FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Description This article discusses about ICMP response to FortiGuard Distribution Servers (FDS). Solution ICMP packet loss has been observed on FortiGuard servers occasionally.
# execute ping update.fortiguard.net PING fds1.fortinet.com (96.45.33.86): 56 data bytes 64 bytes from 96.45.33.86: icmp_seq=0 ttl=56 time=158.2 ms 64 bytes from 96.45.33.86: icmp_seq=1 ttl=56 time=158.2 ms 64 bytes from 96.45.33.86: icmp_seq=2 ttl=56 time=158.2 ms 64 bytes from 96.45.33.86: icmp_seq=3 ttl=56 time=158.1 ms 64 bytes from 96.45.33.86: icmp_seq=4 ttl=56 time=158.2 ms
--- fds1.fortinet.com ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 158.1/158.1/158.2 ms
# execute ping service.fortiguard.net PING guard.fortinet.net (209.222.147.36): 56 data bytes 64 bytes from 209.222.147.36: icmp_seq=1 ttl=50 time=117.0 ms
--- guard.fortinet.net ping statistics --- 5 packets transmitted, 1 packets received, 80% packet loss round-trip min/avg/max = 117.0/117.0/117.0 ms
The packet loss occurs due to ICMP echo rate-limitation applied on the FortiGuard servers. Hence, packet loss to FortiGuard servers is expected.
ICMP echo requests and responses can be misleading as protocols are prioritized at various levels. This has no relation to updates from FortiGuard servers as updates happen on port 443.
