I recently encountered an issue with the proxy chain function on a FortiGate 121G running FortiOS 7.4.7, and I wanted to share my findings in case others are facing similar problems.
Issue Description:
When configuring an upstream proxy using an FQDN in the proxy chain, the function intermittently fails. After extensive troubleshooting, including log retrieval and packet captures, we identified the root cause: the FortiGate device queries both A and AAAA DNS records for the FQDN. It then selects the response that arrives first—often the IPv6 (AAAA) address. However, since our setup does not have IPv6 configured, the device attempts to use the IPv6 address, resulting in connectivity failure.
Current Status:
We’ve reported this to Fortinet and are awaiting their investigation or a potential fix. In the meantime, we’ve had to implement workarounds to ensure stable operation.
Workaround:
- Explicitly configure the upstream proxy using an IPv4 address instead of an FQDN to bypass the A/AAAA record issue.
- Alternatively, ensure DNS responses prioritize A records or disable IPv6 DNS queries if possible in your environment.
Has anyone else encountered this issue on FortiOS 7.4.7 or other versions? Any insights or updates from Fortinet would be greatly appreciated. Let’s keep this thread updated with any new findings or solutions!
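To make the failure mode concrete, here is an added example (not from the original post, nor Fortinet code) that models the selection behaviour described above: it compares a "first DNS answer wins" pick against a family-aware pick that discards AAAA answers when IPv6 is not configured, and includes an IPv4-only resolver helper for the pin-the-address workaround. The DNS answers and arrival times are constructed sample data; the FortiGate's real resolver internals are assumed, not known.

```python
"""Model of upstream-proxy address selection for an FQDN proxy-chain target."""
import ipaddress
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    rtype: str        # "A" or "AAAA"
    address: str
    arrival_ms: int   # constructed: when this answer reached the resolver


def first_response_wins(answers):
    """Selection as observed on the device: whichever answer arrives first is used,
    regardless of whether the unit can actually reach that address family."""
    return min(answers, key=lambda a: a.arrival_ms).address


def family_aware_select(answers, ipv6_enabled):
    """Hardened selection: drop answers whose address family is unusable on this
    device, then take the earliest remaining one. Returns None if nothing fits."""
    usable = [a for a in answers
              if ipv6_enabled or ipaddress.ip_address(a.address).version != 6]
    if not usable:
        return None
    return min(usable, key=lambda a: a.arrival_ms).address


def check_proxy_target(answers, ipv6_enabled):
    """Pre-deployment check: flag an FQDN target whose naive pick differs from the
    family-aware pick. Returns (at_risk, naive_choice, safe_choice)."""
    naive = first_response_wins(answers)
    safe = family_aware_select(answers, ipv6_enabled)
    return naive != safe, naive, safe


def resolve_ipv4_only(fqdn, port=3128):
    """Workaround helper: resolve the proxy FQDN to IPv4 addresses only (A records),
    so the address can be configured statically. Needs network access."""
    infos = socket.getaddrinfo(fqdn, port, family=socket.AF_INET, type=socket.SOCK_STREAM)
    return sorted({sockaddr[0] for _, _, _, _, sockaddr in infos})


# Constructed sample: the AAAA answer lands 3 ms before the A answer, IPv6 unconfigured.
SAMPLE_ANSWERS = [
    DnsAnswer("A", "192.0.2.10", arrival_ms=12),
    DnsAnswer("AAAA", "2001:db8::10", arrival_ms=9),
]

if __name__ == "__main__":
    at_risk, naive, safe = check_proxy_target(SAMPLE_ANSWERS, ipv6_enabled=False)
    print(f"naive pick: {naive}  family-aware pick: {safe}  at risk: {at_risk}")
```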