Description
This article describes how to allow the FortiGate's FortiGuard traffic through the upstream firewalls when the FortiGate has 'fortiguard-anycast' enabled.
Solution
In FortiOS v6.2.2 and later, fortiguard-anycast can be enabled on the FortiGate to optimize routing to the FortiGuard servers:
# config system fortiguard
    set protocol https
    set port 443
    set fortiguard-anycast enable
    set fortiguard-anycast-source fortinet
end
With fortiguard-anycast enabled, the FortiGate communicates with the IP addresses resolved from the FQDNs below, one per feature.
The AV/IPS FQDN:
globalupdate.fortinet.net
The WF FQDN:
globalguardservice.fortinet.net
It is therefore necessary to create a firewall policy on the FortiGate's upstream firewalls that allows the above two FQDNs (on the protocol and port configured above, HTTPS/443 by default) so that the FortiGate can communicate with the FortiGuard servers.
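As an added example that is not part of the original article, the following is the matching configuration on an upstream firewall when that firewall is also a FortiGate: FQDN address objects for the two names, grouped and referenced by a single policy. The interface names port2 (inside) and port1 (Internet), the address object "Downstream-FortiGate" and its IP 10.0.0.2 are constructed assumptions; replace them with your own values.

```fortios
# Upstream FortiGate: FQDN address objects for the two FortiGuard anycast names.
# The upstream unit must itself be able to resolve these names, otherwise the
# objects resolve to nothing and the policy matches no traffic.
config firewall address
    edit "FortiGuard-AV-IPS"
        set type fqdn
        set fqdn "globalupdate.fortinet.net"
    next
    edit "FortiGuard-WF"
        set type fqdn
        set fqdn "globalguardservice.fortinet.net"
    next
    edit "Downstream-FortiGate"
        # Assumed egress address of the downstream FortiGate (constructed value).
        set subnet 10.0.0.2 255.255.255.255
    next
end

# Group both names so one policy covers AV/IPS and Web Filter lookups.
config firewall addrgrp
    edit "FortiGuard-Anycast"
        set member "FortiGuard-AV-IPS" "FortiGuard-WF"
    next
end

# Policy from the downstream FortiGate's segment (port2, assumed) to the
# Internet (port1, assumed). Service is limited to HTTPS because the downstream
# unit is configured with 'set protocol https' and 'set port 443'.
config firewall policy
    edit 0
        set name "Allow-FortiGuard-Anycast"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Downstream-FortiGate"
        set dstaddr "FortiGuard-Anycast"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Logging is enabled on the policy so that FortiGuard update failures on the downstream unit can be correlated with denied or absent sessions on the upstream firewall.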