By default, FortiProxy evaluates firewall policies from top to bottom and applies the first policy that matches the traffic; once a policy matches, the policies below it are not evaluated. From v7.0.1 onwards, a policy can be configured with the pass-through option. When a pass-through policy matches, FortiProxy continues evaluating the policies below it, and when evaluation finishes, the last policy that matched is the one applied to the traffic. Below is an example setup in which the first policy has pass-through enabled.

GUI: [screenshot of the policy page]

CLI:

    config firewall policy
        edit 1
            set type explicit-web
            set name "Rule1"
            set dstintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "webproxy"
            set explicit-web-proxy "web-proxy"
            set pass-through enable            <<< pass-through enabled on the first policy
            set utm-status enable
            set logtraffic all
            set application 15832              <----- Facebook application
            set ssl-ssh-profile "Custom-deep-inspection"
            set av-profile "default"
        next
        edit 2
            set type explicit-web
            set name "Rule2"
            set dstintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "webproxy"
            set pass-through disable
            set explicit-web-proxy "web-proxy"
            set utm-status enable
            set logtraffic all
            set ssl-ssh-profile "Custom-deep-inspection2"
            set av-profile "default"
            set webfilter-profile "default"
        next
    end

In this scenario, Facebook traffic matches Rule1 (policy 1), but because Rule1 has pass-through enabled, evaluation continues and Rule2 (policy 2) also matches. Rule2 is the last matched policy, so it is the one applied to the Facebook traffic; the WAD debug and session list below confirm that policy 2 was selected.
WAD debug:

    CONNECT static.xx.fbcdn.net:443 HTTP/1.1
    Host: static.xx.fbcdn.net:443
    Proxy-Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    [I]wad_http_str_canonicalize :2200 enc=0 path=/ len=1 changes=0
    [I]wad_http_conn_req_classify :6390 no security profile HTTPS/HTTP, tport=443
    [I]wad_http_dns_resolve :8874 [0x7fdda825e608] DNS request name=static.xx.fbcdn.net len=19 type/pref/pref-strict=0/0/0
    [I]wad_http_dns_request_done :14111 [0x7fdda825e608] DNS resolved: 163.70.132.23
    [I]wad_fast_match_is_enable :4031 fast matching is enabled
    [I]wad_fw_policy_async_match :7645 pol_ctx:xhcf|Ad|7?|=d
    [I]wad_http_req_policy_set :11730 match policy-id=2(pol_ctx:xhcf|Ad|7?|=d) vd=0(ses_ctx:x|Phx|Mde|Hh|C|A7|O) (10.169.2.76:62811@6 -> 163.70.132.23:443@3)

WAD session list:

    Session: explicit proxy 10.169.2.76:62811(10.47.18.157:35246)->163.70.132.23:443
      id=1961065053 worker=0 vd=0:0 fw-policy=2 duration=53 expire=3547 session-ttl=3600
      state=3 app=http sub_type=0 wan_opt_mode=0 dd_method=0
      SSL enabled
      to-client
        SSL Port: state=3
        TCP Port: state=2 r_blocks=1 w_blocks=0 read_blocked=0 bytes_in=2518 bytes_out=811 shutdown=0x0
      to-server
        SSL Port: state=3
        TCP Port: state=2 r_blocks=1 w_blocks=0 read_blocked=0 bytes_in=465 bytes_out=516 shutdown=0x0

The two places to check are 'match policy-id=2' in the wad_http_req_policy_set line and 'fw-policy=2' in the session entry: both report policy 2 rather than policy 1, even though policy 1 also matched the Facebook traffic.
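The following is an added example, not Fortinet's code or the FortiProxy matcher itself. It models the policy-selection rule described above (first match wins by default; a pass-through policy lets evaluation continue and the last matched policy is applied) for the two policies on this page, contrasts it with the same table with pass-through disabled, and checks the model's prediction against the policy ID reported in the WAD debug output quoted above. Only the fields that differ between Rule1 and Rule2 are modelled; the flows, the non-Facebook destination address and the assumption that a matching policy with pass-through disabled ends the walk are constructed for the example and not stated on the page.

```python
"""Model of FortiProxy explicit-web policy selection with pass-through.

Added example, not Fortinet code. A real policy lookup also checks
interfaces, schedule, service, users and more; only srcaddr, dstaddr and
the application filter are modelled here because those are the fields
that distinguish Rule1 from Rule2 on this page.
"""
import re
from dataclasses import dataclass

FACEBOOK_APP_ID = 15832  # application ID used by Rule1 on this page


@dataclass(frozen=True)
class Policy:
    policy_id: int
    name: str
    pass_through: bool = False
    # Empty set means no application filter: the policy matches any application.
    applications: frozenset = frozenset()
    srcaddr: str = "all"
    dstaddr: str = "all"

    def matches(self, flow: dict) -> bool:
        """'all' matches any address; an application filter matches only its IDs."""
        if self.srcaddr != "all" and self.srcaddr != flow.get("src"):
            return False
        if self.dstaddr != "all" and self.dstaddr != flow.get("dst"):
            return False
        if self.applications and flow.get("app") not in self.applications:
            return False
        return True


def select_policy(policies: list, flow: dict):
    """Walk the table top to bottom (list order is table order).

    Default: stop at the first matching policy. If that policy has
    pass-through enabled, keep going; the last policy that matched is
    returned. Assumption (not stated in the article): a matching policy
    with pass-through disabled ends the walk. None means nothing matched.
    """
    last_match = None
    for policy in policies:
        if not policy.matches(flow):
            continue
        last_match = policy
        if not policy.pass_through:
            break
    return last_match


# The two explicit-web policies from the article, in table order.
PAGE_POLICIES = [
    Policy(1, "Rule1", pass_through=True, applications=frozenset({FACEBOOK_APP_ID})),
    Policy(2, "Rule2", pass_through=False),
]
# Same table with the default (pass-through disabled) on Rule1, for contrast.
FIRST_MATCH_POLICIES = [
    Policy(1, "Rule1", pass_through=False, applications=frozenset({FACEBOOK_APP_ID})),
    Policy(2, "Rule2", pass_through=False),
]

# Constructed flows: addresses from the WAD debug for the Facebook flow,
# a made-up destination (203.0.113.10) for non-Facebook traffic.
FACEBOOK_FLOW = {"src": "10.169.2.76", "dst": "163.70.132.23", "app": FACEBOOK_APP_ID}
OTHER_FLOW = {"src": "10.169.2.76", "dst": "203.0.113.10", "app": None}

# Lines quoted from the WAD debug and session list in the article.
WAD_DEBUG = """\
[I]wad_http_req_policy_set :11730 match policy-id=2(pol_ctx:xhcf|Ad|7?|=d) vd=0(ses_ctx:x|Phx|Mde|Hh|C|A7|O) (10.169.2.76:62811@6 -> 163.70.132.23:443@3)
Session: explicit proxy 10.169.2.76:62811(10.47.18.157:35246)->163.70.132.23:443
id=1961065053 worker=0 vd=0:0 fw-policy=2 duration=53 expire=3547 session-ttl=3600
"""

_MATCH_RE = re.compile(r"wad_http_req_policy_set .*?match policy-id=(\d+)")
_SESSION_RE = re.compile(r"\bfw-policy=(\d+)")


def policy_ids_from_debug(text: str) -> dict:
    """Extract the policy IDs that the WAD debug and session list report."""
    return {
        "matched": [int(m) for m in _MATCH_RE.findall(text)],
        "session": [int(m) for m in _SESSION_RE.findall(text)],
    }


def predicted_vs_observed() -> dict:
    """Compare the model's choice for Facebook traffic with the debug output."""
    chosen = select_policy(PAGE_POLICIES, FACEBOOK_FLOW)
    observed = policy_ids_from_debug(WAD_DEBUG)
    agree = chosen is not None and all(ids == [chosen.policy_id] for ids in observed.values())
    return {"predicted": chosen.policy_id if chosen else None, "observed": observed, "agree": agree}


if __name__ == "__main__":
    for label, table in (("pass-through", PAGE_POLICIES), ("first-match", FIRST_MATCH_POLICIES)):
        for name, flow in (("facebook", FACEBOOK_FLOW), ("other", OTHER_FLOW)):
            chosen = select_policy(table, flow)
            print(f"{label:12} {name:9} -> {chosen.name if chosen else 'implicit deny'}")
    print(predicted_vs_observed())
```

Running the script shows the difference the option makes: with the page's table, Facebook traffic ends up on Rule2; with pass-through disabled on Rule1, the same traffic stops at Rule1. Non-Facebook traffic lands on Rule2 either way, because Rule1's application filter never matches it. The parser on the debug lines is the check to run on a real box after `diagnose wad debug` and the WAD session list: the policy ID it extracts should equal the policy the table predicts.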