Skip to main content
zromano
Staff & Editor
zromano
Staff & Editor
February 24, 2025

Technical Tip: Checking the matching explicit proxy policy from the CLI on a FortiProxy

  • February 24, 2025
  • 0 replies
  • 546 views
Description This article describes how to do an explicit proxy policy lookup from the CLI with the FortiProxy.
Scope FortiProxy.
Solution

On a FortiProxy, it is possible to run an explicit proxy policy lookup using the following command:

 

diagnose wad exp-fw-policy-test <SRC> <WEBPROXY> <REQ> <AUTH-TYPE> [<USERNAME/GROUP>] [<SERVER>]

 

  • <SRC> is the source IP of the traffic.
  • <WEBPROXY> is the webproxy configured in 'config web-proxy explicit-proxy' section (or in the GUI: 'Proxy Settings -> Explicit Proxy').
  • <REQ> is the requested IP/URI.
  • <AUTH-TYPE> is the Authentication type that can be none, user or group.
  • <USERNAME/GROUP> is the username or group to which the user belongs to.
  • <SERVER> is the name (as it appears in the configuration) of the remote authentication server, or the local authentication server.


Running just the first part will show examples on how to use it:

 

diagnose wad exp-fw-policy-test

Usage:
diagnose wad exp-fw-policy-test <SRC> <WEBPROXY> <REQ> <AUTH-TYPE> [<USERNAME/GROUP>] [<SERVER>]
Example 1: diagnose wad exp-fw-policy-test 1.1.1.1 web-proxy "uri=http://example.com/path" user user1 ldap_srv
Example 2: diagnose wad exp-fw-policy-test 1.1.1.1 web-proxy "ipport=2.2.2.2:8080" user user2 local
Example 3: diagnose wad exp-fw-policy-test 1.1.1.1 web-proxy "copy then paste exact http request here" none

 

The output will show the matching policy ID. If the traffic is accepted or blocked, source and destination addresses are configured in the policy and matching user/group.
In the following example, user1's traffic matches proxy policy 4 and the traffic is accepted:

 

diagnose wad exp-fw-policy-test 10.1.1.1 web-proxy "ipport=1.1.1.1:443" user user1 local
firewall policy id: 4
policy_action: accept
srcaddr: all
dstaddr: all
user(group): user1

 

In the following example, as user1 belongs to the group usr-grp, traffic will match policy 5 and will be denied:

 

diagnose wad exp-fw-policy-test 10.1.1.1 web-proxy "ipport=1.2.3.4:443" user user1 local
firewall policy id: 5
policy_action: deny
srcaddr: all
dstaddr: 1.2.3.4
user(group): usr-grp


If no authentication is used, 'none' can be used for the AUTH-TYPE at the end of the command:

 

diagnose wad exp-fw-policy-test 10.1.1.1 web-proxy "uri=https://google.com" none
firewall policy id: 3
policy_action: accept
srcaddr: all
dstaddr: wildcard.google.com
user(group): n/a

 

If no explicit proxy policy is matched, the implicit deny will match and the output will be as follow:

 

diagnose wad exp-fw-policy-test 1.1.1.1 web-proxy "uri=https://facebook.com" none
No policy matched
sec_default_action: deny

 

Note: This command will not work on a FortiGate, even if the FortiGate can have explicit proxy policies. It is only valid for FortiProxy.
Terms & ConditionsAccessibility statement