Created on 09-22-2013 04:04 PM Edited on 05-26-2022 10:20 AM By Anonymous
Description
The FortiGate CLI command 'diag debug application update -1' may return the 'negotiate_proxy_tunnel-Error reading' message when the unit tries to reach the FortiGuard servers through a proxy:
upd_daemon.c[859] upd_daemon-Received update now request
upd_daemon.c[302] do_update-Starting now UPDATE (final try)
upd_cfg.c[49] upd_cfg_get_host_by_name-Failed to gethostbyname for update.fortiguard.net
upd_act.c[653] upd_act_HA_contract_info-Trying FDS 208.91.112.82:443
upd_comm.c[202] tcp_connect_fds-Proxy tunneling enabled to 10.62.0.16:8080
upd_comm.c[117] negotiate_proxy_tunnel-Error reading
A sniffer trace then shows that the Squid proxy denied the FortiGate unit's request and replied with a 403 TCP DENIED error. As a consequence, the FortiGate unit cannot retrieve the FortiGuard services information.
Scope
Solution
Configuration of the FortiGate unit (CLI):
config system autoupdate tunneling
set address 10.62.0.16
set port 8080
set status enable
end
Configuration of the Squid proxy (squid.conf):
acl myfgt src 10.62.0.210
http_access allow myfgt
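A fuller squid.conf fragment, added here as an example and not taken from the article, showing where the two lines above must sit relative to Squid's stock access rules. The FortiGate address 10.62.0.210 is the one used in the article; the SSL_ports, Safe_ports and CONNECT ACLs are the ones shipped in a default squid.conf.

```conf
# Added example: merge into the default squid.conf. Squid evaluates
# http_access rules top-down and stops at the first match, so the rule
# that allows the FortiGate must appear before "http_access deny all".

# Stock Squid ACLs (already present in a default squid.conf)
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

# The FortiGate unit (address taken from the article)
acl myfgt src 10.62.0.210

# The FortiGuard update is a CONNECT tunnel to TCP/443, so port 443 must
# stay in SSL_ports; otherwise the second line below denies the tunnel
# before the allow rule is ever reached.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Allow the FortiGate. If this line were placed after "deny all" it would
# never match and Squid would keep answering the CONNECT with 403 TCP_DENIED.
http_access allow myfgt

http_access deny all
```

After `squid -k reconfigure`, rerunning 'diag debug application update -1' on the FortiGate should show the proxy tunnel negotiation succeeding instead of the 'Error reading' line.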
Copyright 2024 Fortinet, Inc. All Rights Reserved.