FortiGate
duenlim
Staff
Article Id 271723
Description This article describes a scenario where FortiGuard updates have been configured to go through an explicit proxy as per this article, but web filtering and rating do not update.
Scope FortiGate or FortiProxy.
Solution

Use the following command to contact the FortiGuard server for IPS/AV database updates:

 

config system autoupdate tunneling
    set proxy-server-ip "10.176.2.168" <-- Proxy IP.
    set proxy-server-port 8080 <-- Proxy Port.
end

 

Note: In FortiOS 7.6.3 and above, the 'config system autoupdate tunneling' command has been removed and replaced with 'config system fortiguard'. See the FortiOS 7.6.3 Release notes for details. 

 

config system fortiguard

    set proxy-server-ip <proxy_address>

    set proxy-server-port <proxy_port>

    set proxy-username <username>

    set proxy-password <password>

end

 

For web-filter rating lookups to work when traffic hits a firewall policy with a web filter profile turned on, it is also necessary to configure the proxy under 'config system fortiguard':

 

config system fortiguard

    set fortiguard-anycast disable

    set protocol https

    set port 443

    set source-ip 0.0.0.0

    set source-ip6 ::

    set proxy-server-ip "10.176.2.168" <----- Proxy IP.

    set proxy-server-port 8080 <----- Proxy Port.

    set proxy-username ''

    set proxy-password

end

 

Note: In the above configuration, the explicit proxy is 10.176.2.168:8080. It is necessary to configure the proxy IP and port under 'config system fortiguard'. The FortiGate must first resolve the web-filter service to an IP address using its own DNS configuration, and only then does it initiate the traffic through the explicit proxy.

 

Note: 'HA reserved Management Interface' will not work.
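
A check for the situation this article describes, added here as an example and not Fortinet tooling: the Python below parses CLI text pasted from the device and reports where 'config system fortiguard' differs from the article's web-filter example. The function names and sample text are constructed for illustration; the setting names and values are the ones shown above.

```python
# Values the article's web-filter example sets under 'config system fortiguard'.
EXPECTED = {"fortiguard-anycast": "disable", "protocol": "https", "port": "443"}

def parse_blocks(text):
    """Return {block name: {key: value}} for top-level 'config ... end' blocks."""
    blocks, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("<--")[0].strip()  # drop the article's arrow annotations
        if line.startswith("config "):
            if depth == 0:
                current = blocks.setdefault(line[len("config "):].strip(), {})
            depth += 1
        elif line == "end" and depth > 0:
            depth -= 1
        elif depth == 1 and line.startswith("set "):
            parts = line.split(None, 2)
            # A 'set' with no value (e.g. an empty password) is stored as "".
            current[parts[1]] = parts[2].strip("\"'") if len(parts) > 2 else ""
    return blocks

def audit(text):
    """List the ways 'config system fortiguard' differs from the article's example."""
    blocks = parse_blocks(text)
    fg = blocks.get("system fortiguard", {})
    findings = []
    for key in ("proxy-server-ip", "proxy-server-port"):
        if not fg.get(key):
            findings.append(f"system fortiguard: {key} is not set")
    if findings and blocks.get("system autoupdate tunneling"):
        findings.append("proxy is defined only under system autoupdate tunneling")
    for key, want in EXPECTED.items():
        if fg.get(key) != want:
            findings.append(f"system fortiguard: {key} is {fg.get(key)!r}, example uses {want!r}")
    return findings

# Constructed sample inputs built from the article's own example values.
TUNNELING_ONLY = """
config system autoupdate tunneling
    set proxy-server-ip "10.176.2.168" <-- Proxy IP.
    set proxy-server-port 8080 <-- Proxy Port.
end
"""
WITH_FORTIGUARD = TUNNELING_ONLY + """
config system fortiguard
    set fortiguard-anycast disable
    set protocol https
    set port 443
    set proxy-server-ip "10.176.2.168" <----- Proxy IP.
    set proxy-server-port 8080 <----- Proxy Port.
end
"""
```

Run `audit()` on the output of 'show full-configuration system fortiguard' so that default values are present; a plain 'show' omits defaults, and they would be reported as differences.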