kyoneda1
Staff
Article Id 383565
Description This article describes best practices for configuring routing with FQDN destinations in a local breakout.
Scope FortiGate v7.2.x, v7.4.x, v7.6.x
Solution

When setting up an explicit proxy for a local breakout, FQDN objects are commonly used as the destination for static routes.

However, in this environment, there can be a slight time lag between the expiration of the FQDN cache TTL and the update of the route (RIB/FIB) after the DNS re-query resolves the IP address. This can temporarily cause communication failures.


  1. Best Practice: Using Policy Routes instead of Static Routes is recommended. Policy Routes differ from Static Routes in how they perform route lookups: they can reference the newly resolved addresses before the RIB/FIB has been updated by the FQDN renewal of a static route, so communication succeeds even on the first attempt after the FQDN cache expires. For configuration details on combining Explicit Proxy and Policy Routes, refer to the following KB article: Technical Tip: Creating a Policy Route Using FQDN for Explicit Proxy traffic.

  2. Conditions Prone to Issues When Using Static Routes: This issue is more likely to occur under the following conditions:
  • Using FQDN Objects:
    • The DNS server's cache TTL for the target FQDN is short (less than 60s). The default DNS re-query interval on FortiGate is 60 seconds, so shorter TTLs lead to frequent cache expirations. This is common with CDN services that use GSLB, where the cache TTL is sometimes set as low as 5s.
    • The IP addresses resolved by DNS change frequently. Issues occur when the first A record in a DNS response is not already present in the existing cache. If the DNS re-query resolves the same IP each time, routing uses the route created from the previous cache, with no impact even before the route update.
  • Using Wildcard FQDN Objects:
    • Name resolution is performed by the system DNS rather than learned from client DNS queries. When a Wildcard FQDN is combined with an Explicit proxy, client DNS queries do not pass through FortiGate, so the cache is not updated and is lost every time the cache TTL expires.
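To check whether a particular FQDN meets the conditions listed above before choosing a static route, the following Python script is an added example; it is not part of this article and not a Fortinet tool. It parses several consecutive captures of `dig +noall +answer <name> A` output, reports the lowest TTL against the 60-second re-query interval, and counts responses whose first A record was not in the previously cached answer set. The hostname `example.cdn.test`, the 203.0.113.0/24 addresses and the assumption that the FortiGate cache holds exactly the addresses of the latest answer are constructed for the example.

```python
import re
import sys

# Constructed sample data: three consecutive captures of
#   dig +noall +answer example.cdn.test A
# taken a few seconds apart from a GSLB-style CDN name that publishes a
# 5-second TTL and rotates the first A record. The hostname and the
# 203.0.113.0/24 addresses are documentation values, not a real service.
SAMPLE_CAPTURES = [
    "example.cdn.test.\t5\tIN\tA\t203.0.113.10\n"
    "example.cdn.test.\t5\tIN\tA\t203.0.113.11\n",
    "example.cdn.test.\t5\tIN\tA\t203.0.113.11\n"
    "example.cdn.test.\t5\tIN\tA\t203.0.113.10\n",
    "example.cdn.test.\t5\tIN\tA\t203.0.113.12\n"
    "example.cdn.test.\t5\tIN\tA\t203.0.113.10\n",
]

# One answer line of `dig +noall +answer`: NAME TTL IN A ADDRESS
DIG_A_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<addr>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_dig_answer(text):
    """Return (min_ttl, [addresses in answer order]) for one dig capture.

    Non-A records (CNAME, AAAA) are ignored; an answer without A records raises.
    """
    ttls, addrs = [], []
    for raw in text.splitlines():
        m = DIG_A_LINE.match(raw.strip())
        if m:
            ttls.append(int(m.group("ttl")))
            addrs.append(m.group("addr"))
    if not addrs:
        raise ValueError("no A records in capture")
    return min(ttls), addrs


def assess_static_route_risk(captures, requery_interval=60):
    """Evaluate the two static-route conditions described in the article.

    captures: dig answer texts in the order they were taken.
    requery_interval: FortiGate's default DNS re-query interval in seconds.
    """
    parsed = [parse_dig_answer(c) for c in captures]
    min_ttl = min(ttl for ttl, _ in parsed)

    # Assumption for this example: the FQDN cache holds the addresses of the
    # latest answer. A response whose *first* A record is absent from that
    # cache is the case the article describes as causing a first-attempt failure.
    uncached_first = 0
    cached = set(parsed[0][1])
    for _, addrs in parsed[1:]:
        if addrs[0] not in cached:
            uncached_first += 1
        cached = set(addrs)

    return {
        "min_ttl": min_ttl,
        "short_ttl": min_ttl < requery_interval,
        "first_record_uncached": uncached_first,
        "prone_to_issue": min_ttl < requery_interval and uncached_first > 0,
    }


def split_captures(stream_text):
    """Split piped text into captures separated by blank lines."""
    return [blk for blk in re.split(r"\n\s*\n", stream_text.strip()) if blk.strip()]


if __name__ == "__main__":
    # Run as-is to evaluate the constructed sample, or pipe real captures
    # separated by blank lines, e.g.:
    #   (for i in 1 2 3; do dig +noall +answer host.example A; echo; sleep 5; done) | python3 fqdn_check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    captures = split_captures(text) if text else SAMPLE_CAPTURES
    for key, value in assess_static_route_risk(captures).items():
        print(f"{key}: {value}")
```

A result with `short_ttl` true and a non-zero `first_record_uncached` count is exactly the combination the article says is prone to first-attempt failures with static routes; taking more captures over a longer period gives a better picture of how often the first record rotates.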


  3. Mitigation Strategies When Using Static Routes: If static routes must be used, the following settings can reduce the frequency of issues.

  • Adjust the minimum cache TTL. The following configuration sets a minimum cache TTL of 10s; re-queries occur 5s before cache expiration.


Note:

This does not apply to wildcard FQDN objects.

config system dns
    set fqdn-min-refresh 10    <----- <10> to <3600>.
end

 

Refer to the following KB article for settings: Technical Tip: Improve FQDN re-query interval on FortiGate.

 

  • Increasing the FQDN cache TTL reduces the frequency of cache expirations. 

 

config firewall address
    edit "<fqdn-address-name>"    <----- Name of the FQDN address object.
        set cache-ttl 86400    <----- <0> to <86400>.
    next
end

 

  • If wildcard FQDNs are being used, replace them with regular FQDNs where possible and apply the measures above. With regular FQDN objects, FortiGate refreshes the cache automatically through its own DNS re-queries, so the cache is renewed rather than simply expiring.

 

Refer to the following KB articles for settings:

Technical Tip: Explanation of the FQDN default cache-ttl

Technical Tip: Using a wildcard FQDN

 

Note:

When the FQDN cache is updated, the routing table is updated each time as well, and the related sessions must be re-evaluated. Considering the FortiGate resources this consumes, a policy route is still recommended.