Created on 10-03-2012 08:08 AM Edited on 06-09-2022 09:11 PM By
The purpose of this article is to describe a solution for applying Policy Based Routing (PbR) to traffic handled by the web proxy of the FortiGate.
When you enable the explicit proxy of the FortiGate, the traffic concerned is "proxied" on the FortiGate. That is to say, the FortiGate acts as the termination of the ingress traffic, and as the source of the egress traffic.
From an IP point of view, the source IP address of the egress traffic is no longer that of the host generating the request, but the IP address of the interface selected by the routing lookup. Moreover, the ingress interface is no longer a physical interface, but a virtual interface called "web-proxy".
As a consequence, it is not possible to apply policy based routing (PbR) to this traffic, because the "web-proxy" interface cannot be selected as the incoming interface of a PbR policy.
A solution is to create a separate VDOM containing the explicit proxy. This VDOM handles the HTTP traffic and routes it to the "root" VDOM, where PbR can be applied.
This article is related to the explicit proxy running in the FortiGate.
- user group 2 HTTP traffic should use the FortiGate explicit proxy. For this traffic, the explicit proxy should use port2 to reach the Internet.
- user group 2 non-HTTP traffic goes directly to the Internet using port1
- user group 1: all traffic goes through the default route on port1
It is assumed that you have already set up a dual-WAN configuration, with port1 as the primary interface and port2 as a "secondary" interface that will be used to handle the HTTP traffic from the web proxy.
The routing table should look like:
The configuration steps below add an EXPLICIT proxy VDOM and allow traffic going from this VDOM to port2.
1/ Enable multi-VDOM mode and create the "EXPLICIT" VDOM. Move the VLAN121 interface to the EXPLICIT VDOM.
You need to log in again at this step.
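The inter-VDOM link and the "root" VDOM policy routing that the remaining steps build, as an added example (not the article's own configuration). Assumed: the link is named "vlink" (FortiOS creates the interfaces vlink0 and vlink1 from it), the transit subnet is 10.255.0.0/30, the EXPLICIT VDOM's default route points to 10.255.0.2 over vlink0, and <PORT2_GATEWAY> is a placeholder for the next hop of port2.

```fortios
# Global: create the inter-VDOM link and give each end to a VDOM (names and /30 assumed)
config global
    config system vdom-link
        edit vlink
        next
    end
    config system interface
        edit vlink0
            set vdom EXPLICIT
            set ip 10.255.0.1 255.255.255.252
        next
        edit vlink1
            set vdom root
            set ip 10.255.0.2 255.255.255.252
        next
    end
end
# root VDOM: proxied HTTP traffic now enters on vlink1, a selectable interface,
# so PbR can match it as input-device and steer it to port2 instead of the default route
config vdom
    edit root
        config router policy
            edit 1
                set input-device vlink1
                set protocol 6
                set output-device port2
                set gateway <PORT2_GATEWAY>
            next
        end
        # The firewall policy that permits and NATs the traffic from the link to port2
        config firewall policy
            edit 1
                set srcintf vlink1
                set dstintf port2
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service HTTP
                set nat enable
            next
        end
    next
end
```

The explicit proxy itself (listening on VLAN121 in the EXPLICIT VDOM) and that VDOM's static route over vlink0 are configured separately and are not shown here.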
As the explicit proxy of the FortiGate listens on port 8080, you need to capture the debug output on port 8080 (ingress traffic) and port 80 (egress traffic). Check that the traffic is going through port2, and not port1.
To troubleshoot this, you can use the well-known commands:
diag sniffer packet should be used on the 'any' interface with the appropriate filter. You need to select the ingress port (in general 8080) as well as the egress port (in general 80). If you know the IP address of the destination, you should also include this address in the filter to limit the amount of output displayed. The "diag sniffer packet" command should be run in the "root" VDOM.
diag debug flow should be used to ensure that the traffic is accepted in the EXPLICIT VDOM and is directed to the inter-VDOM link. Then, "diag debug flow" should show that the traffic is accepted in the "root" VDOM and is going out through port2.
In this example, a host from "user group 2" browses http://www.fortinet.com