Koushik_IND_Banglore
Article Id 394172
Description This article describes why connectivity to FortiGuard can fail when the FortiGate reaches it through a proxy server.
Scope FortiGate.
Solution

When a proxy server is used to reach FortiGuard through the auto-update tunneling settings, the connection may fail.

The proxy server is configured under the auto-update tunneling settings as follows:

 

config system autoupdate tunneling
    set address <proxy_address>
    set password <password>
    set port <proxy_port>
    set status {enable | disable}
    set username <username>
end

Connectivity most often fails because the proxy server does not respond to the TCP connection attempts from the FortiGate.

To diagnose the issue, take a sniffer trace with a host filter for the proxy server IP address. In addition to the sniffer trace, the FortiGuard update daemon debug is also helpful.

Three PuTTY sessions with SSH access to the FortiGate unit are required. Enable session logging in PuTTY so that the outputs are saved.

In PuTTY session #1, start the sniffer trace first, with the host filter set to the proxy server IP:

 

diagnose sniffer packet any 'host <proxy_server_IP>' 6 0 l

A packet capture can also be taken from the GUI; see Using the packet capture tool.

In PuTTY session #2, run the following commands to start the update daemon debug:

diagnose debug reset
diagnose debug application update -1
diagnose debug console timestamp enable
diagnose debug enable

In PuTTY session #3, start the update manually with the following command:

execute update-now

To disable the update daemon debug afterwards (PuTTY session #2 in this example), run:

diagnose debug disable

If the update fails through the proxy server, log lines like the following appear in the update daemon debug output:

2025-05-26 11:29:44 upd_comm_connect_fds[457]-Trying FDS 173.243.129.6:443
2025-05-26 11:29:44 tcp_connect_fds[168]-Proxy tunneling enabled to 172.17.0.57:8180 <----- Proxy server IP and Port.
2025-05-26 11:29:44 tcp_connect_fds[235]-Binding to interface 5
2025-05-26 11:30:44 tcp_connect_fds[260]-select() timed out
2025-05-26 11:30:44 upd_comm_connect_fds[472]-Failed TCP connect

The TCP connection most often fails because the proxy server does not respond to the SYN packets sent by the FortiGate. In the sniffer trace below, each SYN is retransmitted with the same sequence number and no SYN/ACK ever comes back from the proxy:

2025-05-29 12:42:17.728879 wan out 192.168.35.2.15716 -> 172.17.0.51.8188: syn 499508116
2025-05-29 12:42:33.768905 wan out 192.168.35.2.15716 -> 172.17.0.51.8188: syn 499508116
2025-05-29 12:43:06.799393 wan out 192.168.35.2.15728 -> 172.17.0.51.8188: syn 3518981479
2025-05-29 12:43:07.798890 wan out 192.168.35.2.15728 -> 172.17.0.51.8188: syn 3518981479

The proxy server must complete the TCP three-way handshake with the FortiGate and then allow the subsequent HTTP CONNECT requests to the FortiGuard servers. If the behaviour above is observed, the issue lies on the proxy server side and should be investigated there.
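As an added example that is not part of this article, the following Python script parses FortiGate sniffer output in the format shown above and reports every FortiGate socket whose SYN towards the proxy was never answered with a SYN/ACK. The sample trace is constructed: it reuses the four lines above and adds a hypothetical healthy proxy at 172.17.0.52:8188 to show the contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the article's sniffer output (verbosity 6):
# two attempts to proxy 172.17.0.51:8188 whose SYNs are retransmitted and never
# answered, plus one attempt to a hypothetical healthy proxy 172.17.0.52:8188.
SAMPLE_TRACE = """\
2025-05-29 12:42:17.728879 wan out 192.168.35.2.15716 -> 172.17.0.51.8188: syn 499508116
2025-05-29 12:42:33.768905 wan out 192.168.35.2.15716 -> 172.17.0.51.8188: syn 499508116
2025-05-29 12:43:06.799393 wan out 192.168.35.2.15728 -> 172.17.0.51.8188: syn 3518981479
2025-05-29 12:43:07.798890 wan out 192.168.35.2.15728 -> 172.17.0.51.8188: syn 3518981479
2025-05-29 12:45:01.000000 wan out 192.168.35.2.15740 -> 172.17.0.52.8188: syn 100
2025-05-29 12:45:01.010000 wan in 172.17.0.52.8188 -> 192.168.35.2.15740: syn 200 ack 101
"""

# One summary line: "<date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags...>"
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

def analyse_proxy_handshake(trace, proxy_ip, proxy_port):
    """Map each FortiGate socket (ip, port) talking to the proxy to the number of
    outbound SYNs seen and whether a SYN/ACK came back from the proxy."""
    flows = defaultdict(lambda: {"syn": 0, "syn_ack": False})
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip hex dumps and anything that is not a summary line
        f = m.groupdict()
        flags = f["rest"].split()
        if (f["dir"] == "out" and f["dst"] == proxy_ip
                and f["dport"] == str(proxy_port) and flags[:1] == ["syn"]
                and "ack" not in flags):
            flows[(f["src"], f["sport"])]["syn"] += 1      # SYN towards the proxy
        elif (f["dir"] == "in" and f["src"] == proxy_ip
                and f["sport"] == str(proxy_port) and "syn" in flags and "ack" in flags):
            flows[(f["dst"], f["dport"])]["syn_ack"] = True  # proxy answered
    return dict(flows)

def unanswered_attempts(trace, proxy_ip, proxy_port):
    """Sockets whose SYN(s) never received a SYN/ACK: the pattern this article
    attributes to the proxy server rather than to the FortiGate."""
    flows = analyse_proxy_handshake(trace, proxy_ip, proxy_port)
    return sorted(sock for sock, st in flows.items() if st["syn"] and not st["syn_ack"])
```

Calling unanswered_attempts(SAMPLE_TRACE, "172.17.0.51", 8188) returns the two FortiGate sockets 15716 and 15728 from the trace above, while the same call for 172.17.0.52 returns an empty list.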