Unable To Load Fortiguard Ddns - Servers List On Fortigate Firewalls

Unable to load FortiGuard DDNS servers list on FortiGate firewalls

Many FortiGate administrators encounter the error “unable to load FortiGuard DDNS servers list” or similar messages when the firewall cannot retrieve FortiGuard Dynamic DNS (DDNS) server information. This prevents DDNS hostname registration, impairs FortiGuard-dependent features, and can indicate connectivity, DNS, or certificate issues. The guide below explains likely causes, diagnostic steps, and actionable fixes.

6. Workaround (Manual Configuration)

If the list cannot be loaded but the administrator knows the DDNS IP or server name (for example, if using a 3rd party provider like No-IP, or a known FortiGuard server IP), it is possible to configure DDNS via CLI bypassing the GUI dropdown.

Example for FortiGuard DDNS:

config system ddns
    edit 0
        set ddns-server FortiGuard
        set ddns-domain "your-fqdn.ddns.net"
        set monitor-interface "wan1"
    next
end

Note: While the GUI list fails to load, typing set ddns-server FortiGuard in CLI often works as it does not rely on the dynamic dropdown list.

Root Cause #3: FortiOS Firmware Bugs

Several FortiOS versions have known bugs causing the "unable to load fortiguard ddns servers list" symptom, particularly in: Unable to load FortiGuard DDNS servers list on

• 6.0.x (early builds)
• 6.2.0 – 6.2.5
• 6.4.0 – 6.4.2
• 7.0.0 – 7.0.1

In these versions, even with perfect connectivity, the GUI or CLI cannot parse the provider list due to a JSON schema mismatch or SSL certificate issues.

Solution:

Add a static URL filter to allow these domains:

1. Go to Security Profiles > Web Filter.
2. Edit the profile applied to the local-out policy.
3. Under Static URL Filter, add:
   • guard.fortinet.net – Action: Allow
   • service.fortinet.com – Action: Allow
   • update.fortinet.net – Action: Allow
4. Alternatively, disable web filtering for the management interface temporarily to test.

For DNS Filtering, add an exemption for *.fortinet.net under DNS Filter > Static Domain Filter.

---

6. Apply Known Firmware Fixes

• Upgrade to FortiOS 6.4.9+, 7.0.6+, or 7.2.2+ where this bug is resolved.
• For affected versions (e.g., 6.4.0–6.4.4), use CLI configuration only, avoiding the GUI dropdown.

Step 1: Test Name Resolution

SSH into the FortiGate or use the console. Run: Note: While the GUI list fails to load,

execute ping guard.fortinet.net

If ping fails with ping: cannot resolve guard.fortinet.net: Unknown host, you have a DNS problem.

Check the FortiGate’s configured DNS servers:

show system dns

Ensure they are valid (e.g., 8.8.8.8, 1.1.1.1, or your internal resolvers). Also verify:

execute ping 8.8.8.8

If external pings fail, the routing or WAN interface is misconfigured. Default gateway Static routes Interface status

5.4 Force DDNS list refresh from CLI

diagnose test application ddns 1
execute ddns list

Step-by-Step Troubleshooting Guide

Follow these steps in order. Do not skip the diagnostic commands—they are essential.

1. Verify Basic Internet Connectivity

Run from CLI:

execute ping fortiguard.com
execute ping update.fortiddns.com

If pings fail, check:

• Default gateway
• Static routes
• Interface status