An internal FortiProxy receives traffic on an Explicit Proxy port but cannot resolve certain external hostnames. These requests must be forwarded to an upstream proxy that can perform DNS resolution.

When the requested URL matches a URL Match rule, FortiProxy:

• Skips DNS resolution.
• Forwards the request directly to the configured forward-server.

If the URL does not match, FortiProxy attempts DNS resolution itself and may return an HTTP 504 DNS Timeout if resolution fails.

config web-proxy url-match
    edit "forward-upstream"
        set status enable
        set explicit-web-proxy all
        set type wildcard
        set url-pattern "*bbc.com"
        set forward-server "upstream-proxy"
    next
end

FortiProxy forwards matching requests to the upstream proxy without DNS checks, ensuring successful resolution and preventing DNS timeout errors.