Fortinet black logo

New Features

Home FortiGate / FortiOS 6.4.0 New Features

Use anycast to communicate with FortiGuard servers

6.4.0
7.4.0
7.2.0
7.0.0
6.4.0
6.2.0
Copy Link
Copy Doc ID de1e129a-0283-11ea-8977-00505692583a:925541
Download PDF

Use anycast to communicate with FortiGuard servers

Third party certificate verification and OCSP stapling check is implemented for all FortiGuard servers that are connected to FortiOS. The default FortiGuard access mode is anycast.

FortiGuard represents all cloud based servers; see Anycast and unicast services for details.

The anycast server has one IP address to match its domain name. The FortiGate connects with a single server address, regardless of where the FortiGate is located.

The following process is used to connect to an anycast server:

Abort conditions include:

  • The CN in the server's certificate does not match the domain name resolved from the DNS.
  • The OCSP status is not good.
  • The issuer-CA is revoked by the root-CA.

Once the SSL handshake is established, the FortiGate can engage the server.

Example Wireshark PCAP:

To enable anycast FortiGuard access mode:
config system fortiguard
    set fortiguard-anycast enable
    set fortiguard-anycast-source fortinet
end
Previous
Next

Use anycast to communicate with FortiGuard servers

Third party certificate verification and OCSP stapling check is implemented for all FortiGuard servers that are connected to FortiOS. The default FortiGuard access mode is anycast.

FortiGuard represents all cloud based servers; see Anycast and unicast services for details.

The anycast server has one IP address to match its domain name. The FortiGate connects with a single server address, regardless of where the FortiGate is located.

The following process is used to connect to an anycast server:

Abort conditions include:

  • The CN in the server's certificate does not match the domain name resolved from the DNS.
  • The OCSP status is not good.
  • The issuer-CA is revoked by the root-CA.

Once the SSL handshake is established, the FortiGate can engage the server.

Example Wireshark PCAP:

To enable anycast FortiGuard access mode:
config system fortiguard
    set fortiguard-anycast enable
    set fortiguard-anycast-source fortinet
end
Previous
Next