FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 189678



This article explains troubleshooting steps for cases where FortiGate cannot connect to FortiGuard servers and does not have direct access to the internet.




FortiGate v5.4, v5.6, v6.0, v6.2, v6.4.



First, troubleshoot the connection with a debug log:


# diag debug application update -1
# diag debug enable
# exec update-now


Note the following output:


[357] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
__upd_peer_vfy[331]-Server certificate failed verification. Error: 20 (unable to get local issuer certificate), depth: 0, subject: .
[967] ssl_connect: SSL_connect failes: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
ssl_connect_fds[389]-Failed SSL connecting (5,0,Success)


In the packet capture:

The issue is caused by another upstream unit (such as another FortiGate or 3rd party firewall) replacing the certificate of the connection. Because the replacement certificate is unknown to the local FortiGate, the SSL Handshake fails.

If the issue is caused by an upstream FortiGate, configure it to not perform 'deep inspection' of the traffic going to the local FortiGate. Use a similar process if the problem is caused by a 3rd party unit.

Related Articles:

Technical Tip: Unable to load FortiGuard DDNS server list

Technical Tip: Unable to connect to FortiGuard servers

Technical Tip: FortiGuard is not reachable via Anycast default method

Troubleshooting Tip: FortiGuard DDNS IP update fails