FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 198283


This article provides some basic troubleshooting steps when an administrator detects a failure on an update process.


FortiGates with FortiGuard anti virus, web filtering, Licenses and IPS updates.



During the troubleshooting process, an attempt was made to synchronize the unit with FortiGuard using the following debug flow:


diag debug application update -1
diag debug enable
exec update-now


Note that in the event log, entries indicate that FortiGuard updates were not successful.


In the debug, the following messages are shown:



upd_comm.c[430] load_ssl_certificates-Failed loading CA certificate

upd_comm.c[482] ssl_connect_fds-Failed loading SSL certificates

upd_comm.c[620] upd_comm_connect_fds-Failed SSL connect


One of the reasons for the failure is that the certificate Fortinet_CA_SSLProxy is not available. To fix this, reinstall FortiOS.
After reinstalling FortiOS, FortiGate will be able to reach FortiGuard Services.
Additionally, make sure the FortiGuard settings and DNS settings are as follows:

config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
set update-server-location usa
set sdns-server-ip ""

In the DNS setting make sure you use the protocol cleartext.


config system dns

set primary

set secondary

set protocol cleartext



After the above commands run the update again and you will see the following debug:


upd_status_save_status[201]-Wrote status file
__upd_act_update[319]-Package installed successfully
upd_comm_disconnect_fds[500]-Disconnecting FDS
[206] __ssl_data_ctx_free: Done
[1094] ssl_free: Done
[198] __ssl_cert_ctx_free: Done
[1104] ssl_ctx_free: Done
[1085] ssl_disconnect: Shutdown
do_update[684]-UPDATE successful

Related articles: