Third-party certificate verification and an OCSP stapling check are implemented for all FortiGuard servers connected to FortiOS. The default FortiGuard access mode is anycast.
FortiGuard represents all cloud-based servers; see Anycast and unicast services for details.
The anycast server has one IP address to match its domain name. The FortiGate connects with a single server address, regardless of where the FortiGate is located.
The following process is used to connect to an anycast server:
Abort conditions include:
- The CN in the server's certificate does not match the domain name resolved from the DNS.
- The OCSP status is not good.
- The issuer-CA is revoked by the root-CA.
Once the SSL handshake is established, the FortiGate can engage the server.
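The three abort conditions above, written out as a small stand-alone checker (added example, not Fortinet's code). It decodes the leaf certificate in the layout Python's ssl.getpeercert() returns, also accepts DNS SANs and a leftmost-label wildcard (a small generalization of the CN rule in the text), and takes the stapled OCSP status and the issuer-revocation result as inputs, since the Python ssl module does not expose the stapled response; the sample certificate and its domain are constructed placeholders.

```python
import socket
import ssl

def names_from_cert(cert):
    """Collect the CN and DNS SANs from an ssl.getpeercert() dictionary."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names

def name_matches(pattern, hostname):
    """Exact match, or a single-label wildcard in the leftmost label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return False

def check_server(cert, resolved_name, ocsp_status, issuer_revoked):
    """Return None if the session may proceed, otherwise the abort reason.
    ocsp_status: stapled OCSP status ("good"/"revoked"/"unknown") or None if
    none was stapled; issuer_revoked: intermediate CA revoked by the root CA."""
    if not any(name_matches(n, resolved_name) for n in names_from_cert(cert)):
        return "certificate name does not match resolved domain name"
    if ocsp_status != "good":
        return "OCSP status is not good"
    if issuer_revoked:
        return "issuer CA revoked by root CA"
    return None

def fetch_peer_cert(hostname, port=443, timeout=5):
    """Live helper: TLS handshake with chain validation, returning the leaf
    certificate in the layout check_server() expects."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() layout; the domain is a placeholder.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.fortiguard.example"),),),
    "subjectAltName": (("DNS", "*.fortiguard.example"),),
}
```

A missing stapled response is treated the same as a non-good status, which is the conservative reading of the second abort condition.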
config system fortiguard
    set fortiguard-anycast enable
    set fortiguard-anycast-source fortinet
end