FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
osoleimani
Staff
Staff
Description
This document explains how to verify whether traffic is hitting the correct explicit proxy policy.

When explicit proxy is not used, the policy ID can be viewed in the session table.

However, when explicit proxy is used, the policy ID shows as 0 in the session table because the session reflects the client-side session.  It is also not mentioned in "debug flow" output.

The solution is to enable traffic logging on the explicit proxy policy.  The policy ID is then observed in the traffic logs.

Solution

1. Enable Logging in Policy

Enable All session log on the Explicit Proxy policy under Policy & Objects > Policy > Explicit Proxy.

config firewall explicit-proxy-policy
    edit 1
        set proxy web
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
    next

2. Topology

In the following example:
Client                             --            FortiGate           --             Server
172.77.97.125                         172.77.97.129                    207.46.15.253

3. Session Table

Session table only shows the session between client (172.77.97.125) and FortiGate (172.77.97.129). 
note: the destination port is 8080 (default port for explicit proxy)

session info: proto=6 proto_state=01 duration=191 expire=3574 timeout=3600 flags=00000000 sockflag=00000000
...
orgin->sink: org pre->in, reply out->post dev=3->13/13->3 gwy=172.77.97.129/0.0.0.0
hook=pre dir=org act=noop 172.77.97.125:50889->172.77.97.129:8080(0.0.0.0:0)
hook=post dir=reply act=noop 172.77.97.129:8080->172.77.97.125:50889(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
...

4. Traffic Log

Sample traffic log output for the explicit proxy policy:

1: date=2015-03-31 time=21:54:41 logid=0000000010 type=traffic subtype=forward level=notice vd=root srcip=172.77.97.125 srcport=50797 srcintf="root.b" dstip=207.46.15.253 dstport=443 dstintf="root.b" sessionid=604204290 dstcountry="United States" srccountry="Reserved" service=HTTPS wanoptapptype=web-proxy proto=0 duration=0 policyid=1 wanin=5802 rcvdbyte=5802 wanout=1637 lanin=1809 sentbyte=1809 lanout=5874

Contributors