
FortiGate Explicit Proxy Issue with FQDN Resolution to IPv6 (FortiOS 7.4.7)

We recently encountered a perplexing issue with the explicit proxy configuration on our FortiGate 121G running FortiOS 7.4.7, specifically when using an FQDN to resolve an upstream proxy. I’m sharing our findings and Fortinet TAC’s response to help others who might face similar challenges.

Issue Overview

In our setup, we configured the explicit proxy to use an FQDN for the upstream proxy. However, the proxy chain intermittently fails, with the proxy status showing as “down.” After extensive troubleshooting, including log retrieval and packet captures, we pinpointed the issue: the FortiGate queries both A and AAAA DNS records for the FQDN and selects the first response received. Often, this is an IPv6 (AAAA) address. Since our environment lacks IPv6 configuration, the FortiGate attempts to connect via IPv6, causing the proxy to fail.

Fortinet TAC Response

We escalated this to Fortinet TAC, and here’s their feedback:

They suggest a potential inconsistency between lab and real-world environments, possibly related to how the FortiGate handles DNS responses or interacts with the upstream squid proxy.

Current Status and Workarounds

We’re still waiting for Fortinet to investigate further, pending analysis of the squid proxy logs. In the meantime, we’ve implemented the following workarounds to maintain connectivity:

  • Use a static IPv4 address: Instead of an FQDN, configure the upstream proxy with a direct IPv4 address to bypass DNS resolution issues.
  • Adjust DNS settings: If possible, prioritize A records in DNS responses or filter out AAAA records to prevent IPv6 resolution.
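The following script is an added example, not part of the original post and not Fortinet or Squid code. It models the two behaviours discussed above so they can be compared side by side: "first DNS response wins" (the observed FortiOS behaviour, which picks up an AAAA record even when the device has no IPv6 path) versus the workaround of preferring A records and dropping AAAA records when IPv6 is not usable. The sample answers, the `Answer` type, and the helper names are all constructed for the example; `host_has_ipv6()` uses a UDP `connect()` to a documentation-prefix address as a cheap route check, which is an assumption about how to detect a configured IPv6 path and not a FortiOS mechanism.

```python
import socket
import sys
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Answer:
    """One DNS answer for the upstream proxy FQDN (constructed type for this example)."""
    rtype: str      # "A" or "AAAA"
    address: str


# Constructed sample: the AAAA reply arrived before the A reply, as observed in the post.
CONSTRUCTED_ANSWERS: List[Answer] = [
    Answer("AAAA", "2001:db8::10"),   # documentation prefix, not a real proxy
    Answer("A", "192.0.2.10"),        # TEST-NET-1, not a real proxy
]


def first_response_wins(answers: List[Answer]) -> Optional[str]:
    """Models the problematic behaviour: use whichever record was received first."""
    return answers[0].address if answers else None


def pick_upstream(answers: List[Answer], ipv6_available: bool) -> Optional[str]:
    """Workaround logic: prefer A records; only fall back to AAAA if IPv6 is actually usable."""
    a_records = [ans.address for ans in answers if ans.rtype == "A"]
    if a_records:
        return a_records[0]
    if ipv6_available:
        aaaa_records = [ans.address for ans in answers if ans.rtype == "AAAA"]
        if aaaa_records:
            return aaaa_records[0]
    return None  # nothing reachable from this host; surfaces the fault instead of hiding it


def host_has_ipv6() -> bool:
    """Assumed route check: a UDP connect() sends no packets, it only asks the kernel for a route."""
    try:
        sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    except OSError:
        return False
    try:
        sock.connect(("2001:db8::1", 53))
        return True
    except OSError:
        return False
    finally:
        sock.close()


def resolve_both(fqdn: str) -> List[Answer]:
    """Collect A and AAAA answers from the system resolver, in the order it returned them."""
    seen, answers = set(), []
    for family, _, _, _, sockaddr in socket.getaddrinfo(fqdn, None):
        rtype = {socket.AF_INET: "A", socket.AF_INET6: "AAAA"}.get(family)
        if rtype and sockaddr[0] not in seen:
            seen.add(sockaddr[0])
            answers.append(Answer(rtype, sockaddr[0]))
    return answers


def probe_tcp(address: str, port: int, timeout: float = 3.0) -> bool:
    """Try a plain TCP connect to the candidate upstream; True if the handshake completes."""
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((address, port))
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Usage: python proxy_resolve_check.py upstream-proxy.example.com 3128
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 3128
    answers = resolve_both(fqdn)
    ipv6 = host_has_ipv6()
    print(f"answers for {fqdn}: {answers}")
    print(f"first-response-wins would use: {first_response_wins(answers)}")
    chosen = pick_upstream(answers, ipv6)
    print(f"workaround picks: {chosen} (ipv6 available: {ipv6})")
    for ans in answers:
        print(f"  {ans.rtype:4} {ans.address:40} reachable: {probe_tcp(ans.address, port)}")
```

Run it against your own upstream proxy FQDN and port: the per-record reachability lines show directly whether the AAAA candidate is the one failing, which is the same conclusion the packet captures in the post led to, without needing a capture.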

Next Steps

We’ll continue working with TAC to identify whether this is a FortiOS bug or a configuration-specific issue. If you’re experiencing similar problems, consider checking your DNS resolution behavior and upstream proxy logs. Here are some questions for the community:

  • Have you seen this issue on FortiOS 7.4.7 or other versions?
  • Are there specific squid proxy configurations that mitigate this behavior?
  • Any updates from Fortinet on a potential fix?
