leej
Staff
May 21, 2025

Technical Tip: FortiProxy - Packets pass through a Transparent Policy with the action 'DENY' and 'set log-http-transaction enable'

Description
This article describes when a transparent proxy policy with the action 'DENY' may allow packets to be transmitted.

Scope
FortiProxy with a transparent proxy policy, on versions earlier than v7.0.21, v7.2.14, v7.4.9, and v7.6.3.
Solution

The 'Log HTTP Transaction' feature logs HTTP transactions.

When this feature is enabled in a transparent policy with the action 'DENY', the policy lets packets pass through until it sees HTTP transactions.

CLI configuration:

 

config firewall policy
    edit 45
        set name "DENY_cmtinfo.co"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "cmtinfo.co.kr_183.111.182.241" "http://www.cmtinfo.co.kr"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
        set log-http-transaction enable
        set extended-log enable
        set ssl-ssh-profile "no-inspection"
    next
end

 

Forward Traffic Log:

[Screenshot: Forward_Traffic_Log.jpg]

 

This has been identified as a bug and will be fixed in the upcoming releases v7.0.21, v7.2.14, v7.4.9, and v7.6.3.

 

Workaround:

Disable 'Log HTTP Transaction' in the policy with the action 'DENY'.

 

config firewall policy
    edit 45
        set name "DENY_cmtinfo.co"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "cmtinfo.co.kr_183.111.182.241" "http://www.cmtinfo.co.kr"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
        set log-http-transaction disable
        set extended-log enable
        set ssl-ssh-profile "no-inspection"
    next
end
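As an added example (not Fortinet's tooling and not code from this article), the following Python script audits a 'show firewall policy' dump for DENY policies that still carry 'set log-http-transaction enable', emits the CLI for the workaround above, and checks a version string against the fixed releases listed in this article. It assumes that a firewall policy with no 'set action' line is a DENY policy, which is how the article's sample policy is written; the sample configuration is constructed here, with policy 45 abridged from the article and policies 46 and 47 invented for contrast.

```python
"""Audit a FortiProxy config dump for DENY policies that still have
'set log-http-transaction enable', and test whether a version is one the
article lists as affected. Assumption not stated on the page: a firewall
policy with no 'set action' line is DENY (the article's sample DENY policy
carries no 'set action' line)."""
import re

# Fixed releases named in the article, keyed by branch (major, minor).
FIXED_RELEASES = {(7, 0): (7, 0, 21), (7, 2): (7, 2, 14),
                  (7, 4): (7, 4, 9), (7, 6): (7, 6, 3)}


def parse_version(text):
    """'v7.2.10' or '7.2.10' -> (7, 2, 10)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(text):
    """True if earlier than the fix for its branch, False if fixed,
    None for a branch the article does not mention."""
    version = parse_version(text)
    fixed = FIXED_RELEASES.get(version[:2])
    return None if fixed is None else version < fixed


def parse_firewall_policies(config_text):
    """{policy_id: {setting: [values]}} for each 'edit <id>' under
    'config firewall policy'. Values are split with a regex because
    quoted object names may contain spaces."""
    policies, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
        elif not in_block:
            continue
        elif line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
            policies[current] = {}
        elif line == "next":
            current = None
        elif line == "end":
            in_block = False
        elif current is not None and line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            policies[current][key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
    return policies


def find_deny_policies_logging_http(config_text):
    """IDs of policies that are DENY and have 'log-http-transaction enable'."""
    flagged = []
    for pid, settings in parse_firewall_policies(config_text).items():
        action = settings.get("action", ["deny"])[0]  # default-deny assumption
        log_http = settings.get("log-http-transaction", ["disable"])[0]
        if action == "deny" and log_http == "enable":
            flagged.append(pid)
    return flagged


def workaround_commands(config_text):
    """CLI that applies the article's workaround to every flagged policy."""
    lines = []
    for pid in find_deny_policies_logging_http(config_text):
        lines += ["config firewall policy", f"    edit {pid}",
                  "        set log-http-transaction disable", "    next", "end"]
    return "\n".join(lines)


# Constructed sample: 45 mirrors the article's DENY policy (abridged); 46 and 47
# are made up to show an ACCEPT policy and a clean DENY policy, neither flagged.
SAMPLE_CONFIG = """\
config firewall policy
    edit 45
        set name "DENY_cmtinfo.co"
        set srcaddr "all"
        set dstaddr "cmtinfo.co.kr_183.111.182.241" "http://www.cmtinfo.co.kr"
        set logtraffic all
        set log-http-transaction enable
    next
    edit 46
        set name "ALLOW_web"
        set action accept
        set log-http-transaction enable
    next
    edit 47
        set name "DENY_other"
        set action deny
        set log-http-transaction disable
    next
end
"""

if __name__ == "__main__":
    print("v7.2.10 affected:", is_affected_version("v7.2.10"))
    print("flagged policies:", find_deny_policies_logging_http(SAMPLE_CONFIG))
    print(workaround_commands(SAMPLE_CONFIG))
```

Run it against the output of 'show firewall policy' saved to a file; only policies that are both DENY and logging HTTP transactions are reported, so an ACCEPT policy with the same logging setting is left alone, matching the scope of the workaround.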

 

Related article:

Troubleshooting Tip: No logs are appearing in HTTP Transaction Log