Fortinet Document Library

New Features

6.4.0

Use anycast to communicate with FortiGuard servers

Third-party certificate verification and OCSP stapling checks are implemented for all FortiGuard servers that FortiOS connects to. The default FortiGuard access mode is anycast.

FortiGuard represents all cloud-based servers; see Anycast and unicast services for details.

The anycast server has one IP address to match its domain name. The FortiGate connects with a single server address, regardless of where the FortiGate is located.

The following process is used to connect to an anycast server:

Abort conditions include:

  • The CN in the server's certificate does not match the domain name resolved from the DNS.
  • The OCSP status is not good.
  • The issuer-CA is revoked by the root-CA.

Once the SSL handshake is established, the FortiGate can engage the server.
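
The first two abort conditions can be checked from a management host by parsing the text that `openssl s_client -status` prints for a TLS endpoint. The following is an added example, not Fortinet code: the sample output is constructed, `fortiguard.example` is a placeholder host name, and treating a missing staple as "not good" is an assumption of the example. The issuer-CA revocation condition is not covered.

```python
import re

# Constructed samples imitating `openssl s_client -status` output; the host
# name fortiguard.example is a placeholder, not a real FortiGuard server.
GOOD = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
======================================
subject=CN = fortiguard.example
issuer=C = US, O = Example CA, CN = Example Issuing CA
"""
REVOKED = GOOD.replace("Cert Status: good", "Cert Status: revoked")
NO_STAPLE = "OCSP response: no response sent\nsubject=CN = fortiguard.example\n"


def abort_reasons(s_client_output, expected_host):
    """Return the abort conditions met by one handshake (empty list = proceed)."""
    reasons = []
    # Condition 1: the certificate CN must equal the name that was resolved.
    subject = re.search(r"^subject=(.*)$", s_client_output, re.M)
    cn = re.search(r"CN\s*=\s*([^,/\s]+)", subject.group(1)) if subject else None
    if cn is None or cn.group(1).lower() != expected_host.lower():
        reasons.append("CN mismatch")
    # Condition 2: the stapled OCSP status must be "good". A missing staple is
    # treated as not good here (assumption of this example).
    status = re.search(r"Cert Status:\s*(\w+)", s_client_output)
    if status is None:
        reasons.append("no stapled OCSP response")
    elif status.group(1) != "good":
        reasons.append("OCSP status " + status.group(1))
    return reasons


if __name__ == "__main__":
    samples = (("good", GOOD), ("revoked", REVOKED), ("no staple", NO_STAPLE))
    for name, sample in samples:
        print(name, abort_reasons(sample, "fortiguard.example") or "proceed")
```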

Example Wireshark PCAP:

To enable anycast FortiGuard access mode:
config system fortiguard
    set fortiguard-anycast enable
    set fortiguard-anycast-source fortinet
end
