Unable to Load FortiGuard DDNS Servers List on FortiGate Firewalls

The issue "Unable to load FortiGuard DDNS server list" on FortiGate firewalls typically prevents you from selecting a DDNS server in the GUI, often occurring after firmware upgrades or due to DNS/network configuration conflicts.

Common Root Causes

DNS Server Overrides: If your WAN interface uses DHCP or PPPoE, it may be overriding your internal DNS settings with ISP-provided servers that cannot resolve globalddns.fortinet.net.

FortiGuard Port Blocking: ISPs or upstream firewalls may block traffic on Port 53 (proprietary UDP) or Port 8888, which FortiGuard uses for communication.

Expired Licenses: A valid FortiCare contract is often required to communicate with FortiGuard servers for DDNS services.

Service Daemon Glitches: The internal DDNS client daemon (ddnscd) may become unresponsive.

Troubleshooting Steps

Disable DNS Overrides:

GUI: Go to Network -> Interfaces, edit your WAN interface, and ensure Override internal DNS is disabled.

CLI:

config system interface
    edit "wan1"
        set dns-server-override disable
    next
end

Verify Connectivity & DNS:

Test if the firewall can reach the internet: exec ping www.fortinet.com.

Confirm the DDNS domain resolves: exec traceroute globalddns.fortinet.net.

Adjust FortiGuard Communication Port: If Port 53 is blocked, switch to 8888 or 443:

config system fortiguard
    set port 8888
end

Restart the DDNS Process: Kill and restart the daemon to force a fresh update:

fnsysctl killall ddnscd

Configure via CLI (Workaround):

If the GUI list remains empty, you can manually set the server in the CLI:

config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "yourname.fortiddns.com"
        set monitor-interface "wan1"
    next
end

Verification

Check the status of your DDNS configuration and the server IP resolved by the FortiGate using the Fortinet Community Guide for detailed command outputs.

Troubleshooting: "Unable to Load FortiGuard DDNS Servers List" on FortiGate

If you’re trying to set up Dynamic DNS (DDNS) on your FortiGate and hitting the error "Unable to load FortiGuard DDNS server list," you aren’t alone. This common issue usually stems from a breakdown in communication between your firewall and FortiGuard services.

1. Disable "Override Internal DNS"

The most frequent cause is when your WAN interface (set to DHCP or PPPoE) is configured to use the ISP's DNS servers instead of FortiGuard's. If the ISP's DNS cannot resolve globalddns.fortinet.net, the server list will fail to load.

GUI Fix: Navigate to Network > Interfaces, edit your WAN interface, and uncheck Override internal DNS.

CLI Fix:

config system interface
    edit "wan1"
        set dns-server-override disable
end

2. Verify Basic Connectivity and DNS

If the firewall cannot reach the internet or resolve domains, it won't fetch the server list.

Test Resolution: Run execute ping www.fortinet.com from the CLI.

Check FortiGuard Connectivity: Go to System > FortiGuard and verify that your licenses are active and the FortiGate can reach FortiGuard servers.

3. Adjust Protocol and Ports

Sometimes, SSL negotiation fails or a specific port is blocked.

Change Communication Port: Try switching the FortiGuard communication port between 53, 443, or 8888.

Disable Anycast: Some users find success by switching from Anycast to Unicast.

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
end

4. Enable Cloud Communication

If you recently upgraded firmware, certain cloud communication settings might have been disabled by default.

Enable Settings:

config system global
    set cloud-communication enable
end

5. Restart the DDNS Client

If the configuration looks correct but the list still won't load, the internal DDNS daemon (ddnscd) might be stuck.

Restart Daemon:

fnsysctl killall ddnscd

The system will automatically restart the process, forcing a fresh attempt to fetch the server list.

Summary Checklist
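An offline check for the settings covered in the steps above, as an added example that is not from the original page or from Fortinet: it parses a saved FortiGate configuration file and flags a DNS override on a DHCP/PPPoE interface, disabled cloud communication, and FortiGuard on port 53. The sample config, the function names, and the assumption that an unset dns-server-override defaults to enable are this example's own.

```python
import re

# Constructed sample of a FortiGate config backup (not from the original page).
SAMPLE = """
config system global
    set cloud-communication disable
end
config system interface
    edit "wan1"
        set mode pppoe
        config ipv6
            set ip6-mode dhcp
        end
    next
end
config system fortiguard
    set port 53
end
"""

def parse(text):
    """Map (section, entry) -> {key: value} for top-level config blocks."""
    out, depth, section, entry = {}, 0, None, None
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if tok[0] == "config":
            depth += 1
            if depth == 1:
                section, entry = " ".join(tok[1:]), None
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            entry = tok[1]
        elif depth == 1 and tok[0] == "set":
            out.setdefault((section, entry), {})[tok[1]] = " ".join(tok[2:])
    return out

def audit(text):
    """Return findings for the settings this page ties to the DDNS list error."""
    cfg, findings = parse(text), []
    for (sec, name), kv in cfg.items():
        # Assumption: an absent dns-server-override means the default, enable.
        if (sec == "system interface" and kv.get("mode") in ("dhcp", "pppoe")
                and kv.get("dns-server-override", "enable") == "enable"):
            findings.append(f"{name}: dns-server-override enabled ({kv['mode']})")
    if cfg.get(("system global", None), {}).get("cloud-communication") == "disable":
        findings.append("global: cloud-communication disabled")
    if cfg.get(("system fortiguard", None), {}).get("port") == "53":
        findings.append("fortiguard: port 53 in use; try 8888 or 443 if blocked")
    return findings
```

Settings inside nested blocks (such as the ipv6 block under an interface) are skipped on purpose, so a nested `set` cannot be mistaken for an interface-level one.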

Technical Tip: How to check FortiGuard Server status on FortiGate

Introduction

Dynamic DNS (DDNS) is a critical service for organizations operating without static public IP addresses. It allows remote users, site-to-site VPNs, and external services to connect to a FortiGate firewall using a fully qualified domain name (FQDN) that automatically updates whenever the ISP changes the public IP.

However, a notoriously frustrating error message often appears when administrators attempt to configure or refresh the DDNS provider list on a FortiGate appliance:

"Unable to load FortiGuard DDNS servers list. Please check your internet connection and FortiGuard settings."

This error can halt deployment, break existing DDNS configurations, and lead to significant downtime if not resolved quickly. This article provides a deep-dive diagnosis, root cause analysis, and step-by-step remediation for this exact issue.


3. Affected Versions (observed)


1. Verify Basic Internet Connectivity

Run from CLI:

execute ping fortiguard.com
execute ping update.fortiddns.com

If pings fail, check:

5. Resolution Procedures

Based on the troubleshooting findings, apply one of the following solutions.

4. Troubleshooting Steps

The following steps should be performed in order to isolate the fault.