FortiGate
avargas
Staff
Article Id 198283

Description


This article provides basic troubleshooting steps for when an administrator detects a failure in the update process.

Scope:

FortiGates with FortiGuard antivirus, web filtering, license, and IPS updates.

Solution

 

During the troubleshooting process, an attempt was made to synchronize the unit with FortiGuard using the following debug commands:

 

diag debug application update -1
diag debug enable
exec update-now

 

Note that in the event log, entries indicate that FortiGuard updates were not successful.

 

In the debug, the following messages are shown:

 

**************************Messages**************************

upd_comm.c[430] load_ssl_certificates-Failed loading CA certificate

upd_comm.c[482] ssl_connect_fds-Failed loading SSL certificates

upd_comm.c[620] upd_comm_connect_fds-Failed SSL connect

 

One of the reasons for the failure is that the certificate Fortinet_CA_SSLProxy is not available. To fix this, reinstall FortiOS.
 
After reinstalling FortiOS, FortiGate will be able to reach FortiGuard Services.
 
Additionally, make sure the FortiGuard settings and DNS settings are as follows:

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set update-server-location usa
    set sdns-server-ip "208.91.112.220"
end


In the DNS settings, make sure the protocol is set to cleartext:

config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set protocol cleartext
end

 

After applying the above commands, run the update again. The debug output will show the following:

 

upd_status_save_status[201]-Wrote status file
__upd_act_update[319]-Package installed successfully
upd_comm_disconnect_fds[500]-Disconnecting FDS 208.184.237.67:443
[206] __ssl_data_ctx_free: Done
[1094] ssl_free: Done
[198] __ssl_cert_ctx_free: Done
[1104] ssl_ctx_free: Done
[1085] ssl_disconnect: Shutdown
do_update[684]-UPDATE successful
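
Added example (not part of the original article and not Fortinet tooling): a small Python triage script for saved output of the update debug shown above. It parses the three line shapes that appear in this article and reports the first failure as the likely cause. The sample text is constructed from the excerpts quoted here, and the function names, report keys and cause labels are assumptions of this example.

```python
import re

# Constructed samples: the failing and successful excerpts quoted in this article.
FAILED_RUN = """\
upd_comm.c[430] load_ssl_certificates-Failed loading CA certificate
upd_comm.c[482] ssl_connect_fds-Failed loading SSL certificates
upd_comm.c[620] upd_comm_connect_fds-Failed SSL connect
"""
GOOD_RUN = """\
upd_status_save_status[201]-Wrote status file
__upd_act_update[319]-Package installed successfully
upd_comm_disconnect_fds[500]-Disconnecting FDS 208.184.237.67:443
[1085] ssl_disconnect: Shutdown
do_update[684]-UPDATE successful
"""

# Line shapes seen in the article's output:
#   file.c[line] func-message | func[line]-message | [line] func: message
LINE_PATTERNS = [
    re.compile(r"^(?P<src>\S+\.c)\[(?P<line>\d+)\]\s+(?P<func>\w+)-(?P<msg>.*)$"),
    re.compile(r"^(?P<func>\w+)\[(?P<line>\d+)\]-(?P<msg>.*)$"),
    re.compile(r"^\[(?P<line>\d+)\]\s+(?P<func>\w+):\s*(?P<msg>.*)$"),
]

def parse_line(text):
    """Return the parsed fields of one debug line, or None if it is not one."""
    for pattern in LINE_PATTERNS:
        match = pattern.match(text.strip())
        if match:
            return match.groupdict()
    return None

def triage(debug_output):
    """Summarise a captured update debug session."""
    report = {"outcome": "unknown", "first_failure": None, "cause": None, "fds_peers": []}
    for event in filter(None, map(parse_line, debug_output.splitlines())):
        msg = event["msg"]
        if msg.startswith("Disconnecting FDS"):
            report["fds_peers"].append(msg.split()[-1])
        elif msg.startswith("Failed") and report["first_failure"] is None:
            # Assumption of this example: the first failure is the cause and
            # the "Failed" lines after it are consequences of it.
            report["outcome"] = "failed"
            report["first_failure"] = f'{event["func"]}:{event["line"]}'
            report["cause"] = "ca_certificate" if "CA certificate" in msg else "other"
        elif msg == "UPDATE successful" and report["outcome"] != "failed":
            report["outcome"] = "success"
    return report
```

Run triage() on the text captured from the console session; a "ca_certificate" cause corresponds to the certificate failure described in this article.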
