Dhruvin_patel
Article Id 382624
Description This article explains the debug logs that show the FortiGate is receiving FortiGuard updates through a configured proxy server.
Scope FortiGate.
Solution

To configure the FortiGate to receive FortiGuard updates through a proxy server, follow the document: Using a proxy server to connect to the FortiGuard Distribution Network 

 

In this example, the following configuration is used on the FortiGate:

 

config system autoupdate tunneling
   set status enable
   set address "192.168.9.1"
   set port 8443
end

 

192.168.9.1 is the proxy server IP and port 8443 is the listening port on the proxy server.

 

To view the FortiGuard update debug logs, run the following commands.

 

diagnose debug application update -1

diagnose debug console time enable

diagnose debug enable

execute update-now

 

To stop the debug output when finished, press 'Ctrl+C' and enter 'diagnose debug disable'.

 

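If the output shows 'Proxy tunneling enabled', the FortiGate is configured to receive updates through the proxy server. In the sample below, the proxy answers the FortiGate's CONNECT request with 'HTTP/1.1 200 Connection established'.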

 

2025-03-16 13:34:36 tcp_connect_fds[168]-Proxy tunneling enabled to 192.168.9.1:8443
2025-03-16 13:34:36 negotiate_proxy_tunnel[138]-tunneling request=[CONNECT usupdate.fortinet.net:443 HTTP/1.1
User-agent: Fortinet/7.06

] response=[HTTP/1.1 200 Connection established
Proxy-Agent: Fortinet-Proxy/1.0


]

 

If FortiGuard shows as unreachable in the GUI in this setup, the debug shows the following output:

 

2025-03-16 13:47:28 tcp_connect_fds[168]-Proxy tunneling enabled to 192.168.9.1:8443
2025-03-16 13:47:31 tcp_connect_fds[269]-Failed connecting after sock writable
2025-03-16 13:47:31 upd_comm_connect_fds[472]-Failed TCP connect

 

Check the proxy server settings and make sure the proxy server is allowed to reach the FortiGuard server.
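
The two debug outputs above can be told apart automatically when reviewing saved captures. The following Python is an added example, not part of the original article or any Fortinet tooling; the function name `classify_update_debug`, the verdict strings, and the handling of non-2xx proxy replies are assumptions, while the two sample captures are copied from the outputs shown above.

```python
import re

# Patterns match the 'diagnose debug application update -1' lines quoted in this article.
TUNNEL_RE = re.compile(r"tcp_connect_fds\[\d+\]-Proxy tunneling enabled to (\S+):(\d+)")
CONNECT_RE = re.compile(r"tunneling request=\[CONNECT (\S+) HTTP/\d\.\d")
RESPONSE_RE = re.compile(r"response=\[HTTP/\d\.\d (\d{3})")
FAIL_RE = re.compile(r"Failed connecting after sock writable|Failed TCP connect")

# Sample captures copied from the article's two debug outputs.
OK_SAMPLE = """\
2025-03-16 13:34:36 tcp_connect_fds[168]-Proxy tunneling enabled to 192.168.9.1:8443
2025-03-16 13:34:36 negotiate_proxy_tunnel[138]-tunneling request=[CONNECT usupdate.fortinet.net:443 HTTP/1.1
User-agent: Fortinet/7.06

] response=[HTTP/1.1 200 Connection established
Proxy-Agent: Fortinet-Proxy/1.0


]
"""
FAIL_SAMPLE = """\
2025-03-16 13:47:28 tcp_connect_fds[168]-Proxy tunneling enabled to 192.168.9.1:8443
2025-03-16 13:47:31 tcp_connect_fds[269]-Failed connecting after sock writable
2025-03-16 13:47:31 upd_comm_connect_fds[472]-Failed TCP connect
"""


def classify_update_debug(text):
    """Summarise one 'execute update-now' debug capture (hypothetical helper)."""
    out = {"proxy": None, "target": None, "status": None, "verdict": "no-tunneling-line"}
    tunnel = TUNNEL_RE.search(text)
    if not tunnel:
        return out  # 'Proxy tunneling enabled' was never logged
    out["proxy"] = f"{tunnel.group(1)}:{tunnel.group(2)}"
    connect = CONNECT_RE.search(text)
    response = RESPONSE_RE.search(text)
    out["target"] = connect.group(1) if connect else None
    if response:
        out["status"] = int(response.group(1))
        # A 2xx reply to CONNECT means the proxy opened the tunnel. Other codes
        # are an assumption here: the article only shows the 200 case.
        ok = 200 <= out["status"] < 300
        out["verdict"] = "tunnel-established" if ok else "proxy-rejected-connect"
    elif FAIL_RE.search(text):
        # Article's advice for this case: check the proxy and its path to FortiGuard.
        out["verdict"] = "tcp-connect-failed"
    else:
        out["verdict"] = "incomplete-capture"
    return out
```

Calling `classify_update_debug(OK_SAMPLE)` reports the proxy address, the CONNECT target and the proxy's status code, which makes it easy to confirm across many captures that updates use the intended proxy and destination.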

 

To disable FortiOS from using a proxy server for FortiGuard updates:

 

config system autoupdate tunneling
   set status disable
end