FortiGates treat their own generated traffic (DNS, DDNS, FortiGuard updates, NTP) differently from traffic passing through the device. This is called . A common oversight is failing to create a policy allowing the FortiGate’s management IP to reach the internet.
The error "Unable to load FortiGuard DDNS server list" typically occurs when the FortiGate firewall cannot reach FortiGuard services to retrieve the list of available Dynamic DNS servers.
Common Fixes
Disable DNS Overrides on WAN
When your WAN interface obtains an IP address via DHCP or PPPoE, it often pulls the internet service provider's (ISP) upstream DNS servers. Many ISP DNS servers fail to properly resolve or allow connection to Fortinet's global DDNS infrastructure (globalddns.fortinet.net).
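To test the ISP-resolver claim above from a workstation on the same network, the following added example (not from the original page or from Fortinet) sends a raw DNS query for the DDNS hostname to each resolver IP you pass on the command line and reports how that resolver answers. It only tests the resolver itself; traffic the FortiGate generates on its own still follows the firewall's own path.

```python
import secrets
import socket
import struct

DDNS_HOST = "globalddns.fortinet.net"  # hostname named on this page
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid):
    """Encode a standard recursive DNS query for the A record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_reply(reply, txid):
    """Return (rcode_name, answer_count) taken from a DNS reply header."""
    if len(reply) < 12:
        raise ValueError("short DNS reply")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:  # ID must match and QR bit must be set
        raise ValueError("not a reply to our query")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}"), ancount

def check_resolver(server, name=DDNS_HOST, timeout=3.0):
    """Ask one resolver for `name` over UDP/53 and classify the result."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (server, 53))
            reply, _ = s.recvfrom(512)
            rcode, answers = parse_reply(reply, txid)
        except socket.timeout:
            return "no reply (timeout)"
        except (OSError, ValueError) as exc:
            return f"error: {exc}"
    if rcode == "NOERROR" and answers:
        return f"resolves ({answers} answer records)"
    return f"does not resolve ({rcode}, {answers} answers)"

if __name__ == "__main__":
    import sys
    # Arguments: the ISP-assigned DNS server(s) and a resolver you trust, as IPv4 addresses.
    for server in sys.argv[1:]:
        print(f"{server}: {check_resolver(server)}")
```

If the ISP resolver times out or returns SERVFAIL/NXDOMAIN while another resolver answers, that supports disabling the DNS override on the WAN interface.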
A valid FortiCare contract is required for some FortiGuard services.
Check current error and system status
Run from CLI:
A fundamental cause of this error is often a breakdown in basic network or DNS communication. Before diving deeper, it's essential to verify that your FortiGate can resolve domain names and reach the broader internet.
execute ping www.fortinet.com
execute ping guard.fortinet.net
If the configuration looks correct but the list still won't load, the internal DDNS daemon (ddnscd) might be stuck.
fnsysctl killall ddnscd
diagnose debug application update -1
diagnose debug enable
execute update-now
Ensure are toggled appropriately if your network limits port 853 (DNS over TLS).
Phase 2: Bypassing the GUI via CLI Configuration
Several FortiOS versions have known bugs causing the "unable to load fortiguard ddns servers list" symptom, particularly in:
Select your primary outbound WAN interface (e.g., WAN1) and click .
A successful ping indicates basic internet connectivity is working.
Firewall policies, routing, and NAT
# Disable DNS override on WAN interface
config system interface
    edit wan1
        set dns-server-override disable
    next
end