FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
fropert_FTNT (Staff)
Article Id 194392

Description


This article describes why the FortiGate CLI command 'diag debug application update -1' may return the 'negotiate_proxy_tunnel-Error reading' error message when the unit tries to connect to the FortiGuard servers through a proxy:


upd_daemon.c[859] upd_daemon-Received update now request
upd_daemon.c[302] do_update-Starting now UPDATE (final try)
upd_cfg.c[49] upd_cfg_get_host_by_name-Failed to gethostbyname for update.fortiguard.net
upd_act.c[653] upd_act_HA_contract_info-Trying FDS 208.91.112.82:443
upd_comm.c[202] tcp_connect_fds-Proxy tunneling enabled to 10.62.0.16:8080
upd_comm.c[117] negotiate_proxy_tunnel-Error reading


A sniffer trace shows that the Squid proxy denied the FortiGate's request and replied with a 403 TCP_DENIED error message. As a consequence, the FortiGate unit cannot retrieve the FortiGuard services information.


This article provides a solution for the situation where a downstream FortiGate unit must be able to access FortiGuard services that are reachable only via the Squid proxy.

Here is a sample network diagram (image fropert_FD34499_kb-squid.jpg, not reproduced here):
Scope


FortiGate v4.00 MR2, v4.00 MR3, v5.0.x.


Solution


Configuration of the FortiGate unit (CLI):


config system autoupdate tunneling
    set address 10.62.0.16
    set port 8080
    set status enable
end


Configuration of the Squid proxy (squid.conf):


acl myfgt src 10.62.0.210
# http_access is evaluated first-match: keep this line above the final "http_access deny all"
http_access allow myfgt
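To show why the placement of the allow rule matters, here is an added example that is not part of the original article or of Squid itself: a small Python simulation of Squid's first-match http_access evaluation for the ACL types involved here (src, port, method and the predefined all). It reuses the article's addresses (FortiGate 10.62.0.210, FDS port 443); the Safe_ports/SSL_ports lines mirror Squid's stock configuration, and the "broken" ordering is constructed to reproduce the TCP_DENIED symptom.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    """One proxied request as seen by Squid (constructed sample input)."""
    src: str       # client IP, e.g. the FortiGate
    dst_port: int  # destination port of the CONNECT / GET
    method: str    # HTTP method, e.g. CONNECT


def parse_squid_conf(text):
    """Return (acls, rules) from the acl / http_access lines of a squid.conf."""
    acls = {"all": ("any", [])}  # Squid predefines 'all' to match everything
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, args = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (kind, []))[1].extend(args)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """Evaluate a single named ACL against the request."""
    kind, args = acls[name]
    if kind == "any":
        return True
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "port":
        for a in args:
            lo, _, hi = a.partition("-")
            if int(lo) <= req.dst_port <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req.method.upper() in (a.upper() for a in args)
    raise ValueError(f"acl type {kind!r} not modelled in this example")


def evaluate(conf_text, req):
    """First-match http_access decision: (action, 1-based rule number or None)."""
    acls, rules = parse_squid_conf(conf_text)
    for i, (action, terms) in enumerate(rules, 1):
        # All terms on one line are AND-ed; a leading '!' negates a term.
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, i
    # Nothing matched: Squid applies the opposite of the last rule's action.
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), None


# Constructed squid.conf fragments; the Safe_ports/SSL_ports lines follow Squid's defaults.
BASE_CONF = """
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl myfgt src 10.62.0.210
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""
BROKEN_CONF = BASE_CONF + "http_access deny all\nhttp_access allow myfgt\n"
FIXED_CONF = BASE_CONF + "http_access allow myfgt\nhttp_access deny all\n"

# The FortiGate's CONNECT to an FDS server on port 443 through the proxy.
FDS_CONNECT = Request("10.62.0.210", 443, "CONNECT")

if __name__ == "__main__":
    print("allow after deny all:", evaluate(BROKEN_CONF, FDS_CONNECT))  # ('deny', 3)
    print("allow before deny all:", evaluate(FIXED_CONF, FDS_CONNECT))  # ('allow', 3)
```

With the allow line placed after "http_access deny all", the FortiGate's CONNECT is rejected by the deny-all rule, which is exactly the TCP_DENIED seen in the sniffer trace; moving it above that rule lets the request through. The simulation also shows that a CONNECT to a port outside Safe_ports is still denied by the first rule even for the allowed source.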


Note:

v5.0 up to v6.4 is out of engineering support, so these commands might differ on higher versions. Consider upgrading the firmware on the device to a supported version (7.0 up to 7.6). Check the firmware upgrade path and hardware compatibility with the Upgrade tool.