This document explains how to verify whether traffic is hitting the correct explicit proxy policy.

When explicit proxy is not used, the policy ID can be viewed in the session table.

However, when explicit proxy is used, the policy ID shows as 0 in the session table because the session table entry reflects only the client-side session. The policy ID also does not appear in the "debug flow" output.

The solution is to enable traffic logging on the explicit proxy policy. The policy ID can then be read from the traffic logs.


1. Enable Logging in Policy

Enable the All session log on the explicit proxy policy under Policy & Objects > Policy > Explicit Proxy.

config firewall explicit-proxy-policy
    edit 1
        set proxy web
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

2. Topology

In the following example:
Client -- FortiGate -- Server

3. Session Table

The session table only shows the session between the client and the FortiGate.
Note: the destination port is 8080 (the default port for explicit proxy).

session info: proto=6 proto_state=01 duration=191 expire=3574 timeout=3600 flags=00000000 sockflag=00000000
orgin->sink: org pre->in, reply out->post dev=3->13/13->3 gwy=
hook=pre dir=org act=noop>
hook=post dir=reply act=noop>
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0

4. Traffic Log

Sample traffic log output for the explicit proxy policy:

1: date=2015-03-31 time=21:54:41 logid=0000000010 type=traffic subtype=forward level=notice vd=root srcip= srcport=50797 srcintf="root.b" dstip= dstport=443 dstintf="root.b" sessionid=604204290 dstcountry="United States" srccountry="Reserved" service=HTTPS wanoptapptype=web-proxy proto=0 duration=0 policyid=1 wanin=5802 rcvdbyte=5802 wanout=1637 lanin=1809 sentbyte=1809 lanout=5874
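
To check many entries at once, the traffic log lines can be parsed and tallied per policyid. The following Python is an added example, not Fortinet code: it assumes explicit proxy entries are identified by wanoptapptype=web-proxy as in the sample above, and the function names and the second and third log lines are constructed for illustration.

```python
import re
from collections import Counter

# key=value pairs; a value may be quoted (with spaces) or empty.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_log_line(line):
    """Return the key=value fields of one traffic log line as a dict."""
    return {k: (q or b) for k, q, b in FIELD_RE.findall(line)}

def proxy_policy_hits(lines, expected_policy_id):
    """Tally explicit proxy log entries per policyid and list mismatches."""
    hits, unexpected = Counter(), []
    for line in lines:
        f = parse_log_line(line)
        # Assumption: proxy entries carry wanoptapptype=web-proxy, as in the sample.
        if f.get("type") != "traffic" or f.get("wanoptapptype") != "web-proxy":
            continue
        pid = f.get("policyid", "missing")
        hits[pid] += 1
        if pid != str(expected_policy_id):
            unexpected.append((f.get("sessionid"), f.get("dstport"), pid))
    return hits, unexpected

# First line: the sample from this article, shortened. The other two are constructed.
SAMPLE_LOGS = [
    '1: date=2015-03-31 time=21:54:41 logid=0000000010 type=traffic '
    'subtype=forward level=notice vd=root srcip= srcport=50797 srcintf="root.b" '
    'dstip= dstport=443 dstintf="root.b" sessionid=604204290 '
    'dstcountry="United States" srccountry="Reserved" service=HTTPS '
    'wanoptapptype=web-proxy proto=0 duration=0 policyid=1 wanin=5802',
    '2: date=2015-03-31 time=21:55:02 type=traffic subtype=forward '
    'srcip=192.0.2.10 dstip=198.51.100.20 dstport=80 sessionid=604204291 '
    'service=HTTP wanoptapptype=web-proxy policyid=2',
    '3: date=2015-03-31 time=21:55:09 type=traffic subtype=forward '
    'srcip=192.0.2.10 dstip=198.51.100.30 dstport=22 sessionid=604204292 '
    'service=SSH policyid=5',
]

if __name__ == "__main__":
    hits, unexpected = proxy_policy_hits(SAMPLE_LOGS, expected_policy_id=1)
    print("hits per explicit proxy policy:", dict(hits))
    for sessionid, dstport, pid in unexpected:
        print(f"session {sessionid} (dstport {dstport}) matched policy {pid}")
```

Entries reported as mismatches are proxy sessions that matched a different explicit proxy policy than the one under test, which usually points to policy ordering or an overly broad earlier policy.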