
Administration Guide

Anycast

FortiGuard servers use Anycast addresses to optimize and distribute traffic across many servers. Anycast is the default access mode for FortiGates connecting to FortiGuard; by default it uses HTTPS on port 443.

Each type of FortiGuard server and service has a FortiGuard domain name that resolves to a single Anycast IP address. Regardless of where the FortiGate is located, the name resolves to the same address. Fortinet maintains the network in the background to ensure that routes to the FortiGuard servers are optimized. In the diagram below, several servers share the same Anycast IP, but the FortiGate connects to the one with the fewest hops.

Connection and OCSP stapling

When the FortiGate connects to a FortiGuard server, it must validate that the server is indeed a genuine FortiGuard server. To support this, FortiGuard servers provide the following security measures:

  • The domain name of each FortiGuard service is the common name in that service's certificate, which is signed by a third-party intermediate CA.

  • The FortiGuard server also uses Online Certificate Status Protocol (OCSP) stapling: it attaches a time-stamped OCSP status of its server certificate, obtained from the OCSP responder, to the TLS response.

This ensures that the FortiGate can validate the FortiGuard server certificate efficiently during the TLS handshake, without a separate round trip to the OCSP responder.

The following illustrates the connection process:

The FortiGate only completes the TLS handshake with an Anycast server when none of the abort conditions is met. The abort conditions include:

  • The CN in the server's certificate does not match the domain name resolved via DNS.

  • The OCSP status is revoked or unknown.

  • The issuer CA has been revoked by the root CA.
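As an added illustration of the three abort conditions above (example code, not part of the Fortinet guide or the FortiGate implementation), the following Python function applies the checks to a certificate given in the dict shape returned by Python's `ssl` `getpeercert()`. The certificate contents and domain name are constructed placeholders, and the `stapled_status` and `issuer_revoked` inputs are assumed to be supplied by the TLS layer.

```python
# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the domain name is a placeholder, not a real FortiGuard service name.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "service.example.test"),),),
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "subjectAltName": (("DNS", "service.example.test"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def cert_names(peercert):
    """Collect the CN and any DNS SANs from a getpeercert()-style dict."""
    names = set()
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def abort_reasons(peercert, resolved_name, stapled_status, issuer_revoked=False):
    """Return the abort conditions that apply; an empty list means the
    handshake may proceed.

    resolved_name:  the FortiGuard domain name the client resolved to the
                    Anycast IP (exact match, no wildcard handling).
    stapled_status: certificate status carried in the stapled OCSP response:
                    'good', 'revoked' or 'unknown'. A missing staple (None) is
                    treated as not good here; that is an assumption of this
                    example, the guide only lists revoked and unknown.
    issuer_revoked: whether the root CA has revoked the intermediate issuer,
                    assumed to be determined by the caller's chain validation.
    """
    reasons = []
    if resolved_name.lower() not in cert_names(peercert):
        reasons.append("CN/SAN does not match resolved domain name")
    if stapled_status != "good":
        reasons.append(f"OCSP status is {stapled_status or 'missing'}")
    if issuer_revoked:
        reasons.append("issuer CA revoked by root CA")
    return reasons
```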

To configure the Anycast FortiGuard access mode:

config system fortiguard
    set fortiguard-anycast enable
end

If FortiGuard is not reachable via Anycast, choose one of the following workarounds:

  1. Switch to other Anycast servers:

    config system fortiguard
        set fortiguard-anycast enable
        set fortiguard-anycast-source aws
    end
  2. Disable Anycast and use HTTPS:

    config system fortiguard
        set fortiguard-anycast disable
        set protocol https
        set port 8888
    end
  3. Disable Anycast and use UDP:

    config system fortiguard
        set fortiguard-anycast disable
        set protocol udp
        set port 53
    end