Technical Tip: How to identify the policy ID number when using Explicit Proxy Policy
Description
This article explains how to verify that client traffic is matching the intended explicit proxy policy.
When the explicit proxy is not used, the policy ID of a session can be read directly from the session table (policy_id=).
When the explicit proxy is used, the session table shows policy_id=0. The entry in the session table is the client-side TCP session between the client and the proxy listener on the FortiGate; the policy decision is made by the proxy process (WAD), not by the kernel forwarding path, so the ID is not recorded in that entry and does not appear in 'diagnose debug flow' output either.
The solution is to enable traffic logging on the explicit proxy policy. The policy ID (policyid=) is then visible in the traffic log entry written for the proxied connection.
Scope
FortiGate, Explicit Proxy
Solution
- Enable Logging in Policy: Enable logging of all sessions on the Explicit Proxy policy under Policy & Objects > Policy > Explicit Proxy, or from the CLI (policy ID 1 is used in this example; 'set logtraffic all' is the setting that makes the policy ID appear in the traffic log):
config firewall explicit-proxy-policy
edit 1
set proxy web
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set service "webproxy"
set action accept
set schedule "always"
set logtraffic all
next
end
- Topology: In the following example:
Client (172.77.97.125) -- FortiGate (172.77.97.129) -- Server (207.46.15.253)
- Session Table: The session table only shows the client-side session between the client (172.77.97.125) and the FortiGate (172.77.97.129).
Note:
The destination port is 8080 (the default explicit web proxy port) and policy_id=0, even though the policy in use is ID 1.
session info: proto=6 proto_state=01 duration=191 expire=3574 timeout=3600 flags=00000000 sockflag=00000000
...
orgin->sink: org pre->in, reply out->post dev=3->13/13->3 gwy=172.77.97.129/0.0.0.0
hook=pre dir=org act=noop 172.77.97.125:50889->172.77.97.129:8080(0.0.0.0:0)
hook=post dir=reply act=noop 172.77.97.129:8080->172.77.97.125:50889(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
...
- Traffic Log: The traffic log entry for the same client shows the real destination (207.46.15.253:443), wanoptapptype=web-proxy, and the explicit proxy policy that was matched (policyid=1):
1: date=2015-03-31 time=21:54:41 logid=0000000010 type=traffic subtype=forward level=notice vd=root srcip=172.77.97.125 srcport=50797 srcintf="root.b" dstip=207.46.15.253 dstport=443 dstintf="root.b" sessionid=604204290 dstcountry="United States" srccountry="Reserved" service=HTTPS wanoptapptype=web-proxy proto=0 duration=0 policyid=1 wanin=5802 rcvdbyte=5802 wanout=1637 lanin=1809 sentbyte=1809 lanout=5874
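The following script is an added example and is not part of the original article or Fortinet's own tooling. It automates the check described above: it parses a session-table entry (as printed by 'diagnose sys session list'), confirms it is the client-to-proxy leg (destination port 8080, policy_id=0), and then pulls the matching explicit proxy policy ID for that client out of traffic log lines (as printed by 'execute log display' after 'execute log filter category 0'), keeping only records with wanoptapptype=web-proxy. The embedded session entry and the first log line are copied from this article; the second log line (a direct-forward DNS record for a different client, policyid=2) is constructed to show that non-proxy records are skipped. The proxy port and the function names are this example's assumptions.

```python
"""Resolve the explicit proxy policy ID for a client from FortiGate traffic logs.

Added example, not from the original article. Feed it the output of
'diagnose sys session list' (client-side session) and the traffic log lines
printed by 'execute log display'.
"""
import re
from typing import Dict, List

# key=value tokens; values may be quoted (srcintf="root.b") or bare (policyid=1)
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# the src:port->dst:port tuple printed on the hook= lines of a session entry
_TUPLE = re.compile(r'(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value line (traffic log or session-table line) into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def parse_session(text: str) -> Dict[str, str]:
    """Flatten a multi-line session-table entry into one dict and record the
    original-direction (dir=org) 5-tuple as src/sport/dst/dport."""
    sess: Dict[str, str] = {}
    for line in text.splitlines():
        fields = parse_kv(line)
        sess.update(fields)
        if fields.get("dir") == "org":
            m = _TUPLE.search(line)
            if m:
                sess["src"], sess["sport"], sess["dst"], sess["dport"] = m.groups()
    return sess


def is_proxy_side_session(sess: Dict[str, str], proxy_port: int = 8080) -> bool:
    """True when the entry is the client-to-proxy leg: destination port is the
    explicit proxy port (assumed 8080, the default) and policy_id is 0."""
    return sess.get("dport") == str(proxy_port) and sess.get("policy_id") == "0"


def proxy_policy_ids(log_lines: List[str], srcip: str) -> Dict[int, List[str]]:
    """Map each explicit proxy policy ID hit by srcip to the real destinations
    reached through it. Only web-proxy records are considered; direct-forward
    records (no wanoptapptype=web-proxy) are skipped."""
    hits: Dict[int, List[str]] = {}
    for line in log_lines:
        rec = parse_kv(line)
        if rec.get("srcip") != srcip or rec.get("wanoptapptype") != "web-proxy":
            continue
        pid = int(rec["policyid"])
        hits.setdefault(pid, []).append(f'{rec["dstip"]}:{rec["dstport"]}')
    return hits


def resolve_policy_ids(session_text: str, log_lines: List[str]) -> Dict[int, List[str]]:
    """For a client-side proxy session, return the policy IDs found in the traffic
    log for that client. Empty when the entry is not an explicit proxy session
    or nothing has been logged for the client yet."""
    sess = parse_session(session_text)
    if not is_proxy_side_session(sess):
        return {}
    return proxy_policy_ids(log_lines, sess["src"])


# Session entry and first log line as shown in the article; the second log
# line is constructed (direct-forward DNS for another client) and must be skipped.
SESSION = """session info: proto=6 proto_state=01 duration=191 expire=3574 timeout=3600 flags=00000000 sockflag=00000000
orgin->sink: org pre->in, reply out->post dev=3->13/13->3 gwy=172.77.97.129/0.0.0.0
hook=pre dir=org act=noop 172.77.97.125:50889->172.77.97.129:8080(0.0.0.0:0)
hook=post dir=reply act=noop 172.77.97.129:8080->172.77.97.125:50889(0.0.0.0:0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0"""

LOGS = [
    '1: date=2015-03-31 time=21:54:41 logid=0000000010 type=traffic subtype=forward level=notice vd=root srcip=172.77.97.125 srcport=50797 srcintf="root.b" dstip=207.46.15.253 dstport=443 dstintf="root.b" sessionid=604204290 dstcountry="United States" srccountry="Reserved" service=HTTPS wanoptapptype=web-proxy proto=0 duration=0 policyid=1 wanin=5802 rcvdbyte=5802 wanout=1637 lanin=1809 sentbyte=1809 lanout=5874',
    '2: date=2015-03-31 time=21:55:02 logid=0000000010 type=traffic subtype=forward level=notice vd=root srcip=172.77.97.126 srcport=41000 srcintf="port1" dstip=8.8.8.8 dstport=53 dstintf="port2" service=DNS proto=17 duration=1 policyid=2 sentbyte=60 rcvdbyte=120',
]

if __name__ == "__main__":
    sess = parse_session(SESSION)
    print(f'session table: {sess["src"]}:{sess["sport"]} -> {sess["dst"]}:{sess["dport"]} policy_id={sess["policy_id"]}')
    for pid, dests in resolve_policy_ids(SESSION, LOGS).items():
        print(f'traffic log: explicit proxy policy {pid} -> {", ".join(dests)}')
```

Because the client-side session and the traffic log record are different objects (the source ports 50889 and 50797 in the article do not line up), the correlation is done on the client IP and the web-proxy marker rather than on the full 5-tuple. If the dictionary comes back empty, either the session is a plain forwarded session (check policy_id in the session table instead) or the explicit proxy policy still has logtraffic disabled.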
Related articles:
Troubleshooting Tip: FortiGate session table information
Troubleshooting Tip: Example of wad debugging for Explicit Proxy
