vshtaloja
Staff
April 25, 2025

Troubleshooting Tip: FortiGuard Update failed using proxy, HTTP 1.1 host header missing

Description This article describes how to handle FortiGuard updates failing through a proxy because the HTTP/1.1 CONNECT request is missing the Host header.
Scope FortiOS v7.2, v7.4.
Solution
  • Configure proxy tunneling for IPS updates.

 

config system autoupdate tunneling
    set status enable
    set address "10.10.10.50"
    set port 8080
end

 

  • After configuring, run the debug to verify:

 

FortiGate (global) # diagnose debug application update -1
Debug messages will be on for 30 minutes.

FortiGate (global) # diagnose debug enable

FortiGate (global) # execute update-now

FortiGate (global) # eupd_fds_load_default_server[939]-Resolve and add fds globalupdate.fortinet.net ip address failed.

SGLSFW07 (global) # upd_fds_load_default_server6[1046]-Resolve and add fds globalupdate.fortinet.net ipv6 address failed.
upd_comm_connect_fds[457]-Trying FDS globalupdate.fortinet.net:443
tcp_connect_fds[168]-Proxy tunneling enabled to 10.10.10.50:8080
negotiate_proxy_tunnel[138]-tunneling request=[CONNECT globalupdate.fortinet.net:443 HTTP/1.1
User-agent: Fortinet/7.04

] response=[HTTP/1.1 400 Bad Request
x-panw-pxtxid: dc17c200-a20d-48f0-a6fb-68f3d4a45d10.3b76b7a3-1890-4344-bf57-082db47a4822
date: Thu, 20 Feb 2025 10:49:12 GMT
via: 166ba57b9f9c30b.europe-west2-c/panwepx
connection: close
content-length: 0

 

The Wireshark analysis confirms that the CONNECT requests sent to the web proxy for FortiGuard updates are missing the HTTP/1.1 Host header, which causes the update failures.

When proxy tunneling is enabled, debug logs should display a CONNECT request containing the correct Host header.

 

If a 400 Bad Request or similar error appears, it indicates that the proxy is rejecting the request due to the missing header; enabling tunneling ensures the header is properly included.

 

Hypertext Transfer Protocol
CONNECT globalupdate.fortinet.net:443 HTTP/1.1\r\n
Request Method: CONNECT
Request URI: globalupdate.fortinet.net:443
Request Version: HTTP/1.1
User-agent: Fortinet/7.04\r\n
\r\n
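
HTTP/1.1 requires a Host header on every request, CONNECT included, and a server must answer a request that lacks one with 400 Bad Request (RFC 9112, section 3.2), which matches the rejection in the debug output above. The following is an added example, not Fortinet code: it parses saved 'diagnose debug application update -1' output and flags tunneling requests that lack the header. The function names and the COMPLIANT sample are assumptions made for illustration.

```python
import re

# Constructed samples in the format of the debug output above. BROKEN mirrors
# the article's capture; COMPLIANT is an assumed well-formed CONNECT, not a
# capture from a device.
BROKEN = (
    "tcp_connect_fds[168]-Proxy tunneling enabled to 10.10.10.50:8080\n"
    "negotiate_proxy_tunnel[138]-tunneling request=[CONNECT globalupdate.fortinet.net:443 HTTP/1.1\n"
    "User-agent: Fortinet/7.04\n\n"
    "] response=[HTTP/1.1 400 Bad Request\nconnection: close\ncontent-length: 0\n\n"
)
COMPLIANT = (
    "negotiate_proxy_tunnel[138]-tunneling request=[CONNECT globalupdate.fortinet.net:443 HTTP/1.1\n"
    "Host: globalupdate.fortinet.net:443\nUser-agent: Fortinet/7.04\n\n"
    "] response=[HTTP/1.1 200 Connection established\n\n]\n"
)

# The request runs up to "] response=["; only the reply's status line is needed.
TUNNEL_RE = re.compile(
    r"negotiate_proxy_tunnel\[\d+\]-tunneling request=\[(?P<req>.*?)\]\s*"
    r"response=\[HTTP/\d\.\d (?P<code>\d{3})", re.S)


def parse_request(raw):
    """Return (request_line, headers) with header names lower-cased."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def audit_tunnel_requests(debug_text):
    """Flag each logged CONNECT that is HTTP/1.1 but carries no Host header."""
    findings = []
    for m in TUNNEL_RE.finditer(debug_text):
        request_line, headers = parse_request(m.group("req"))
        method, _, rest = request_line.partition(" ")
        target, _, version = rest.rpartition(" ")
        findings.append({"method": method, "target": target, "version": version,
                         "proxy_status": int(m.group("code")),
                         "missing_host": version == "HTTP/1.1" and "host" not in headers})
    return findings
```

Calling audit_tunnel_requests(BROKEN + COMPLIANT) returns one finding per logged tunnel negotiation; a finding with missing_host set alongside a 4xx proxy_status corresponds to the failure described in this article.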

 

The issue has been identified and fixed in v7.4.8.

 

Note:

In v7.6.3 and above, the 'config system autoupdate tunneling' command has been removed and replaced with 'config system fortiguard'. See: Changes in CLI 

 

config system fortiguard
    set proxy-server-ip <proxy_address>
    set proxy-server-port <proxy_port>
end