FortiGate
vshtaloja
Staff
Article Id 389321
Description This article describes how to handle FortiGuard updates through a proxy failing because the HTTP/1.1 CONNECT request is missing the Host header.
Scope FortiOS v7.2, v7.4.
Solution
  • Configure proxy tunneling for IPS updates.

config system autoupdate tunneling
    set status enable
    set address "10.10.10.50"
    set port 8080
end

  • After configuring, run the debug to verify:

FortiGate (global) # diagnose debug application update -1
Debug messages will be on for 30 minutes.

FortiGate (global) # diagnose debug enable

FortiGate (global) # execute update-now

FortiGate (global) # eupd_fds_load_default_server[939]-Resolve and add fds globalupdate.fortinet.net ip address failed.

SGLSFW07 (global) # upd_fds_load_default_server6[1046]-Resolve and add fds globalupdate.fortinet.net ipv6 address failed.
upd_comm_connect_fds[457]-Trying FDS globalupdate.fortinet.net:443
tcp_connect_fds[168]-Proxy tunneling enabled to 10.10.10.50:8080
negotiate_proxy_tunnel[138]-tunneling request=[CONNECT globalupdate.fortinet.net:443 HTTP/1.1
User-agent: Fortinet/7.04

] response=[HTTP/1.1 400 Bad Request
x-panw-pxtxid: dc17c200-a20d-48f0-a6fb-68f3d4a45d10.3b76b7a3-1890-4344-bf57-082db47a4822
date: Thu, 20 Feb 2025 10:49:12 GMT
via: 166ba57b9f9c30b.europe-west2-c/panwepx
connection: close
content-length: 0

The Wireshark analysis confirms that the CONNECT request FortiGate sends to the web proxy for FortiGuard updates is missing the HTTP/1.1 Host header, which causes the update failures.

When proxy tunneling is enabled, debug logs should display a CONNECT request containing the correct Host header.

If a 400 Bad Request or similar error appears, it indicates that the proxy is rejecting the request due to the missing header; enabling tunneling ensures the header is properly included.

Hypertext Transfer Protocol
    CONNECT globalupdate.fortinet.net:443 HTTP/1.1\r\n
        Request Method: CONNECT
        Request URI: globalupdate.fortinet.net:443
        Request Version: HTTP/1.1
    User-agent: Fortinet/7.04\r\n
    \r\n

The issue has been identified and fixed in v7.4.8.
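
To check a saved copy of the update debug output for this condition, the following added example (not part of the original article and not Fortinet code) extracts the CONNECT exchange logged by negotiate_proxy_tunnel and reports whether the Host header is present and how the proxy answered. The function names and the trimmed sample text are constructed for illustration.

```python
import re

# Constructed sample: the tunneling lines from the debug output in this article.
SAMPLE_DEBUG = """\
upd_comm_connect_fds[457]-Trying FDS globalupdate.fortinet.net:443
tcp_connect_fds[168]-Proxy tunneling enabled to 10.10.10.50:8080
negotiate_proxy_tunnel[138]-tunneling request=[CONNECT globalupdate.fortinet.net:443 HTTP/1.1
User-agent: Fortinet/7.04

] response=[HTTP/1.1 400 Bad Request
connection: close
content-length: 0
"""

# The debug line carries the raw CONNECT request and the proxy's reply in brackets.
TUNNEL_RE = re.compile(
    r"tunneling request=\[CONNECT (?P<target>\S+) (?P<version>HTTP/\d\.\d)"
    r"(?P<headers>.*?)\] response=\[HTTP/\d\.\d (?P<status>\d{3})",
    re.DOTALL,
)

def parse_headers(block):
    """Return {lowercased header name: value}; lines without a colon are skipped."""
    headers = {}
    for line in block.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_tunnel(debug_text):
    """Summarize the logged CONNECT exchange, or return None if none is logged."""
    m = TUNNEL_RE.search(debug_text)
    if m is None:
        return None
    has_host = "host" in parse_headers(m.group("headers"))
    status = int(m.group("status"))
    return {
        "target": m.group("target"),
        "has_host": has_host,
        "status": status,
        # HTTP/1.1 requires Host on every request, CONNECT included;
        # a 400 reply to a Host-less request is the failure described here.
        "missing_host_rejected": (
            m.group("version") == "HTTP/1.1" and not has_host and status == 400
        ),
    }

if __name__ == "__main__":
    print(check_tunnel(SAMPLE_DEBUG))
```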