Solution
Traffic flow:
Src [10.167.1.113,VDOM11] >>> (10.1.1.2,11-120,VDOM11) Vdom Link (11-121,VDOM12, 10.1.1.1) >>> Explicit_Proxy[Loopback, 172.17.17.17, VDOM12] >>> Internet [port17,10.56.241.113, VDOM12]
Background:
- On the PC client side, the gateway is 10.167.1.113 and the proxy server is 172.17.17.17 on port 8080.
- The VDOM12 explicit web proxy is configured with 'set sec-default-action accept'.
- The root VDOM uses mgmt1 (10.56.245.113) to reach the Internet.
- The session output below is taken on VDOM12 with the CLI command 'diagnose sys session list'.
V6.4.12 (the session exits via mgmt1 of the root VDOM):
session info: proto=6 proto_state=01 duration=4 expire=3595 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=local
statistic(bytes/packets/allow_err): org=11210/150/1 reply=346251/249/1 tuples=2
tx speed(Bps/kbps): 2469/19 rx speed(Bps/kbps): 76266/610
orgin->sink: org out->post, reply pre->in dev=0->3/3->52 gwy=0.0.0.0/10.56.245.113   <---3 is mgmt1
hook=out dir=org act=noop 10.56.245.113:12865->220.233.67.203:10443(0.0.0.0:0)   <---10.56.245.113 is mgmt interface IP
hook=in dir=reply act=noop 220.233.67.203:10443->10.56.245.113:12865(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0 serial=00179ded tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local
total session 1
V7.0.12 (the session now exits via port17, not mgmt1):
session info: proto=6 proto_state=01 duration=23 expire=3577 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=local
statistic(bytes/packets/allow_err): org=10221/137/1 reply=348568/251/1 tuples=2
tx speed(Bps/kbps): 439/3 rx speed(Bps/kbps): 14985/119
orgin->sink: org out->post, reply pre->in dev=0->17/17->72 gwy=0.0.0.0/10.56.241.113   <--17 is wan interface
hook=out dir=org act=noop 10.56.241.113:14472->220.233.67.203:10443(0.0.0.0:0)   <--10.56.241.113 is wan interface IP
hook=in dir=reply act=noop 220.233.67.203:10443->10.56.241.113:14472(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=5 serial=00000cc7 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local
total session 1
V7.2.9 (the session now exits via port17, not mgmt1):
session info: proto=6 proto_state=01 duration=25 expire=3574 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local
statistic(bytes/packets/allow_err): org=10461/142/1 reply=348441/249/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org out->post, reply pre->in dev=72->17/17->72 gwy=0.0.0.0/10.56.241.113   <--17 is wan interface
hook=out dir=org act=noop 10.56.241.113:28950->220.233.67.203:10443(0.0.0.0:0)   <--10.56.241.113 is wan interface IP
hook=in dir=reply act=noop 220.233.67.203:10443->10.56.241.113:28950(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=5 serial=00001a87 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local
total session 1
Conclusion:
- Proxy traffic from other VDOMs exiting through the root VDOM's management interface only happens on v6.4, even though those VDOMs have their own default routes in the RIB/FIB.
- On v7.0 and v7.2, proxy traffic from other VDOMs exits through the VDOM's own interface.
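A quick way to confirm which interface and VDOM a proxy session is really leaving through is to parse the dev=/vd=/hook=out fields from the session record and map the egress interface index to its name and VDOM. The following is an added example, not part of the article: it uses two records trimmed from the session output above, and the interface index table is an assumption built from the article's own annotations (3 = mgmt1 in root, 17 = port17 in VDOM12).

```python
import re

# Two session records copied from the article's 'diagnose sys session list'
# output (v6.4 and v7.0), cut down to the lines this check reads; the
# article's inline "<---" annotations are dropped.
SESSION_V64 = """session info: proto=6 proto_state=01 duration=4 expire=3595
orgin->sink: org out->post, reply pre->in dev=0->3/3->52 gwy=0.0.0.0/10.56.245.113
hook=out dir=org act=noop 10.56.245.113:12865->220.233.67.203:10443(0.0.0.0:0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0 serial=00179ded"""

SESSION_V70 = """session info: proto=6 proto_state=01 duration=23 expire=3577
orgin->sink: org out->post, reply pre->in dev=0->17/17->72 gwy=0.0.0.0/10.56.241.113
hook=out dir=org act=noop 10.56.241.113:14472->220.233.67.203:10443(0.0.0.0:0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=5 serial=00000cc7"""

# Assumed interface-index table, built from the article's own annotations
# (index 3 is mgmt1 in root, index 17 is port17 in VDOM12); on a live unit
# fill it from that unit's interface list.
IFINDEX = {3: ("mgmt1", "root"), 17: ("port17", "VDOM12")}

DEV_RE = re.compile(r"dev=(\d+)->(\d+)/(\d+)->(\d+)")
SRC_RE = re.compile(r"hook=out dir=org act=\w+ (\S+?):(\d+)->(\S+?):(\d+)")
VD_RE = re.compile(r"\bvd=(\d+)")


def parse_session(text):
    """Pull the egress-relevant fields out of one session record."""
    dev, src, vd = DEV_RE.search(text), SRC_RE.search(text), VD_RE.search(text)
    if not (dev and src and vd):
        raise ValueError("not a complete session record")
    return {
        "vd": int(vd.group(1)),            # VDOM index the session belongs to
        "org_out_dev": int(dev.group(2)),  # interface index the original direction leaves on
        "src_ip": src.group(1),            # source IP the proxy uses towards the server
        "dst": f"{src.group(3)}:{src.group(4)}",
    }


def check_egress(session, ifindex, proxy_vdom):
    """Name the interface/VDOM the proxy session really exits through and flag
    it when that is not the VDOM the explicit proxy is configured in."""
    name, vdom = ifindex.get(session["org_out_dev"], ("unknown", "unknown"))
    return {
        "egress_if": name,
        "egress_vdom": vdom,
        "leaves_proxy_vdom": vdom != proxy_vdom,
        "src_ip": session["src_ip"],
    }
```

Running check_egress(parse_session(SESSION_V64), IFINDEX, "VDOM12") reports mgmt1/root with leaves_proxy_vdom set, while the v7.0 record reports port17/VDOM12.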