Add a static URL filter to allow these domains:
For DNS Filtering, add an exemption for *.fortinet.net under DNS Filter > Static Domain Filter.
If Step 4.3 failed, ensure the following traffic is permitted outbound from the FortiGate's WAN IP:
Note: If the firewall is behind a proxy, you must configure the FortiGate to use the proxy via CLI:
config system fortiguard
set protocol https
set port 443
# If proxy is required:
set source-ip <interface_ip>
end
Before diving into complex configurations, verify basic network reachability from the FortiGate itself.
Open a support ticket if:
diagnose test application fortiguard 1
diagnose test application update 1
execute reboot (if necessary)
Workaround if Issue Persists
Manually define the DDNS entry without relying on the server list:
config system ddns
edit 1
set ddns-server update.fortiddns.com
set ddns-domain yourhostname.fortiddns.com
set ddns-username "your-email@example.com"
set ddns-password "your-password"
set interface "wan1"
set use-public-ip enable
next
end
execute ddns test 1
Prevention
Conclusion
The “Unable to load FortiGuard DDNS servers list” error typically stems from connectivity or DNS problems, not the DDNS service itself. By following this guide—testing DNS, verifying policies, and using CLI workarounds—you can restore DDNS functionality. If issues persist, contact Fortinet Support with the debug output from diagnose debug application update -1 and diagnose debug enable.
Title: Unable to Load FortiGuard DDNS Servers List on FortiGate Firewall
Description:
When attempting to configure a Dynamic DNS (DDNS) service on a FortiGate firewall, the FortiGuard DDNS servers list fails to load. Instead of seeing available service providers (e.g., fortiddns.com, noip.com, etc.), the list remains empty or returns a “Failed to retrieve server list” error.
Possible Symptoms:
Common Causes:
Troubleshooting Steps:
Workaround:
Manually configure DDNS settings using the provider’s API or credentials without relying on the dynamic list.
"Unable to load FortiGuard DDNS server list" on FortiGate firewalls typically indicates a breakdown in communication between the local device and Fortinet's FortiGuard Services. This issue prevents the firewall from retrieving the dynamic DNS (DDNS) server metadata required to maintain reachable hostnames for dynamic public IP addresses.
Common Root Causes
DNS Resolution Failures: If the FortiGate cannot resolve globalddns.fortinet.net, it cannot reach the server list. This often occurs when WAN interfaces obtain DNS from an ISP via DHCP/PPPoE, which might overwrite internal FortiGuard-specific DNS settings.
Anycast & Protocol Conflicts: Modern FortiOS versions use Anycast (DNS over TLS) by default. Handshake failures or ISP blocking of port 8888 or 53 can prevent the server list from loading.
Contractual & System Status: An expired FortiCare contract will disable access to these cloud-based services.
Time Synchronization: If the system time is significantly off, SSL handshake failures will occur, blocking secure communication with FortiGuard.
Step-by-Step Troubleshooting and Resolution
1. Verify Basic Connectivity
Ensure the device can reach the internet and resolve Fortinet domains using the FortiGate CLI:
execute ping service.fortiguard.net
execute ping update.fortiguard.net
2. Fix DNS Overwrites
If using DHCP/PPPoE on your WAN, disable the setting that allows the ISP to override your DNS, as this often breaks FortiGuard resolution: Network > Interfaces > Edit WAN > Unselect Override internal DNS.
config system interface
edit <wan_interface>
set dns-server-override disable
end
Many connectivity issues are resolved by disabling the Anycast protocol and switching to standard UDP communication:
config system fortiguard
set fortiguard-anycast disable
set protocol udp
# Port 53, or 8888 if 53 is blocked by ISP
set port 53
end
4. Manually Set the DDNS Server IP
If the list still won't load automatically, you can manually point the device to a known FortiGuard DDNS server IP:
For Anycast disabled: 173.243.138.226
Alternative: 173.243.138.225
config system fortiguard
set ddns-server-ip <ddns_server_ip>
end
5. Restart the DDNS Daemon
If the configuration is correct but the GUI remains stuck, force a restart of the DDNS client process:
fnsysctl killall ddnscd
Advanced Debugging
If the error persists, technicians can use the Fortinet Community Support debug tools to see real-time errors:
diagnose debug application ddnscd -1
diagnose debug enable
Unable to load FortiGuard DDNS server list
To fix the "Unable to load FortiGuard DDNS server list" error on a FortiGate firewall, you must ensure the device can properly resolve and reach Fortinet's global DDNS domain. This error usually stems from DNS resolution conflicts or blocked management traffic.
1. Disable DNS Server Overrides
If your WAN interface receives its IP via DHCP or PPPoE, it may be automatically using ISP-provided DNS servers that cannot resolve FortiGuard domains like globalddns.fortinet.net.
GUI Method: Navigate to Network > Interfaces, edit your WAN interface, and unselect Override internal DNS.
CLI Method:
config system interface
# "wan1", or your specific WAN interface
edit "wan1"
set dns-server-override disable
end
2. Verify System DNS Settings
Ensure your FortiGate is configured to use reliable DNS servers (like FortiGuard's own or public ones like Google 8.8.8.8) to fetch the server list.
Go to Network > DNS and confirm Use FortiGuard Servers is selected.
Test connectivity in the CLI: execute ping www.fortinet.com.
3. Restart the DDNS Daemon
If the configuration is correct but the list still won't populate, the internal DDNS client process (ddnscd) may be stuck.
Run the following CLI command to force a restart of the service:
fnsysctl killall ddnscd
The system will automatically restart this process immediately.
4. Adjust FortiGuard Connectivity
Network restrictions or ISP interference on standard ports (like 53 or 443) can prevent the server list from loading.
Disable Anycast: Sometimes Anycast routing causes connection failures. Try switching to a static communication port:
config system fortiguard
set fortiguard-anycast disable
set protocol udp
# Port 8888, or 53
set port 8888
end
5. Check Support Contract & Firmware
License: Verify your FortiCare contract is valid under System > FortiGuard; expired licenses can disable certain FortiGuard services.
Firmware: Buggy older versions of FortiOS sometimes fail to load these lists; ensure you are on a current, stable firmware release.
✅ Result
The FortiGuard DDNS server list should now populate in the dropdown menu under Network > DNS, allowing you to select a server and configure your hostname.
Unable to load FortiGuard DDNS server list
"Unable to load FortiGuard DDNS server list" on a FortiGate firewall typically occurs due to a communication failure between the device and the FortiGuard network, often caused by DNS overrides, protocol mismatches, or Anycast issues.
Immediate Fixes
Disable DNS Server Override: If your WAN interface uses DHCP or PPPoE, the ISP's DNS might be overriding FortiGuard's internal DNS, preventing proper resolution. Go to Network > Interfaces, edit your WAN interface, and uncheck Override internal DNS.
config system interface
edit <wan_interface>
set dns-server-override disable
end
Disable Anycast & Use UDP: Anycast can sometimes fail to find a valid server path. Disabling it and switching to standard UDP often restores the list.
config system fortiguard
set fortiguard-anycast disable
set protocol udp
end
Manually Set DDNS Server IP: If the list still won't load, manually specifying a known FortiGuard DDNS server IP can bypass the discovery process. Common IPs: 173.243.138.225, 173.243.138.226.
config system fortiguard
set ddns-server-ip <ddns_server_ip>
end
Advanced Troubleshooting
Verify Connectivity: Ensure the firewall can reach the FortiGuard domains. From the CLI, try to ping update.fortiguard.net and service.fortiguard.net.
Restart the DDNS Daemon: If the service is stuck, killing the process will force a restart and a fresh attempt to fetch the list.
fnsysctl killall ddnscd
Check SSL Versions: A handshake failure (common in older versions like v7.0) may require you to lower the minimum SSL version if there is a protocol mismatch.
config system global
set ssl-min-proto-version TLSv1
end
Hardware/Firmware Limitations: Note that the DDNS menu is automatically hidden in the GUI if you are using custom DNS servers instead of FortiGuard Servers, starting with FortiOS 7.2. It is also unavailable on high-end appliances, FortiGate-VMs, or when in transparent mode.
For persistent issues, you can review detailed logs using:
diagnose debug application ddnscd -1
diagnose debug enable
Troubleshooting: "Unable to Load FortiGuard DDNS Servers List" on FortiGate
If you’re trying to set up Dynamic DNS (DDNS) on your FortiGate and hitting the error "Unable to load FortiGuard DDNS server list," you aren’t alone. This common issue usually stems from a breakdown in communication between your firewall and FortiGuard services.
1. Disable "Override Internal DNS"
The most frequent cause is when your WAN interface (set to DHCP or PPPoE) is configured to use the ISP's DNS servers instead of FortiGuard's. If the ISP's DNS cannot resolve globalddns.fortinet.net, the server list will fail to load.
GUI Fix: Navigate to Network > Interfaces, edit your WAN interface, and uncheck Override internal DNS.
CLI Fix:
config system interface
edit "wan1"
set dns-server-override disable
end
2. Verify Basic Connectivity and DNS
If the firewall cannot reach the internet or resolve domains, it won't fetch the server list.
Test Resolution: Run execute ping www.fortinet.com from the CLI.
Check FortiGuard Connectivity: Go to System > FortiGuard and verify that your licenses are active and the FortiGate can reach FortiGuard servers.
3. Adjust Protocol and Ports
Sometimes, SSL negotiation fails or a specific port is blocked.
Change Communication Port: Try switching the FortiGuard communication port between 53, 443, or 8888.
Disable Anycast: Some users find success by switching from Anycast to Unicast.
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
end
4. Enable Cloud Communication
If you recently upgraded firmware, certain cloud communication settings might have been disabled by default.
Enable Settings:
config system global
set cloud-communication enable
end
5. Restart the DDNS Client
If the configuration looks correct but the list still won't load, the internal DDNS daemon (ddnscd) might be stuck.
Restart Daemon:
fnsysctl killall ddnscd
The system will automatically restart the process, forcing a fresh attempt to fetch the server list.
Summary Checklist
Technical Tip: How to check FortiGuard Server status on FortiGate
Ensure policy from FortiGate’s internal interface to WAN allows HTTPS (443) to *.fortiguard.net and *.fortiddns.com.
Starting FortiOS 7.2, Fortinet requires a valid FortiGuard DDNS license (previously bundled with Unified Threat Protection).
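An offline check for the settings the troubleshooting steps above change, as an added example (not Fortinet's code and not part of the original page): it parses a FortiOS configuration backup and reports DHCP/PPPoE interfaces where ISP DNS still overrides system DNS, a disabled Anycast setting, and a minimum TLS version left below 1.2. The sample backup is constructed, and treating a missing dns-server-override as enabled is an assumption.

```python
# Constructed backup excerpt (not from a real device).
SAMPLE = """\
config system global
    set ssl-min-proto-version TLSv1
end
config system interface
    edit "wan1"
        set mode dhcp
    next
end
config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
end
"""

def parse(text):
    """Return {section: {entry: {key: value}}}; settings outside an edit use entry ''."""
    cfg, section, entry, depth = {}, None, "", 0
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[0] == "config":
            depth += 1
            if depth == 1:  # top-level table; nested ones are skipped below
                section, entry = " ".join(tok[1:]), ""
                cfg.setdefault(section, {})
        elif tok[0] == "end":
            depth -= 1
        elif depth != 1:
            continue  # inside a nested sub-table such as "config ipv6"
        elif tok[0] == "edit" and len(tok) > 1:
            entry = tok[1].strip('"')
        elif tok[0] == "next":
            entry = ""
        elif tok[0] == "set" and len(tok) > 2:
            cfg[section].setdefault(entry, {})[tok[1]] = " ".join(tok[2:]).strip('"')
    return cfg

def audit(cfg):
    out = []
    for name, s in cfg.get("system interface", {}).items():
        # Assumption: a missing dns-server-override means the default, enable.
        if s.get("mode") in ("dhcp", "pppoe") and s.get("dns-server-override", "enable") == "enable":
            out.append(f"{name}: ISP DNS overrides system DNS")
    glob, fg = (cfg.get(k, {}).get("", {}) for k in ("system global", "system fortiguard"))
    if fg.get("fortiguard-anycast") == "disable":
        out.append(f"fortiguard: anycast disabled, protocol {fg.get('protocol')}")
    if glob.get("ssl-min-proto-version") in ("SSLv3", "TLSv1", "TLSv1-1"):
        out.append("global: ssl-min-proto-version below TLS 1.2")
    return out
```

TLS 1.0 and 1.1 are deprecated (RFC 8996), so a lowered ssl-min-proto-version found this way is worth reverting once the handshake problem has been diagnosed.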