Debugging Transparent Proxy Policy Matching

Question

HiI'm trying to figure out why my transparent proxy policies are allowing traffic when they shouldn't. I have a transparent proxy policy restricted to a single IP and FSSO group for testing, yet when I disable the policy, the test device/user still has internet access when no other transparent proxy policy should apply. Fortigate 200E running 7.4.5 I've disabled fast-matching, and enabled WAD debug: diag deb resetdiag wad debug enable category policydiag wad deb enable level verbosediag wad filter src diag deb ena With the policy enabled, I see proxy policy 8 matching: wad_http_req_check_policy :12911 start match policy vd=0(ses_ctx:t|Phx|Me|Hh|C|A1|O) (:57019@19->:80@20) absUrl=0wad_fast_match_is_enable :3702 fast matching is disabledwad_http_policy_get_cate_info :212 get category right awaywad_http_policy_match_one :454 fw_pol_id=8(pol_ctx:th|Acd|7|=p) pflag:H|W|U|Ac asyn_info=1wad_vwl_has_intf :329 logic/phyical if_idx(20/20),fw_intf=virtual-wan-link,matched=1__wad_fw_policy_match_user :4578 matched cached grp:NAwad_fw_policy_async_match :5355 pol_ctx:th|Acd|7|=dwad_http_req_policy_set :11195 match policy-id=0(pol_ctx:th|Acd|7|=d) vd=0(ses_ctx:t|Phx|Me|Hh|C|A1|O) (:57019@19 -> :80@20)wad_http_req_proc_policy :10752 POLICY DENIED With the policy disabled, I see: wad_http_req_check_policy :12911 start match policy vd=0(ses_ctx:t|Ph|M|Hhf|C|A1|O) (:57171@19->:80@20) absUrl=0wad_fast_match_is_enable :3702 fast matching is disabledwad_fw_policy_async_match :5355 pol_ctx:th|Ad|7|=dwad_http_req_policy_set :11195 match policy-id=0(pol_ctx:th|Ad|7|=d) vd=0(ses_ctx:t|Ph|Me|Hhf|C|A1|O) (:57171@19 -> :80@20)wad_http_req_proc_policy :10752 POLICY DENIEDwad_http_req_check_policy :12911 start match policy vd=0(ses_ctx:t|Ph|M|Hhf|C|A1|O) (:57185@19->:80@20) absUrl=0wad_fast_match_is_enable :3702 fast matching is disabledwad_fw_policy_async_match :5355 pol_ctx:th|Ad|7|=dwad_http_req_policy_set :11195 match policy-id=0(pol_ctx:th|Ad|7|=d) vd=0(ses_ctx:t|Ph|Me|Hhf|C|A1|O) (:57185@19 -> :80@20)wad_http_req_proc_policy :10752 POLICY DENIEDwad_http_req_check_policy :12911 start match policy vd=0(ses_ctx:t|Ph|M|Hhf|C|A1|O) (:57184@19->:80@20) absUrl=0wad_fast_match_is_enable :3702 fast matching is disabledwad_fw_policy_async_match :5355 pol_ctx:th|Ad|7|=dwad_http_req_policy_set :11195 match policy-id=0(pol_ctx:th|Ad|7|=d) vd=0(ses_ctx:t|Ph|Me|Hhf|C|A1|O) (:57184@19 -> :80@20)wad_http_req_proc_policy :10752 POLICY DENIEDwad_http_req_check_policy :12911 start match policy vd=0(ses_ctx:t|Phx|Me|Hh|C|A1|O) (:57185@19->:80@20) absUrl=0wad_fast_match_is_enable :3702 fast matching is disabledwad_fw_policy_async_match :5355 pol_ctx:th|Ad|7|=dwad_http_req_policy_set :11195 match policy-id=0(pol_ctx:th|Ad|7|=d) vd=0(ses_ctx:t|Phx|Me|Hh|C|A1|O) (:57185@19 -> :80@20)wad_http_req_proc_policy :10752 POLICY DENIED What does the "wad_http_req_proc_policy :10752 POLICY DENIED" mean? I see it in both log snippets. The second snippet seems to only show policy 0, the implicit deny, matching, yet somehow my test device still has internet access?

kgeorge · Accepted Answer

Hello,

WAD debugs would require some extensive checks and it would better if you create a support ticket with TAC Team and share the WAD debug file to analyze and let you know the reason for the same.

Have a nice day!

Theo4 · Answer

Make sure the traffic being "allowed" is actually matching the IPv4 policy that performs proxy redirection (the policy having "Proxy HTTP(S) Traffic" option enabled).

Also try different websites. The one you're trying could simply be cached.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded