Description
This article describes that in FortiGate, a proxy-policy with an FQDN destination address only matches client requests that use the FQDN. Client requests that use the IP address do not match the proxy-policy with the FQDN. This is the expected behavior.
Scope
FortiGate.
Solution
In an explicit web proxy, the web client is expected to send the HTTP request using the FQDN configured in the proxy-policy. This differs from a normal firewall policy (when FortiGate is not configured as an explicit web proxy), where FortiGate can perform a reverse DNS lookup on the destination IP to obtain the FQDN for policy matching.
For example, in an explicit web proxy, the following proxy-policy with an FQDN destination address is configured:

config firewall proxy-policy
    edit 10
        set name "Test_Fortiguard"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "ALL"
        set dstaddr "fds1.fortinet.com"    <---- FQDN address configured.
        set service "webproxy"
        set action accept
        set status disable
        set schedule "always"
        set logtraffic all
        set utm-status enable
    next
Result:
The following is the capture of 'debug wad'. The first request matched proxy-policy 10, while the request sent to the IP address 173.243.138.71 matched policy-id=0 and was denied.

text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,a
[I]2024-09-02 16:00:35.009769 [p:16157][s:86729651][r:1] wad_http_req_policy_set :10748 match policy-id=10(pol_ctx:xhf|Ad|7|=d) vd=0(ses_ctx:x|Ph|Mde|Hh|C|A7|O) (10.22.22.101:58728@4 -> 12.34.97.16:80@3)
…
match policy-id=0(pol_ctx:xhf|A|7|=d) vd=0(ses_ctx:cx|Phx|Mde|Hh|C|A7|O) (10.22.22.101:58731@4 -> 173.243.138.71:80@3)
[I]2024-09-02 16:00:38.493831 [p:16157][s:86729655][r:6] wad_http_req_proc_policy :10321 ses_ctx:cx|Phx|Mde|Hh|C|A7|O conn_srv=0 fwd_srv=<nil>
[E]2024-09-02 16:00:38.493832 [p:16157][s:86729655][r:6] wad_http_req_proc_policy :10344 POLICY DENIED
The DNS entry for 'fds1.fortinet.com' resolving to 173.243.138.71 existed, as the dnsproxy cache shows:
FGT-Lab # dia test application dnsproxy 6
2024-09-02 16:02:49 vfid=0 name=fds1.fortinet.com ver=IPv4 wait_list=0 timer=3423 min_refresh=60 min_ttl=3600 cache_ttl=0 slot=-1 num=3 wildcard=0
2024-09-02 16:02:49 12.34.97.16 (ttl=84067:83896:83896)
2024-09-02 16:02:49 208.184.237.66 (ttl=84067:83896:83896)
2024-09-02 16:02:49 173.243.138.71 (ttl=84067:83896:83896)
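As an added diagnostic example (not from this article or from Fortinet), the following Python script correlates the 'debug wad' output with the dnsproxy cache shown above and flags denied sessions whose destination IP is one of the addresses the FQDN in a proxy-policy resolves to, which is the signature of a client that sent the IP address instead of the name. The log samples are constructed from the lines above; the header of the elided policy-id=0 line is assumed.

```python
import re
from collections import defaultdict

# Constructed samples from the debug output above; the header of the policy-id=0 line is assumed (the article elides it).
WAD_DEBUG = """\
[I]2024-09-02 16:00:35.009769 [p:16157][s:86729651][r:1] wad_http_req_policy_set :10748 match policy-id=10(pol_ctx:xhf|Ad|7|=d) vd=0(ses_ctx:x|Ph|Mde|Hh|C|A7|O) (10.22.22.101:58728@4 -> 12.34.97.16:80@3)
[I]2024-09-02 16:00:38.493830 [p:16157][s:86729655][r:6] wad_http_req_policy_set :10748 match policy-id=0(pol_ctx:xhf|A|7|=d) vd=0(ses_ctx:cx|Phx|Mde|Hh|C|A7|O) (10.22.22.101:58731@4 -> 173.243.138.71:80@3)
[E]2024-09-02 16:00:38.493832 [p:16157][s:86729655][r:6] wad_http_req_proc_policy :10344 POLICY DENIED
"""
DNSPROXY = """\
2024-09-02 16:02:49 vfid=0 name=fds1.fortinet.com ver=IPv4 wait_list=0 timer=3423 min_refresh=60 min_ttl=3600 cache_ttl=0 slot=-1 num=3 wildcard=0
2024-09-02 16:02:49 12.34.97.16 (ttl=84067:83896:83896)
2024-09-02 16:02:49 208.184.237.66 (ttl=84067:83896:83896)
2024-09-02 16:02:49 173.243.138.71 (ttl=84067:83896:83896)
"""
# FQDN dstaddr entries of each explicit proxy-policy, taken from the config above.
PROXY_POLICY_FQDNS = {10: {"fds1.fortinet.com"}}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MATCH_RE = re.compile(r"\[s:(\d+)\].*match policy-id=(\d+).*-> (" + IPV4 + r"):\d+@")
DENY_RE = re.compile(r"\[s:(\d+)\].*POLICY DENIED")
NAME_RE = re.compile(r"\bname=(\S+)")
ADDR_RE = re.compile(r"\s(" + IPV4 + r") \(ttl=")

def parse_dns_cache(text):
    """Map each cached FQDN to the set of IPv4 addresses listed under it."""
    cache, current = defaultdict(set), None
    for line in text.splitlines():
        if m := NAME_RE.search(line):
            current = m.group(1)
        elif current and (m := ADDR_RE.search(line)):
            cache[current].add(m.group(1))
    return cache
def parse_wad(text):
    """Collect the matched policy, destination IP and deny flag per WAD session id."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        if m := MATCH_RE.search(line):
            sessions[m.group(1)].update(policy=int(m.group(2)), dst=m.group(3))
        elif m := DENY_RE.search(line):
            sessions[m.group(1)]["denied"] = True
    return sessions
def explain_denies(wad_text, dns_text, policies=PROXY_POLICY_FQDNS):
    """Flag denied sessions whose destination IP belongs to an FQDN that a proxy-policy accepts."""
    cache, findings = parse_dns_cache(dns_text), []
    for sid, s in parse_wad(wad_text).items():
        if s.get("denied"):
            for pid, names in policies.items():
                findings += [(sid, s["dst"], n, pid) for n in names if s["dst"] in cache.get(n, ())]
    return findings
```

Each finding names the session, the IP literal the client used, the FQDN it belongs to and the proxy-policy that would have matched a request sent with that name.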