FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mtse
Staff
Article Id 340493
Description

This article describes how, on FortiGate, a proxy-policy whose destination address is an FQDN matches only client requests that use that FQDN.

Client requests that use the IP address instead will not match a proxy-policy with an FQDN destination. This is the expected behavior.

Scope

FortiGate.
Solution

In an explicit web proxy, the web client is expected to send its HTTP request using the FQDN configured in the proxy-policy.

This differs from a normal firewall policy (when FortiGate is not configured as an explicit web proxy), where FortiGate can perform a reverse DNS lookup on the destination IP to obtain the FQDN used for policy matching.

For example, in the explicit web proxy, the following proxy-policy with an FQDN destination is configured:

config firewall proxy-policy
    edit 10
        set name "Test_Fortiguard"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "ALL"
        set dstaddr "fds1.fortinet.com"  <---- FQDN address object configured as the destination.
        set service "webproxy"
        set action accept
        set status disable
        set schedule "always"
        set logtraffic all
        set utm-status enable
    next
end

Result:

  • The client HTTP request to the FQDN matched proxy-policy 10.
  • The client HTTP request to the IP address did not match proxy-policy 10 and was denied, even though a DNS entry existed mapping fds1.fortinet.com to 173.243.138.71.

The following is the WAD debug capture for both requests.

1. GET http://fds1.fortinet.com/fdsupdate HTTP/1.1  <-----  Result: ALLOWED, match-policy-id=10

text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,a
[I]2024-09-02 16:00:35.009769 [p:16157][s:86729651][r:1] wad_http_req_policy_set           :10748 match policy-id=10(pol_ctx:xhf|Ad|7|=d) vd=0(ses_ctx:x|Ph|Mde|Hh|C|A7|O) (10.22.22.101:58728@4 -> 12.34.97.16:80@3)

2. GET http://173.243.138.71/favicon.ico HTTP/1.1  <-----  Result: POLICY DENIED.

match policy-id=0(pol_ctx:xhf|A|7|=d) vd=0(ses_ctx:cx|Phx|Mde|Hh|C|A7|O) (10.22.22.101:58731@4 -> 173.243.138.71:80@3)
[I]2024-09-02 16:00:38.493831 [p:16157][s:86729655][r:6] wad_http_req_proc_policy          :10321 ses_ctx:cx|Phx|Mde|Hh|C|A7|O conn_srv=0 fwd_srv=<nil>
[E]2024-09-02 16:00:38.493832 [p:16157][s:86729655][r:6] wad_http_req_proc_policy          :10344 POLICY DENIED

The DNS cache entry mapping fds1.fortinet.com to 173.243.138.71 existed at the time of the denied request:

FGT-Lab # dia test application dnsproxy 6

2024-09-02 16:02:49 vfid=0 name=fds1.fortinet.com ver=IPv4 wait_list=0 timer=3423 min_refresh=60 min_ttl=3600 cache_ttl=0 slot=-1 num=3 wildcard=0
2024-09-02 16:02:49   12.34.97.16 (ttl=84067:83896:83896)
2024-09-02 16:02:49   208.184.237.66 (ttl=84067:83896:83896)
2024-09-02 16:02:49   173.243.138.71 (ttl=84067:83896:83896)
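As an added example (not Fortinet code), the following Python helper reads WAD debug lines like those above, pairs each HTTP request with the policy-id WAD matched, and flags the case this article describes: the client named the server by an IP literal and the request fell through to policy-id 0 even though the FQDN resolves to that IP. The sample log text is constructed from the lines quoted above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the request lines and WAD policy-match lines quoted in
# the article, each request followed by the lines WAD logged for it.
WAD_DEBUG = """\
GET http://fds1.fortinet.com/fdsupdate HTTP/1.1
[I]2024-09-02 16:00:35.009769 [p:16157][s:86729651][r:1] wad_http_req_policy_set :10748 match policy-id=10(pol_ctx:xhf|Ad|7|=d) vd=0(ses_ctx:x|Ph|Mde|Hh|C|A7|O) (10.22.22.101:58728@4 -> 12.34.97.16:80@3)
GET http://173.243.138.71/favicon.ico HTTP/1.1
match policy-id=0(pol_ctx:xhf|A|7|=d) vd=0(ses_ctx:cx|Phx|Mde|Hh|C|A7|O) (10.22.22.101:58731@4 -> 173.243.138.71:80@3)
[E]2024-09-02 16:00:38.493832 [p:16157][s:86729655][r:6] wad_http_req_proc_policy :10344 POLICY DENIED
"""

REQ_RE = re.compile(r"^(?:GET|POST|PUT|HEAD|DELETE|OPTIONS|CONNECT)\s+(\S+)\s+HTTP/")
POLICY_RE = re.compile(r"match policy-id=(\d+)")

def host_of(target):
    # Explicit-proxy requests carry an absolute-form URL; CONNECT carries host:port.
    # This literal, not a lookup of the destination IP, is what an FQDN dstaddr
    # in an explicit web proxy policy is compared against.
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.rsplit(":", 1)[0]

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def triage(log_text):
    # Pair each request with the policy-id WAD matched and whether it was denied.
    # An entry with ip_literal=True that ends at policy-id 0 and denied=True is
    # the expected behaviour described in the article, not a DNS problem.
    results, current = [], None
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if m:
            host = host_of(m.group(1))
            current = {"request": line.strip(), "host": host,
                       "ip_literal": is_ip_literal(host),
                       "policy_id": None, "denied": False}
            results.append(current)
        elif current is not None:
            m = POLICY_RE.search(line)
            if m:
                current["policy_id"] = int(m.group(1))
            if "POLICY DENIED" in line:
                current["denied"] = True
    return results
```

Running `triage(WAD_DEBUG)` yields one entry per request; the second shows `host` 173.243.138.71 with `ip_literal` True, `policy_id` 0 and `denied` True, matching the capture above.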
