FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jgillies01
Staff
Staff
Description
While performing a tcp traceroute on a traffic inspected by profile in proxy mode you might get unexpected results.
The following command will perform the traceroute with TCP protocol on port 80.

user@kvm03:~$ sudo traceroute -q 1 -T -p 80 www.fortinet.com
traceroute to www.fortinet.com (13.56.33.144), 30 hops max, 60 byte packets
 1  10.10.10.10 (10.10.10.10)  0.199 ms
 2  ec2-13-56-33-144.us-west-1.compute.amazonaws.com (13.56.33.144)  0.174 ms
user@kvm03:~$
Actual path without proxy inspection:
user@kvm03:~$ sudo traceroute -q 1 -T -p 80 www.fortinet.com
traceroute to 13.56.33.144 (13.56.33.144), 30 hops max, 60 byte packets
 1  10.10.10.10 (10.10.10.10)  0.840 ms
 2  x.x.x.x (x.x.x.x)  0.773 ms
 3  x.x.x.x (x.x.x.x)  1.393 ms
 4  x.x.x.x (x.x.x.x)  2.723 ms
 5  x.x.x.x (x.x.x.x)  9.799 ms
 6  x.x.x.x (x.x.x.x)  12.712 ms
 7  ffm-bb3-link.telia.net (80.91.254.102)  165.381 ms
 8  prs-bb3-link.telia.net (62.115.123.13)  165.013 ms
 9  ldn-bb4-link.telia.net (62.115.114.228)  166.391 ms
10  nyk-bb3-link.telia.net (62.115.112.244)  93.870 ms
11  sjo-b21-link.telia.net (213.155.130.129)  163.137 ms
12  a100row-ic-300117-sjo-b21.c.telia.net (213.248.87.118)  179.177 ms
13  54.240.242.28 (54.240.242.28)  167.594 ms
14  54.240.242.127 (54.240.242.127)  169.147 ms
15  205.251.229.158 (205.251.229.158)  163.044 ms
16  *
17  *
18  *
19  *
20  *
21  ec2-13-56-33-144.us-west-1.compute.amazonaws.com (13.56.33.144)  168.771 suser@kvm03:~$
This applies to following inspections configured in proxy mode: Web filter, Antivirus, Data Leak Prevention, Anti-Spam, VoIP, Web Application Firewall

Notes:

- IP addresses are intentionally obfuscated.
- The 10.10.10.10 is the internal IP of the FortiGate.

Solution
This is expected behavior. List of possible workarounds:

1) Use flow based mode
2) Use other port, that is not used in any proxy inspection profile
3) Use other protocol, that is not being proxied, e.g. UDP or ICMP

Contributors