If there is a proxy between FortiGate and FortiGuard, the FortiGate must be configured to go through the proxy as in the following KB article: Technical Tip: How to identify if the FortiGate is using proxy server to receive update from FortiG...

To troubleshoot possible issues, collect the updated process debug output:

diagnose debug application update -1
diagnose debug enable
execute update-now

After collecting the output, to stop the debug processes:

diagnose debug disable
diagnose debug reset

If the output shows the following error, it indicates that the proxy requires the FortiGate to authenticate:

negotiate_proxy_tunnel[138]-tunneling request=[CONNECT 149.5.232.66:443 HTTP/1.0
User-agent: Fortinet/7.02

] response=[HTTP/1.0 407 Proxy authentication required

[Output omitted for brevity]

input[type=date], input[type=email], input[type=number], input[type=password], input[type=search], input[type=tel], input[type=text], input[type=time], input]
2025-08-21 12:59:14 negotiate_proxy_tunnel[126]-Error reading

The proxy requires authentication, but the FortiGate has no username and password configured.
To resolve this, either remove authentication for the FortiGate on the proxy or configure a username and password with the following commands:

config system autoupdate tunneling
   set username <username>
   set password <password>
end

The connection should succeed after taking these steps.

Note:

There are important limitations to consider when connecting to FortiGuard using a proxy. To read about them, see this document: Using a proxy server to connect to the FortiGuard Distribution Network