CLI command to force a restart of the service:
fnsysctl killall ddnscd
The system will automatically restart this process immediately.
4. Adjust FortiGuard Connectivity
Network restrictions or ISP interference on standard ports (like 53 or 443) can prevent the server list from loading.
Disable Anycast: Sometimes Anycast routing causes connection failures. Try switching to a static communication port:
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888 # Or 53
end
5. Check Support Contract & Firmware
License: Verify your FortiCare contract is valid under System > FortiGuard; expired licenses can disable certain FortiGuard services.
Firmware: Buggy older versions of FortiOS sometimes fail to load these lists; ensure you are on a current, stable firmware release.
✅ Result
The FortiGuard DDNS server list should now populate in the dropdown menu under Network > DNS, allowing you to select a server and configure your hostname.