FortiGate
vshtaloja
Staff
Article Id 389321
Description This article describes how to handle FortiGuard updates that fail through a web proxy because the Host header is missing from the FortiGate's HTTP/1.1 request.
Scope FortiOS v7.2, FortiOS v7.4.
Solution

Configure proxy tunneling for IPS updates.

 

config system autoupdate tunneling
    set status enable
    set address "10.10.10.50"
    set port 8080
end

 

FortiGate (global) # diagnose debug application update -1
Debug messages will be on for 30 minutes.

FortiGate (global) # diagnose debug enable

FortiGate (global) # execute update-now

FortiGate (global) # eupd_fds_load_default_server[939]-Resolve and add fds globalupdate.fortinet.net ip address failed.

SGLSFW07 (global) # upd_fds_load_default_server6[1046]-Resolve and add fds globalupdate.fortinet.net ipv6 address failed.
upd_comm_connect_fds[457]-Trying FDS globalupdate.fortinet.net:443
tcp_connect_fds[168]-Proxy tunneling enabled to 10.10.10.50:8080
negotiate_proxy_tunnel[138]-tunneling request=[CONNECT globalupdate.fortinet.net:443 HTTP/1.1
User-agent: Fortinet/7.04

] response=[HTTP/1.1 400 Bad Request
x-panw-pxtxid: dc17c200-a20d-48f0-a6fb-68f3d4a45d10.3b76b7a3-1890-4344-bf57-082db47a4822
date: Thu, 20 Feb 2025 10:49:12 GMT
via: 166ba57b9f9c30b.europe-west2-c/panwepx
connection: close
content-length: 0

 

The converted Wireshark analysis shows that the HTTP/1.1 Host header is absent from the CONNECT request that the FortiGate sends to the web proxy for FortiGuard updates:

Hypertext Transfer Protocol
CONNECT globalupdate.fortinet.net:443 HTTP/1.1\r\n
Request Method: CONNECT
Request URI: globalupdate.fortinet.net:443
Request Version: HTTP/1.1
User-agent: Fortinet/7.04\r\n
\r\n

 

The issue has been identified and fixed in FortiOS v7.4.8.
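To check saved update debug output for this condition, the following added example (not Fortinet code; the function names are hypothetical) parses the negotiate_proxy_tunnel entry and flags an HTTP/1.1 CONNECT request that carries no Host header, together with the proxy's status code. The sample text is copied from the debug output above with the response headers trimmed.

```python
import re

# Excerpt of the debug output shown in this article (response headers trimmed).
SAMPLE = """\
tcp_connect_fds[168]-Proxy tunneling enabled to 10.10.10.50:8080
negotiate_proxy_tunnel[138]-tunneling request=[CONNECT globalupdate.fortinet.net:443 HTTP/1.1
User-agent: Fortinet/7.04

] response=[HTTP/1.1 400 Bad Request
content-length: 0
"""

# Captures the raw CONNECT request and the status line of the proxy's reply.
TUNNEL_RE = re.compile(
    r"negotiate_proxy_tunnel\[\d+\]-tunneling request=\[(?P<req>.*?)\n\]\s*"
    r"response=\[(?P<status>HTTP/\d\.\d \d{3}[^\r\n]*)",
    re.DOTALL,
)

def parse_request(raw):
    """Split a raw HTTP request into (method, target, version, headers)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers

def check_tunnel_debug(text):
    """Return one finding per proxy CONNECT attempt found in the debug text."""
    findings = []
    for m in TUNNEL_RE.finditer(text):
        _, target, version, headers = parse_request(m.group("req"))
        findings.append({
            "target": target,
            "version": version.strip(),
            "status": int(m.group("status").split()[1]),
            # HTTP/1.1 requests must carry a Host header; HTTP/1.0 has no such rule.
            "missing_host": version.strip() == "HTTP/1.1" and "host" not in headers,
        })
    return findings

if __name__ == "__main__":
    for finding in check_tunnel_debug(SAMPLE):
        print(finding)
```
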