• When the FortiGuard default servers are used for the license update or the database update, it is used FortiManager as the FDS server.
• So there are two ways in case the FortiManager is failing to update then it can be updated by the FortiGuard Default server in the settings enabled in central management.

CLI config:

FortiGate-100F # show system central-management
    config system central-management
        set type fortimanager
        set fmg "172.x.x.x"
            config server-list
                edit 1
                    set server-type update rating
                    set server-address 172.x.x.x
                next
            end
        set fmg-update-port 443
        set include-default-servers disable    -> by default this is enabled.
end

• When the include-default-servers is disabled then FortiGate has to get updates only from the FortiManager.
• By default, the enc-algorithm is set to high for normal licenses, but for the LENC FortiGate license, it is set to low.
• So when the FortiGate tries to communicate with the FortiManager it tries low encryption like sslv3/TLS1.0.

As in the FortiManager,  the default enc-algorithm is set to high and also TLS version is high under the config fmupdate fds-setting in FortiManager.

Debugs when FortiGate with LENC and FortiManager with default settings (SSL handshake fails).

FortiGate-100F # diagnose debug application update -1
Debug messages will be on for 30 minutes.

FortiGate-100F # diagnose debug enable

FortiGate-100F # execute update-now

FortiGate-100F # upd_daemon[1782]-Received update now request
upd_daemon[1508]-Found cached action=00000002
do_update[492]-Starting now UPDATE (final try)
upd_comm_connect_fds[458]-Trying FMG 172.x.x.x:443
[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[755] ssl_ctx_create_new_ex: SSL CTX is created
[782] ssl_new: SSL object is created
[1001] ssl_connect: SSL_connect failes: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
ssl_connect_fds[392]-Failed SSL connecting (6,0,TLS/SSL connection has been closed)
[203] __ssl_data_ctx_free: Done
[1046] ssl_free: Done
[195] __ssl_cert_ctx_free: Done
[1056] ssl_ctx_free: Done
upd_comm_connect_fds[476]-Failed SSL connect
do_update[504]-UPDATE failed
upd_fds_create_list[1159]-trying remote fds without default FortiGuard servers
mgmt_vd_change_notif[39]-Detected tz change 4->84
upd_daemon[1759]-Received setup request
upd_daemon[1508]-Found cached action=00000001
do_setup[343]-Starting SETUP
upd_comm_connect_fds[458]-Trying FMG 172.x.x.x.:443
[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[755] ssl_ctx_create_new_ex: SSL CTX is created
[782] ssl_new: SSL object is created
[1001] ssl_connect: SSL_connect failes: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
ssl_connect_fds[392]-Failed SSL connecting (6,0,TLS/SSL connection has been closed)
[203] __ssl_data_ctx_free: Done
[1046] ssl_free: Done
[195] __ssl_cert_ctx_free: Done
[1056] ssl_ctx_free: Done
upd_comm_connect_fds[476]-Failed SSL connect
do_setup[355]-Failed setup

In the above debugs it is possible to see that the SSL handshake is failing and getting a Fatal alert for the protocol version from FortiManager in the Wireshark.

Where: 172.X.X.4 is the FortiGate IP and 172.X.X.6 is the FortiManager IP.

So on verifying the setting in the FortiManager under config fmupdate fds-setting check the TLS version FortiManager is accepting for the downstream FortiGate devices.

In FortiManager there are 2 places to set the TLS version do not change the admin setting to access the GUI: