FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 189678



This article explains troubleshooting steps for cases where FortiGate cannot connect to FortiGuard servers and does not have direct access to the internet.




FortiGate v5.4, v5.6, v6.0, v6.2, v6.4.



First, troubleshoot the connection with a debug log:


# diag debug application update -1
# diag debug enable
# exec update-now


Note the following output:


[357] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
__upd_peer_vfy[331]-Server certificate failed verification. Error: 20 (unable to get local issuer certificate), depth: 0, subject: .
[967] ssl_connect: SSL_connect failes: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
ssl_connect_fds[389]-Failed SSL connecting (5,0,Success)


In the packet capture:

The issue is caused by another upstream unit (such as another FortiGate or 3rd party firewall) replacing the certificate of the connection. Because the replacement certificate is unknown to the local FortiGate, the SSL Handshake fails.

If the issue is caused by an upstream FortiGate, configure it to not perform a 'deep inspection' of the traffic going to the local FortiGate. Use a similar process if the problem is caused by a 3rd party unit.

- if you verify that there is no upstream unit or any device that is doing the inspection and still experiencing the issue. This might be happening because the certificate bundle is missing some Public certificates. 

2023-08-29 13_15_54-Clipboard.png


  • It is possible to try to change the Fortiguard Port to 8888 and the protocol to UDP. This can only be done after disabling the anycast. Use the following commands 


config system fortiguard

   set fortiguard-anycast disable

   set port 8888

   set protocol udp



  •  The TLS negotiation should be successful after that. 


Related Articles:

Technical Tip: Unable to load FortiGuard DDNS server list

Technical Tip: Unable to connect to FortiGuard servers

Technical Tip: FortiGuard is not reachable via Anycast default method

Troubleshooting Tip: FortiGuard DDNS IP update fails