adavila
Staff & Editor
Article Id 193160

Description

 

This article explains how to configure real-time debugging for web proxy and explicit proxy traffic to a specified destination website.

 

Scope

 

FortiGate.

 

Solution

 

To enable web proxy real-time debug, first configure the destination website in the configuration file by issuing the command:

 

 

config web-proxy debug-url
    edit <entry-name>
        set url-pattern <pattern>
        set status enable
        set exact enable
    next
end

Here, <pattern> is the destination, e.g. www.fortinet.com.

 

Run the debug commands:

 

diagnose wad debug-url enable
diagnose wad console-log enable
diagnose debug enable

 

 

Traffic to the destination website will then be displayed.

 

Alternatively, a second method can be used for full debugging:

 

WAD debug filters can be used in many variations to narrow down the generated logs on the device.

 

For example:

 

diagnose debug console timestamp enable
diagnose wad debug enable category all
diagnose wad debug enable level verbose
diagnose wad debug display pid enable
diagnose wad filter src 192.168.1.1
diagnose wad filter dst 8.8.8.8

 

To check the WAD debug status:

 

diagnose wad debug show

 

Category: ssl
Level: verbose
Save debug on crash: disabled
Display: pid enabled

 

To check WAD debug filters:

 

diagnose wad filter list


drop unknown sessions: disabled
source ip: 192.168.1.1-192.168.1.1
dest ip: 8.8.8.8-8.8.8.8

 

Debugging can be enabled with:

 

diagnose debug enable

 

To stop debugging and clear the filters:

 

diagnose debug disable
diagnose debug reset
diagnose wad debug filter clear

 

Note:

This can produce a very large amount of output, depending on the traffic to the destination. While the debug is running, packet forwarding will be delayed.
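Given the output volume and forwarding delay noted above, the filters can be checked before running diagnose debug enable. The following is an added example, not part of the original article or any Fortinet tooling: it parses diagnose wad filter list output in the format shown above and reports missing or overly wide filters. The 256-address limit, the requirement that both source and destination be set, and treating an absent or unparsable line as "no filter" are assumptions.

```python
import ipaddress

# Constructed sample: the `diagnose wad filter list` output shown in this article.
SAMPLE = """\
drop unknown sessions: disabled
source ip: 192.168.1.1-192.168.1.1
dest ip: 8.8.8.8-8.8.8.8
"""

MAX_HOSTS = 256  # assumption: widest address range accepted per filter


def parse_filter_list(text):
    """Turn 'key: value' lines into a dict; IP ranges become (start, end)."""
    filters = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key in ("source ip", "dest ip"):
            start, _, end = value.partition("-")
            try:
                filters[key] = (ipaddress.ip_address(start.strip()),
                                ipaddress.ip_address((end or start).strip()))
            except ValueError:
                filters[key] = None  # unparsable value: treat as not set
        else:
            filters[key] = value
    return filters


def preflight(text, max_hosts=MAX_HOSTS):
    """Return a list of problems; an empty list means the filters are narrow."""
    filters = parse_filter_list(text)
    problems = []
    for key in ("source ip", "dest ip"):
        rng = filters.get(key)
        if not rng:
            problems.append(f"{key}: no filter set")
            continue
        start, end = rng
        if start.version != end.version or end < start:
            problems.append(f"{key}: malformed range")
        elif int(end) - int(start) + 1 > max_hosts:
            problems.append(f"{key}: range covers more than {max_hosts} addresses")
    return problems


if __name__ == "__main__":
    print(preflight(SAMPLE) or "filters OK, safe to enable debug")
```
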