FortiGate – FortiGuard Servers with SD-WAN

We’ve started rolling out SD-WAN setups at all our sites with redundant internet connections. A couple of them ran into issues connecting to FortiGuard and we had to contact support. Here is the CLI they ran.

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 53
    set sdns-server-ip "208.91.112.220"
    set interface-select-method sdwan
end

This disables FortiGuard anycast, sets the update protocol to UDP on port 53, and tells FortiGuard to pick its egress interface through SD-WAN instead of a plain routing-table lookup (the default interface-select-method is auto). What I found out later is that when you disable anycast, you also need to specify an SDNS server for the firewall to pull its security profile updates from. The US server is 208.91.112.220.

The FortiGate’s own DNS settings need the same treatment, so the system DNS lookups also go out over the SD-WAN connection:

config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
    set interface-select-method sdwan
end
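
As an added example (not code from the original post or from Fortinet), here is a small Python script that reads the two blocks above, as they appear in a config backup or in the output of `show system fortiguard` / `show system dns`, and flags the combinations that caused the problem: anycast disabled without an sdns-server-ip, and either table still on the default interface-select-method instead of sdwan. The two sample configs are constructed for the example, and the `expect_sdwan` flag and the finding messages are the script's own, not a FortiOS feature.

```python
"""Lint FortiGate `system fortiguard` / `system dns` settings for SD-WAN sites.

Added example, not code from the original post or from Fortinet. It parses
the flat `config ... / set ... / end` blocks that a FortiOS backup or
`show system fortiguard` / `show system dns` produce and reports the
combinations that break FortiGuard on a site whose internet egress lives
in SD-WAN. The sample configs below are constructed for the example.
"""
import ipaddress
import shlex
import sys

# Constructed "before" state: anycast turned off, but no SDNS server given and
# both tables left on the default interface-select-method (auto).
BROKEN_CONFIG = """\
config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 53
end
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end
"""

# Constructed "after" state: the settings the post ends up with.
FIXED_CONFIG = """\
config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 53
    set sdns-server-ip "208.91.112.220"
    set interface-select-method sdwan
end
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
    set interface-select-method sdwan
end
"""


def parse_blocks(text):
    """Return {"system fortiguard": {"port": ["53"], ...}, "system dns": {...}}.

    Values are stored as lists of tokens (FortiOS allows multi-value settings
    such as several quoted IPs). Only flat blocks are handled, which is all
    these two tables contain; nested `edit` stanzas are out of scope.
    """
    blocks = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            current = line[len("config "):].strip()
            blocks.setdefault(current, {})
        elif line == "end":
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[len("set "):].partition(" ")
            blocks[current][key] = shlex.split(value)  # strips the quotes
    return blocks


def lint(text, expect_sdwan=True):
    """Return a list of findings; an empty list means nothing to fix."""
    blocks = parse_blocks(text)
    fg = blocks.get("system fortiguard", {})
    dns = blocks.get("system dns", {})
    findings = []

    # FortiOS defaults when a key is absent from `show` output: anycast is
    # enabled and interface-select-method is auto (routing-table lookup).
    if fg.get("fortiguard-anycast", ["enable"])[0] == "disable":
        sdns = fg.get("sdns-server-ip", [])
        if not sdns:
            findings.append("system fortiguard: anycast disabled but sdns-server-ip not set")
        for ip in sdns:
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                findings.append(f"system fortiguard: sdns-server-ip {ip!r} is not an IP address")

    if expect_sdwan:
        if fg.get("interface-select-method", ["auto"])[0] != "sdwan":
            findings.append("system fortiguard: interface-select-method is not sdwan")
        if dns.get("interface-select-method", ["auto"])[0] != "sdwan":
            findings.append("system dns: interface-select-method is not sdwan")
    return findings


if __name__ == "__main__":
    # Usage: python lint_fortiguard.py site-a.conf site-b.conf ...
    # With no files given, run against the constructed samples above.
    sources = {path: open(path).read() for path in sys.argv[1:]}
    if not sources:
        sources = {"BROKEN_CONFIG": BROKEN_CONFIG, "FIXED_CONFIG": FIXED_CONFIG}
    for name, text in sources.items():
        problems = lint(text)
        print(f"{name}: {'OK' if not problems else ''}")
        for problem in problems:
            print(f"  - {problem}")
```

Run it over the config backups of every SD-WAN site to catch the ones that were converted without the sdns-server-ip line. It only checks the configuration; on the box itself, `diagnose debug rating` shows whether the unit can actually reach the FortiGuard servers after the change.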