ManishKhatri
Staff
Article Id 396963
Description: This article describes how to handle a scenario where FortiGuard updates via a proxy server fail.
Scope: FortiGate.
Solution:

When FortiGate devices are configured to use a proxy server for FortiGuard updates, whether the CONNECT request sent to the proxy names the FortiGuard server by hostname or by IP address depends on the FortiGate's DNS configuration. Understanding this behavior is important when configuring proxies that strictly enforce URL-based (hostname) CONNECT requests.

Behavior Overview

FortiGate typically resolves the domain names of FortiGuard (FDN, FortiGuard Distribution Network) servers locally before establishing a connection. As a result, the CONNECT request sent to the proxy may contain the resolved IP address of the FortiGuard server instead of its domain name.

If the proxy is configured to accept only URL-based CONNECT requests (that is, requests whose target is a hostname), it may reject these IP-based requests. This is expected behavior given how FortiGate handles DNS resolution for update services.

Configuration Guidance

To ensure FortiGate can successfully communicate with FortiGuard servers through a proxy, consider the following options:

  1. Allow IP-based CONNECT Requests on the Proxy.
    Modify the proxy configuration to accept CONNECT requests that contain IP addresses, or allow connection requests specifically for the FortiGuard IPs (if possible). This aligns with FortiGate's default behavior of resolving FortiGuard domains before connecting.

  2. Leverage Proxy DNS Resolution.
    FortiGate can be made to send domain names instead of resolved IP addresses in CONNECT requests by disabling DNS settings on the FortiGate device. This allows the proxy (e.g., Squid) to perform DNS resolution and accept URL-based CONNECT requests.

    This behavior has been validated in user testing environments, where disabling FortiGate's DNS settings caused CONNECT requests to the proxy to carry hostnames (URLs) instead of IP addresses. This approach can be useful in environments where the proxy enforces URL-only CONNECT policies.

Note: Removing DNS settings from FortiGate should be done during off-production hours, as it may affect other services on the firewall that rely on DNS resolution.
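The following Python is an added example, not part of the original article or of any Fortinet or proxy vendor code. It models the proxy-side policy described above: it parses the CONNECT request line, distinguishes an IP-literal target (the form FortiGate sends when it resolves FortiGuard names locally) from a hostname target (the form it sends once its DNS settings are removed), and tallies both forms so an administrator can confirm from proxy logs which form the firewall is actually sending. The request lines, addresses and hostname are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample CONNECT request lines as a proxy would receive them. The first
# two are the IP-based form FortiGate sends after resolving FortiGuard names locally;
# the third is the hostname form sent once its DNS settings are removed (placeholders).
SAMPLE_REQUESTS = [
    "CONNECT 192.0.2.10:443 HTTP/1.1",
    "CONNECT [2001:db8::10]:443 HTTP/1.1",
    "CONNECT update.fortiguard.example:443 HTTP/1.1",
]
_CONNECT_RE = re.compile(r"^CONNECT\s+(\S+)\s+HTTP/1\.[01]$")


def parse_connect_target(request_line: str) -> tuple[str, int]:
    """Return (host, port) from a CONNECT request line; ValueError if malformed."""
    m = _CONNECT_RE.match(request_line.strip())
    if not m:
        raise ValueError(f"not a CONNECT request: {request_line!r}")
    authority = m.group(1)
    if authority.startswith("["):          # IPv6 literal: [addr]:port
        host, sep, port = authority[1:].partition("]:")
    else:                                  # hostname or IPv4: host:port
        host, sep, port = authority.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"malformed authority: {authority!r}")
    return host, int(port)


def is_ip_literal(host: str) -> bool:
    """True if the CONNECT target is an IPv4/IPv6 address, not a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def proxy_decision(request_line: str, allow_ip_targets: bool) -> tuple[str, str]:
    """Emulate a proxy CONNECT policy; allow_ip_targets=False is the URL-only case."""
    host, port = parse_connect_target(request_line)
    if is_ip_literal(host) and not allow_ip_targets:
        return "deny", f"IP-based target {host} rejected; hostname required"
    return "allow", f"{host}:{port}"


def count_target_forms(request_lines: list[str]) -> dict[str, int]:
    """Tally hostname vs IP-based CONNECT targets, e.g. from a proxy access log."""
    counts = {"hostname": 0, "ip": 0}
    for line in request_lines:
        host, _ = parse_connect_target(line)
        counts["ip" if is_ip_literal(host) else "hostname"] += 1
    return counts
```

Feeding the CONNECT lines from the proxy's access log into count_target_forms shows immediately whether the FortiGate is sending IP-based targets (option 1 applies) or hostnames (option 2 is in effect).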