FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Dongfang_Li_FTNT
Article Id 335943
Description

This article describes how to resolve an issue where the FortiGate GUI shows a FortiGuard update failed.

 

To troubleshoot the issue, the FortiGate administrator runs the following 'update' debug:

 

diagnose debug reset

diagnose debug application update -1

exec update-now

diagnose debug enable

 

To disable debugs:

 

diagnose debug disable

 

The logs show the update failed because of a certificate error:

 

Cert error…… Self-signed certificate in certificate chain……

SSL_Connect fails, …… certificate verify failed.

 

FortiGuard-5.png

 

The network setup is as follows:

 

  • FortiGate – the third-party firewall - ISP.
Scope FortiOS v7.0 or later.
Solution

In the upstream, there is a third-party firewall enabling SSL deep inspection, which causes the FortiGuard update certificate error. The solution is to add an exemption in the upstream firewall for FortiGuard FQDN.

 

The FQDN for FortiGuard traffic can be found in the following documents.

 

After making this change, run the following commands:

 

diagnose debug reset

diagnose debug application update -1

exec update-now

diagnose debug enable

 

Now, the certificate warning should be gone, and FortiGate should be able to communicate with the FortiGuard server.

 

To disable the debug processes above, run the following command:

     

     diagnose debug disable

 

Related articles: