Description
This article describes how to configure transparent web proxy forwarding on a FortiGate.
In previous versions an explicit proxy had to be configured; now user HTTP and HTTPS traffic can be forwarded to an upstream proxy server without any proxy settings on the user or browser side.
This article covers only the FortiGate configuration; the proxy server itself should already have been verified to work before this setup is applied.
The firewall policy needs to be set up in proxy inspection mode.
An ssl-ssh-inspection profile needs to be enabled on the policy for the FortiGate to be able to proxy HTTPS connections.
If it is disabled, only HTTP traffic will be proxied.
Solution
Diagram.

# config web-proxy forward-server
    edit "prxy-frwd"
        set ip 192.168.200.2
        set port 8080
    next
end
# config firewall policy
    edit 1
        set name "internet-prxy-frwd"
        set srcintf "port10"
        set dstintf "port5"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set webproxy-forward-server "prxy-frwd"
        set nat enable
    next
end
The normal debug flow trace or the session list will not show much details regarding the traffic as the wad daemon processes the traffic.
WAD debugs.
WAD debug produces a lot of output and needs to be filtered properly. The outputs below are truncated to show only the necessary details. The logs here are filtered by source IP; if the source is generating too much traffic, filter by destination IP instead.
# diag wad filter list
drop unknown sessions: enabled
source ip: 192.168.100.10-192.168.100.10
[p:214][s:459215611][r:1162]wad_http_parse_host(2359): len=11 example.com
[p:214][s:459215611][r:1162]wad_http_parse_check_uri(6469): ret=1
[p:214][s:459215611][r:1162]wad_http_proc_request(26471): http client 0x7ff61b29c360 content_len_status=0 body_len=0 uri-check=0 from-icap=0 special_path=0
[0x7ff61b3cb6b0] Received request from client: 192.168.100.10:50884
:
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
:
[0x7ff61b3cb6b0] Forward request to server:
GET http://example.com/ HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
:
[0x7ff61b3cb6b0] Received response from server:
HTTP/1.1 200 OK
Content-Encoding: gzip
Accept-Ranges: bytes
Age: 338554
Cache-Control: max-age=604800
Content-Type: text/html; charset=UTF-8
Date: Tue, 13 Jul 2021 05:22:38 GMT
Etag: "3147526947+gzip"
Expires: Tue, 20 Jul 2021 05:22:38 GMT
Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
Server: ECS (dcb/7EEC)
Vary: Accept-Encoding
X-Cache: HIT
Content-Length: 648
WAD session list.
# diag wad session list
Session: transparent proxy 192.168.100.10:50920(192.168.200.1:16799)->192.168.200.2:8080
id=459250917 worker=0 vd=0:0 fw-policy=1
duration=4 expire=3587 session-ttl=3590
state=3 app=http sub_type=0 wan_opt_mode=0 dd_method=0
SSL disabled
to-client
TCP Port:
state=2 r_blocks=0 w_blocks=0 read_blocked=0
bytes_in=631 bytes_out=2039 shutdown=0x0
to-server
TCP Port:
state=2 r_blocks=0 w_blocks=0 read_blocked=0
bytes_in=2039 bytes_out=667 shutdown=0x0
port10 capture (client side) of the 3-way handshake:
2021-07-13 07:47:51.839894 port10 in 192.168.100.10.50920 -> 93.184.216.34.80: syn 2448334501
2021-07-13 07:47:51.839924 port10 out 93.184.216.34.80 -> 192.168.100.10.50920: syn 2787557449 ack 2448334502
2021-07-13 07:47:51.854300 port10 in 192.168.100.10.50919 -> 93.184.216.34.80: ack 214981158
port5 capture (proxy server side) of the same connection's 3-way handshake:
Note that the destination IP and port have been changed to the configured forward server.
2021-07-13 07:47:51.854771 port5 out 192.168.200.1.16799 -> 192.168.200.2.8080: syn 3850260143
2021-07-13 07:47:51.856697 port5 in 192.168.200.2.8080 -> 192.168.200.1.16798: syn 928961452 ack 398123839
2021-07-13 07:47:51.856726 port5 out 192.168.200.1.16798 -> 192.168.200.2.8080: ack 928961453
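As an added check that is not part of this article, the following Python script parses the "diag wad session list" header and the sniffer lines shown above and confirms the forwarding behaviour: the client-side SYN still targets the origin server (the client is unaware of the proxy) while the proxy-side SYN is rewritten to the configured forward server. The sample lines are constructed copies of the article's output, and the interface names and forward-server address are taken from the configuration above.

```python
import re

# Constructed sample input modelled on this article's config and debug output (runs offline).
FORWARD_SERVER = ("192.168.200.2", 8080)     # from 'config web-proxy forward-server'
CLIENT_INTF, PROXY_INTF = "port10", "port5"  # srcintf / dstintf of the firewall policy
SESSION_LINE = "Session: transparent proxy 192.168.100.10:50920(192.168.200.1:16799)->192.168.200.2:8080"
SNIFFER_LINES = [
    "2021-07-13 07:47:51.839894 port10 in 192.168.100.10.50920 -> 93.184.216.34.80: syn 2448334501",
    "2021-07-13 07:47:51.854771 port5 out 192.168.200.1.16799 -> 192.168.200.2.8080: syn 3850260143",
]

SESSION_RE = re.compile(r"Session: (?P<mode>\w+ proxy) (?P<cip>[\d.]+):(?P<cport>\d+)"
                        r"\((?P<sip>[\d.]+):(?P<sport>\d+)\)->(?P<dip>[\d.]+):(?P<dport>\d+)")
# Matches only the first packet of a handshake ("syn <seq>" with no trailing "ack").
SYN_RE = re.compile(r"^\S+ \S+ (?P<intf>\S+) (?:in|out) [\d.]+\.\d+ -> "
                    r"(?P<dip>[\d.]+)\.(?P<dport>\d+): syn \d+$")

def parse_session(line):
    """Parse a 'diag wad session list' header into mode, client, SNAT address and destination."""
    m = SESSION_RE.match(line)
    return m and {"mode": m["mode"], "client": (m["cip"], int(m["cport"])),
                  "snat": (m["sip"], int(m["sport"])), "dst": (m["dip"], int(m["dport"]))}

def first_syn_dst(lines):
    """Map interface name -> (dst_ip, dst_port) of the first pure SYN captured on it."""
    out = {}
    for line in lines:
        m = SYN_RE.match(line)
        if m and m["intf"] not in out:
            out[m["intf"]] = (m["dip"], int(m["dport"]))
    return out

def check_forwarding(session_line, sniffer_lines, forward_server, client_intf, proxy_intf):
    """Return a list of findings; an empty list means traffic left for the forward server as configured."""
    s = parse_session(session_line)
    if s is None:
        return ["session line not recognised"]
    findings = []
    if s["mode"] != "transparent proxy":
        findings.append("session mode is '%s', expected transparent proxy" % s["mode"])
    if s["dst"] != forward_server:
        findings.append("WAD connects to %s:%d instead of the forward server" % s["dst"])
    syns = first_syn_dst(sniffer_lines)
    # Client side: original destination must be untouched, the client is unaware of the proxy.
    if syns.get(client_intf) in (None, forward_server):
        findings.append("client-side SYN on %s missing or already aimed at the proxy" % client_intf)
    # Proxy side: the SYN must have been rewritten to the configured forward server.
    if syns.get(proxy_intf) != forward_server:
        findings.append("proxy-side SYN on %s not sent to the forward server" % proxy_intf)
    return findings
```

Paste the real "diag wad session list" header and "diag sniffer packet" lines from your own unit in place of the constructed samples; any non-empty result points at which hop is not following the configuration.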