FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
fropert_FTNT
Staff
Article Id 194392

Description

The FortiGate CLI command 'diag debug application update -1' may show output ending in the 'negotiate_proxy_tunnel-Error reading' message when the unit tries to reach the FortiGuard servers through a web proxy:

upd_daemon.c[859] upd_daemon-Received update now request
upd_daemon.c[302] do_update-Starting now UPDATE (final try)
upd_cfg.c[49] upd_cfg_get_host_by_name-Failed to gethostbyname for update.fortiguard.net
upd_act.c[653] upd_act_HA_contract_info-Trying FDS 208.91.112.82:443
upd_comm.c[202] tcp_connect_fds-Proxy tunneling enabled to 10.62.0.16:8080
upd_comm.c[117] negotiate_proxy_tunnel-Error reading

A sniffer trace then shows that the Squid proxy denied the FortiGate unit's request and replied with a 403 TCP DENIED message. As a consequence, the FortiGate unit cannot retrieve the FortiGuard services information.

This article provides a solution for situations where the downstream FortiGate unit must be able to reach FortiGuard services that are accessible only through the Squid proxy.
 
Here is a sample network diagram:
 
(network diagram image: fropert_FD34499_kb-squid.jpg)
 
 


Scope

FortiOS firmware version 4.00 MR2
FortiOS firmware version 4.00 MR3
FortiOS firmware version 5.0.x
 


Solution

Configuration of the FortiGate unit (CLI), pointing the update daemon at the proxy address and port seen in the debug output:

config system autoupdate tunneling
    set address 10.62.0.16
    set port 8080
    set status enable
end


Configuration of the Squid proxy (squid.conf):

# Source address of the FortiGate unit
acl myfgt src 10.62.0.210
# http_access lines are evaluated in order: this allow must come before the final 'http_access deny all'
http_access allow myfgt
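To check that the new allow line actually takes effect for the FortiGate's CONNECT tunnel to an FDS server on port 443, here is an added example (not Fortinet's or Squid's own code) that evaluates a squid.conf excerpt with Squid's first-match http_access semantics; it supports only src, port and method ACLs with '!' negation, and the configuration text is constructed from Squid's usual default rules plus the two lines above.

```python
import ipaddress

# Constructed squid.conf excerpt (an assumption): Squid's usual default rules plus
# the two lines this article adds for the FortiGate unit.
SQUID_CONF = """\
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl myfgt src 10.62.0.210
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow myfgt
http_access deny all
"""

def parse_squid_conf(text):
    """Collect acl definitions (src/port/method only) and http_access lines, in order."""
    acls, rules = {"all": [("all", [])]}, []  # 'all' is a builtin ACL in Squid
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl":
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    """True if any definition line of the named ACL matches the request."""
    src = ipaddress.ip_address(req["src"])
    for kind, values in acls.get(name, []):
        if kind == "all":
            return True
        if kind == "src" and any(src in ipaddress.ip_network(v, strict=False) for v in values):
            return True
        if kind == "port" and str(req["port"]) in values:
            return True
        if kind == "method" and req["method"] in values:
            return True
    return False

def evaluate(text, src, port, method="CONNECT"):
    """First http_access line whose terms all match decides; if none matches, the opposite of the last line's action applies (Squid semantics)."""
    acls, rules = parse_squid_conf(text)
    req = {"src": src, "port": port, "method": method}
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"

print(evaluate(SQUID_CONF, "10.62.0.210", 443))  # the FortiGate's CONNECT to FDS on 443 -> allow
```

Moving the allow line below 'http_access deny all' makes evaluate() return "deny" for the same request, which is the misordering that produces the 403 seen in the sniffer trace.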

 

Contributors