Description
This article describes the first steps in troubleshooting explicit proxy connections through FortiProxy: verifying the proxy and client configuration, confirming that the traffic matches a proxy policy, and confirming that authentication (if configured) succeeds.
Scope
FortiProxy.
Solution
Step 1 - Check the explicit proxy configuration.
- Configuration on the FortiProxy.
FortiProxy GUI: Navigate to Proxy Setting -> Explicit Proxy.
FortiProxy CLI:
config web-proxy explicit-proxy
edit "web-proxy" <-
set status enable
set interface "port2" <- port2 IP = 192.168.1.1.
set http-incoming-port 8080
set https-incoming-port 8080
next
end
- Configuration on the client machine.
Check in the Windows Proxy setting or the browser’s proxy setting.
Make sure the proxy address configured on the client matches the IP of the interface the explicit proxy listens on (port2, 192.168.1.1 in this example), and that the proxy port matches the configured incoming port (8080 for both HTTP and HTTPS here). A mismatch in either value means the request never reaches the explicit proxy, so nothing appears in the WAD debugs.
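To check the client side without depending on browser settings, the following added example (not Fortinet code) hand-builds the two request forms a browser sends to an explicit proxy and sends them to the proxy address from this article. The absolute URL in the request line is what WAD later logs as absUrl=1, and the CONNECT form is what precedes the '200 Connection established' reply for HTTPS. The proxy address, port and the test credentials (user abhi) are assumptions taken from this article; adjust them for your environment.

```python
"""Raw explicit-proxy requests as a client-side check (added example, not Fortinet code).

Assumes the proxy from the article: 192.168.1.1:8080 on port2.
"""
import base64
import socket
from typing import Optional, Tuple

PROXY_HOST = "192.168.1.1"   # port2 IP of the FortiProxy (assumed, from the article)
PROXY_PORT = 8080            # http-incoming-port / https-incoming-port


def basic_proxy_auth(user: str, password: str) -> str:
    """Proxy-Authorization value for an authentication scheme with 'set method basic'."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_http_request(url_host: str, path: str = "/",
                       creds: Optional[Tuple[str, str]] = None) -> bytes:
    """Plain-HTTP request as a browser sends it to an explicit proxy.

    The request line carries the absolute URL (seen as absUrl=1 in WAD debugs)
    and Proxy-Connection replaces Connection for the proxy hop.
    """
    lines = [
        f"GET http://{url_host}{path} HTTP/1.1",
        f"Host: {url_host}",
        "Proxy-Connection: keep-alive",
        "User-Agent: explicit-proxy-check/1.0",
        "Accept: */*",
    ]
    if creds:
        lines.append("Proxy-Authorization: " + basic_proxy_auth(*creds))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def build_connect_request(url_host: str, port: int = 443,
                          creds: Optional[Tuple[str, str]] = None) -> bytes:
    """HTTPS through an explicit proxy starts with CONNECT host:port.

    A working proxy answers 'HTTP/1.1 200 Connection established'; the TLS
    handshake with the origin server then runs inside the tunnel.
    """
    lines = [
        f"CONNECT {url_host}:{port} HTTP/1.1",
        f"Host: {url_host}:{port}",
        "Proxy-Connection: keep-alive",
    ]
    if creds:
        lines.append("Proxy-Authorization: " + basic_proxy_auth(*creds))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_status(response: bytes) -> Tuple[int, str]:
    """Return (status_code, reason) from the first line of a proxy response."""
    first = response.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = first.split(" ", 2)
    return int(parts[1]), (parts[2] if len(parts) > 2 else "")


def send_via_proxy(request: bytes, proxy_host: str = PROXY_HOST,
                   proxy_port: int = PROXY_PORT, timeout: float = 5.0) -> bytes:
    """Send the raw request to the proxy and return the response header block.

    Reading only the headers is enough to tell 200, 407 (proxy wants
    credentials) and 403 (policy denied) apart.
    """
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf


if __name__ == "__main__":
    # Run from a client in the proxy's segment (192.168.1.0/24 in the article).
    resp = send_via_proxy(build_http_request("apple.com", "/"))
    print(parse_status(resp))
    resp = send_via_proxy(build_connect_request("apple.com", 443, ("abhi", "password")))
    print(parse_status(resp))
```

A 407 response with basic authentication configured is expected on the first request and is not an error; the retry carrying Proxy-Authorization is what the authentication debug in Step 3 refers to.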
Step 2 - Check if the traffic is matching the configured policy.
- When the traffic is not matched, expect to see 'No policy matched!' in WAD debugs as shown below:
GET http://apple.com/ HTTP/1.1 <-
Host: apple.com
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 Edg/112.0.1722.34
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
[I]2023-04-07 11:03:59.155959 [p:11089][s:2060731322][r:592] __wad_dns_send_query :772 0:0: sending DNS request for remote peer apple.com id=0 IPv4
[I]2023-04-07 11:03:59.178897 [p:11089] wad_dns_parse_name_resp :205 0: DNS response received for remote host apple.com req-id=0 ipv4=1 <- DNS response received for host apple.com.
[V]2023-04-07 11:03:59.178929 [p:11089] wad_dns_parse_name_resp :324 apple.com: resp_type=1 notify=1 cdata=0 17.253.144.10
[I]2023-04-07 11:03:59.178932 [p:11089][s:2060731322][r:592] wad_http_dns_request_done :12241 [0x7fc5a1c8b1f8] DNS resolved: 17.253.144.10
[V]2023-04-07 11:03:59.179002 [p:11089][s:2060731322][r:592] wad_http_req_proc_dst :12160 HTTP req=0x7fc5a1c8b1f8 check destination/quarantine ret=0
[V]2023-04-07 11:03:59.179007 [p:11089][s:2060731322][r:592] wad_http_req_check_policy :11785 start match policy vd=0(ses_ctx:x|Phx|M|Hh|C|A7|O) (192.168.1.100:63364@6->17.253.144.10:80@3) absUrl=1 <-
[I]2023-04-07 11:03:59.179011 [p:11089][s:2060731322][r:592] wad_fast_match_is_enable :3703 fast matching is enabled
[V]2023-04-07 11:03:59.179015 [p:11089][s:2060731322][r:592] wad_fast_match_get_addr :3440 Get key src:192.168.1.100 <- Source address.
[W]2023-04-07 11:03:59.179016 [p:11089][s:2060731322][r:592] wad_fast_match_one :3607 No policy matched!
The following is the proxy policy configuration in this case.
config firewall policy
edit 1 <-
set type explicit-web
set uuid b4e26394-cc23-51ed-a4d3-e79a5789c19e
set dstintf "port1"
set srcaddr "192.168.1.2/32" <-
set dstaddr "all"
set action accept
set schedule "always"
set service "webproxy"
set explicit-web-proxy "web-proxy" <-
set logtraffic all
set ssl-ssh-profile "certificate-inspection"
next
end
The client's source address (192.168.1.100, shown in 'Get key src') does not match the srcaddr object in policy 1 (192.168.1.2/32), so the traffic fails to match the policy and is dropped with 'No policy matched!'. Check srcaddr, dstaddr, dstintf, service and the explicit-web-proxy binding of each explicit-web policy against the flow logged in 'start match policy'.
- After correcting the policy, the following output can be expected:
[V]2023-04-20 11:34:55.530516 [p:1656][s:562102499][r:50331693] wad_http_req_proc_dst :12160 HTTP req=0x7f687632b0b0 check destination/quarantine ret=0
[V]2023-04-20 11:34:55.530522 [p:1656][s:562102499][r:50331693] wad_http_req_check_policy :11785 start match policy vd=0(ses_ctx:x|Phx|M|Hh|C|A7|O) (192.168.1.100:58660@6->17.253.144.10:443@3) absUrl=1
[I]2023-04-20 11:34:55.530527 [p:1656][s:562102499][r:50331693] wad_fast_match_is_enable :3703 fast matching is enabled
[V]2023-04-20 11:34:55.530530 [p:1656][s:562102499][r:50331693] wad_fast_match_get_addr :3440 Get key src:192.168.1.100
[V]2023-04-20 11:34:55.530533 [p:1656][s:562102499][r:50331693] wad_fast_match_get_dst_intf :3470 Get key dst intf:1
[V]2023-04-20 11:34:55.530535 [p:1656][s:562102499][r:50331693] wad_fast_match_pol_array :3507 Try to maching pol:0, 0/1(pos/sz)
[V]2023-04-20 11:34:55.530537 [p:1656][s:562102499][r:50331693] wad_fw_policy_set_check_id :5335 pol_id=1 dev_cked=0
[I]2023-04-20 11:34:55.530541 [p:1656][s:562102499][r:50331693] wad_fw_policy_async_match :5466 pol_ctx:xhcf|Ad|7?|=d
[I]2023-04-20 11:34:55.530544 [p:1656][s:562102499][r:50331693] wad_http_req_policy_set :10206 match policy-id=1(pol_ctx:xhcf|Ad|7?|=d) vd=0(ses_ctx:x|Phx|Me|Hh|C|A7|O) (192.168.1.100:58660@6 -> 17.253.144.10:443@3) <- Matched policy id = 1.
[V]2023-04-20 11:34:55.530605 [p:1656][s:562102499][r:50331693] wad_http_connect_original_server :7051 [0x7f687632b0b0] Connect to server: 17.253.144.10:443/17.253.144.10:443
[I]2023-04-20 11:34:55.536133 [p:1656][s:562102499][r:50331693] wad_dump_fwd_http_resp :2694 hreq=0x7f687632b0b0 Forward response from Internal:
HTTP/1.1 200 Connection established
Proxy-Agent: Fortinet-Proxy/1.0
Step 3 - If there is authentication, check if the authentication is successful.
- Authentication rule configuration:
config authentication scheme
edit "Test-LDAP" <-
set method basic
set user-database "LDAP=LAB"
next
end
config authentication rule
edit "LDAP-Rule"
set srcintf "port2"
set srcaddr "all"
set dstaddr "all"
set active-auth-method "Test-LDAP" <-
next
end
config firewall policy
edit 1
set type explicit-web
set uuid b4e26394-cc23-51ed-a4d3-e79a5789c19e
set dstintf "port1"
set srcaddr "192.168.1.100/32" <-
set dstaddr "all"
set action accept
set schedule "always"
set service "webproxy"
set explicit-web-proxy "web-proxy"
set logtraffic all
set groups "LDAP-Group" <-
set ssl-ssh-profile "certificate-inspection"
next
end
- When authentication is not successful, the following can be expected:
[I]2023-04-20 12:36:15.460477 [p:1656][s:562102644][r:50331870] wad_fast_match_pol_array :3537 fw_pol_id=1(pol_ctx:xhf|Ad|7|=p) pol_id=0(pflag:H|W|U|A) asyn_info=1
[V]2023-04-20 12:36:15.460479 [p:1656][s:562102644][r:50331870] wad_fw_policy_set_check_id :5335 pol_id=1 dev_cked=0 --> Checking policy id = 1 for this traffic.
[I]2023-04-20 12:36:15.460483 [p:1656][s:562102644][r:50331870] wad_http_req_get_user :11298 process=1656 auth-rule=LDAP-Rule user=/0/0 ip-based/auth-cookie/transact=1/0/0 tp_proxy_auth=0 auth_req=0x7f68764b0480 auth_line=0x7f68764f9748 ---> Found Authentication rule 'LDAP-Rule'.
[I]2023-04-20 12:36:15.460492 [p:1656][s:562102644][r:50331870] wad_usr_pass_authenticate :532 try to authenticate abhi/ tfa=0 --> Found username=abhi.
[I]2023-04-20 12:36:15.460495 [p:1656][s:562102644][r:50331870] wad_hauth_is_sso_guest :1444 check guest for abhi/4
[V]2023-04-20 12:36:15.460498 [p:1656][s:562102644][r:50331870] wad_usr_info_clt_conn_connected :2825 user info connection:connected
[V]2023-04-20 12:36:15.460509 [p:1656][s:562102644][r:50331870] wad_auth_request :1378 user:abhi send auth reqest with no=1 ldaps
[I]2023-04-20 12:36:15.460512 [p:1656][s:562102644][r:50331870] wad_http_auth_status_proc :10582 ses_ctx: ses_ctx:cx|Phx|Me|Hh|C|A7|O authenticate result=pending
[V]2023-04-20 12:36:15.463403 [p:1644] wad_usr_info_get_msg :2106 user_info_svr recv msg type:4 size:35, id=2 --> WAD User_info handles authentication in explicit proxy, and it received the authentication request for the user.
[V]2023-04-20 12:36:15.463437 [p:1644] wad_usr_info_auth_req_handler :981 recv ldap auth request, username=abhi, n_ldaps=1
[V]2023-04-20 12:36:15.463444 [p:1644] wad_ldap_usr_dn_filter :1211 filter=(SAMAccountName=abhi)
[V]2023-04-20 12:36:15.463447 [p:1644] wad_ldap_build_dn_search_req :2111 dn is dc=abhineet,dc=com, filter is (SAMAccountName=abhi)
[I]2023-04-20 12:36:15.469755 [p:1656][s:562102644][r:50331870] wad_http_auth_status_proc :10582 ses_ctx: ses_ctx:cx|Phx|Me|Hh|C|A7|O authenticate result=failure <-
[I]2023-04-20 12:36:15.469923 [p:1656][s:562102644][r:50331870] wad_dump_fwd_http_resp :2694 hreq=0x7f687632abc8
Forward response from Internal:
Based on the above results, authentication for user=abhi failed ('authenticate result=failure'): the WAD user_info process received the request, searched the LDAP directory with filter (SAMAccountName=abhi), and the bind with the supplied credentials was rejected. In this case the password provided was incorrect.
- After providing the correct password, the following outputs were observed.
[V]2023-04-20 12:46:31.047982 [p:1644] wad_usr_info_proc_msg :2148 user info proc msg ret=1 <-
[V]2023-04-20 12:46:31.047848 [p:1656] wad_unix_stream_on_read_data :426 WAD unix stream socket 27 read (0,4080) <-
[1656] read [(0,12) (1f 00 00 00 02 00 00 00 00 00 00 00 )(............)] --> Received response from wad user_info.
[V]2023-04-20 12:46:31.047868 [p:1656] wad_authenticated_user_proc_msg_header:1472 msg=RespAdd code=OK seq=2 data_len=0
[I]2023-04-20 12:46:31.047871 [p:1656] wad_authenticated_proc_user_add_resp:712 code=0
[I]2023-04-20 12:46:31.047873 [p:1656][s:562102730][r:50331957] wad_inform_req_user_add_notify :669 Reponse Add-User from informer: succ auth_req=0x7f68764b20f0
[W]2023-04-20 12:46:31.047875 [p:1656][s:562102730][r:50331957] wad_basic_user_add_notify :1156 auth-st=7 add-auth-st=1 is-local=0
[I]2023-04-20 12:46:31.047879 [p:1656][s:562102730][r:50331957] wad_auth_membership_match :1292 grp(Guest-group): id=1 type=firewall member_sz=1; user(abhi@abhineet.com): type=firewall ms=0x7f68763d4828 ms-type=1 member_sz=7
[I]2023-04-20 12:46:31.047881 [p:1656][s:562102730][r:50331957] wad_auth_membership_match :1292 grp(LDAP-Group): id=2 type=firewall member_sz=1; user(abhi@abhineet.com): type=firewall ms=0x7f68763d4828 ms-type=1 member_sz=7 <-
[I]2023-04-20 12:46:31.047914 [p:1656][s:562102730][r:50331957] wad_usr_collect_usrgrp :2141 Match grp(LDAP-Group): SUCCESS
[I]2023-04-20 12:46:31.047917 [p:1656][s:562102730][r:50331957] wad_auth_membership_match :1292 grp(SSO_Guest_Users): id=16777215 type=guest member_sz=0; user(abhi@abhineet.com): type=firewall ms=0x7f68763d4828 ms-type=1 member_sz=7
[I]2023-04-20 12:46:31.047958 [p:1656][s:562102730][r:50331957] wad_http_auth_status_proc :10582 ses_ctx: ses_ctx:x|Phx|M|Hh|C|A7|O authenticate result=success
[I]2023-04-20 12:46:31.052482 [p:1656][s:562102730][r:50331957] wad_dump_fwd_http_resp :2694 hreq=0x7f6876329d10 Forward response from Internal:
HTTP/1.1 200 Connection established
Proxy-Agent: Fortinet-Proxy/1.0
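The three steps above come down to reading a few markers out of the WAD debug for a given session: the flow in 'start match policy', 'No policy matched!' versus 'match policy-id=N', and 'authenticate result=' with the user and matched groups. The following added example (not Fortinet tooling) groups debug lines by the [s:<id>] session tag and reports which step a session failed at. The sample log is constructed from lines modelled on the output shown in this article; message formats not shown here are not handled.

```python
"""Per-session triage of 'diag wad debug enable all' output (added example, not Fortinet code).

Keys on the [s:<id>] session tag and on message strings visible in the article.
"""
import re
from typing import Dict

# Constructed sample modelled on the article's debug output (not a real capture).
SAMPLE_WAD_LOG = """\
[V]2023-04-07 11:03:59.179007 [p:11089][s:2060731322][r:592] wad_http_req_check_policy :11785 start match policy vd=0(ses_ctx:x|Phx|M|Hh|C|A7|O) (192.168.1.100:63364@6->17.253.144.10:80@3) absUrl=1
[I]2023-04-07 11:03:59.179011 [p:11089][s:2060731322][r:592] wad_fast_match_is_enable :3703 fast matching is enabled
[W]2023-04-07 11:03:59.179016 [p:11089][s:2060731322][r:592] wad_fast_match_one :3607 No policy matched!
[V]2023-04-20 11:34:55.530522 [p:1656][s:562102499][r:50331693] wad_http_req_check_policy :11785 start match policy vd=0(ses_ctx:x|Phx|M|Hh|C|A7|O) (192.168.1.100:58660@6->17.253.144.10:443@3) absUrl=1
[I]2023-04-20 11:34:55.530544 [p:1656][s:562102499][r:50331693] wad_http_req_policy_set :10206 match policy-id=1(pol_ctx:xhcf|Ad|7?|=d) vd=0(ses_ctx:x|Phx|Me|Hh|C|A7|O) (192.168.1.100:58660@6 -> 17.253.144.10:443@3)
[I]2023-04-20 12:36:15.460483 [p:1656][s:562102644][r:50331870] wad_http_req_get_user :11298 process=1656 auth-rule=LDAP-Rule user=/0/0 ip-based/auth-cookie/transact=1/0/0 tp_proxy_auth=0
[I]2023-04-20 12:36:15.460492 [p:1656][s:562102644][r:50331870] wad_usr_pass_authenticate :532 try to authenticate abhi/ tfa=0
[I]2023-04-20 12:36:15.460512 [p:1656][s:562102644][r:50331870] wad_http_auth_status_proc :10582 ses_ctx: ses_ctx:cx|Phx|Me|Hh|C|A7|O authenticate result=pending
[V]2023-04-20 12:36:15.463444 [p:1644] wad_ldap_usr_dn_filter :1211 filter=(SAMAccountName=abhi)
[I]2023-04-20 12:36:15.469755 [p:1656][s:562102644][r:50331870] wad_http_auth_status_proc :10582 ses_ctx: ses_ctx:cx|Phx|Me|Hh|C|A7|O authenticate result=failure
[I]2023-04-20 12:46:31.047914 [p:1656][s:562102730][r:50331957] wad_usr_collect_usrgrp :2141 Match grp(LDAP-Group): SUCCESS
[I]2023-04-20 12:46:31.047958 [p:1656][s:562102730][r:50331957] wad_http_auth_status_proc :10582 ses_ctx: ses_ctx:x|Phx|M|Hh|C|A7|O authenticate result=success
"""

SESSION_RE = re.compile(r"\[s:(\d+)\]")
# Flow as logged by 'start match policy' and 'match policy-id': (src:port@if -> dst:port@if)
FLOW_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3}:\d+)@\d+\s*->\s*(\d{1,3}(?:\.\d{1,3}){3}:\d+)@\d+\)")
POLICY_RE = re.compile(r"match policy-id=(\d+)")
AUTH_RULE_RE = re.compile(r"auth-rule=(\S+)")
USER_RE = re.compile(r"try to authenticate (\S+?)/")
AUTH_RESULT_RE = re.compile(r"authenticate result=(\w+)")
GROUP_RE = re.compile(r"Match grp\(([^)]+)\): SUCCESS")


def new_session() -> dict:
    return {"src": None, "dst": None, "policy_state": "unknown", "policy_id": None,
            "auth_rule": None, "user": None, "auth_result": None, "groups": []}


def triage(log_text: str) -> Dict[str, dict]:
    """Collect per-session policy and authentication markers from WAD debug text."""
    sessions: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue  # user_info (p:1644) and unix-stream lines carry no session tag
        s = sessions.setdefault(m.group(1), new_session())
        if (f := FLOW_RE.search(line)):
            s["src"], s["dst"] = f.group(1), f.group(2)
        if "No policy matched!" in line:
            s["policy_state"] = "no-match"
        elif (p := POLICY_RE.search(line)):
            s["policy_state"], s["policy_id"] = "matched", int(p.group(1))
        if (r := AUTH_RULE_RE.search(line)):
            s["auth_rule"] = r.group(1)
        if (u := USER_RE.search(line)):
            s["user"] = u.group(1)
        if (a := AUTH_RESULT_RE.search(line)):
            s["auth_result"] = a.group(1)  # last result wins: pending -> failure/success
        if (g := GROUP_RE.search(line)):
            s["groups"].append(g.group(1))
    return sessions


def diagnose(s: dict) -> str:
    """Map a session's markers to the troubleshooting step it points at."""
    flow = f"{s['src']} -> {s['dst']}" if s["src"] else "unknown flow"
    if s["policy_state"] == "no-match":
        return (f"No policy matched for {flow}: compare this flow with srcaddr/dstaddr/"
                "dstintf/service of the explicit-web policies (Step 2)")
    if s["auth_result"] == "failure":
        return (f"Authentication failed for user={s['user']} via auth-rule={s['auth_rule']}: "
                "check the credentials and the scheme's user-database (Step 3)")
    if s["auth_result"] == "pending":
        return "Authentication still pending: no final result in this capture"
    parts = []
    if s["policy_id"] is not None:
        parts.append(f"matched policy-id={s['policy_id']}")
    if s["auth_result"] == "success":
        groups = f" (groups: {', '.join(s['groups'])})" if s["groups"] else ""
        parts.append("authentication succeeded" + groups)
    return "; ".join(parts) or "no policy or authentication decision found in this capture"


if __name__ == "__main__":
    for sid, sess in triage(SAMPLE_WAD_LOG).items():
        print(f"session {sid}: {diagnose(sess)}")
```

Feed it the console output captured after 'diag wad filter src <client-ip>' and 'diag wad debug enable all'; without a source filter, busy proxies interleave many sessions and the per-session grouping is what keeps the result readable.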
Some useful WAD debug commands:
diag debug disable
diag deb reset
diag wad filter clear
diag deb console time en
diag wad filter <filter-value> <- For example, diag wad filter src 192.168.1.100. Filter on the client's address, not on the proxy interface address, so that only the sessions from that client are shown.
diag wad debug enable all
diag deb en
Check the WAD session:
diag wad session list
- With Filters:
diag wad filter <filter-value>
diag wad session list
- To clear WAD session:
diag wad session clear
To check authenticated users for explicit proxy connection:
- Run the following:
diag deb enable
diag wad user list
- Run the following:
diag deb en
diag test app wad 2400 <- To go into WAD Informer context.
diag test app wad 110