Description
This article describes the configuration procedure for enabling transparent web proxy forwarding from FortiGate.
Scope
FortiGate.
Solution
This article only explains the configuration part on the FortiGate, the proxy server configuration should already have been verified for the setup to work properly.
The policy needs to be setup in proxy inspection mode.
The ssl-ssh-inspection profile needs to be enabled for the device to be able to proxy HTTPS connection.
If this is disabled, only HTTPS traffic will be proxied.
Diagram:
# config web-proxy forward-server
edit "prxy-frwd"
set ip 192.168.200.2
set port 8080
next
end
# config firewall policy
edit 1
set name "internet-prxy-frwd"
set srcintf "port10"
set dstintf "port5"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set inspection-mode proxy
set ssl-ssh-profile "certificate-inspection"
set logtraffic all
set webproxy-forward-server "prxy-frwd"
set nat enable
next
end
set dstintf "port5"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set inspection-mode proxy
set ssl-ssh-profile "certificate-inspection"
set logtraffic all
set webproxy-forward-server "prxy-frwd"
set nat enable
next
end
The normal debug flow trace or the session list will not show many details regarding the traffic as the WAD daemon processes the traffic.
WAD debugging:
WAD debug output will show a lot of output which must be filtered properly. The following example output is truncated to show only necessary details. The logs are filtered with source IP. If the source generates too much traffic, then filter using destination IP.
diagnose wad filter dst/src <destination_ip/source_ip>
diagnose debug console timestamp enable
diagnose wad debug enable category all
diagnose wad debug enable level verbose
diagnose debug enable
To stop debugging:
diagnose debug disable
diagnose debug reset
diagnose wad debug filter clear
diagnose wad filter list
drop unknown sessions: enabled
source ip: 192.168.100.10-192.168.100.10
[p:214][s:459215611][r:1162]wad_http_parse_host(2359): len=11 example.com
[p:214][s:459215611][r:1162]wad_http_parse_check_uri(6469): ret=1
[p:214][s:459215611][r:1162]wad_http_proc_request(26471): http client 0x7ff61b29c360 content_len_status=0 body_len=0 uri-check=0 from-icap=0 special_path=0
[0x7ff61b3cb6b0] Received request from client: 192.168.100.10:50884
:
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
:
[0x7ff61b3cb6b0] Forward request to server:
GET http://example.com/ HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
:
[0x7ff61b3cb6b0] Received response from server:
HTTP/1.1 200 OK
Content-Encoding: gzip
Accept-Ranges: bytes
Age: 338554
Cache-Control: max-age=604800
Content-Type: text/html; charset=UTF-8
Date: Tue, 13 Jul 2021 05:22:38 GMT
Etag: "3147526947+gzip"
Expires: Tue, 20 Jul 2021 05:22:38 GMT
Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
Server: ECS (dcb/7EEC)
Vary: Accept-Encoding
X-Cache: HIT
Content-Length: 648
WAD session list:
diagnose wad session list
Session: transparent proxy 192.168.100.10:50920(192.168.200.1:16799)->192.168.200.2:8080
id=459250917 worker=0 vd=0:0 fw-policy=1
duration=4 expire=3587 session-ttl=3590
state=3 app=http sub_type=0 wan_opt_mode=0 dd_method=0
SSL disabled
to-client
TCP Port:
state=2 r_blocks=0 w_blocks=0 read_blocked=0
bytes_in=631 bytes_out=2039 shutdown=0x0
to-server
TCP Port:
state=2 r_blocks=0 w_blocks=0 read_blocked=0
bytes_in=2039 bytes_out=667 shutdown=0x0
port10 capture (client side) for 3-way handshake
2021-07-13 07:47:51.839894 port10 in 192.168.100.10.50920 -> 93.184.216.34.80: syn 2448334501
2021-07-13 07:47:51.839924 port10 out 93.184.216.34.80 -> 192.168.100.10.50920: syn 2787557449 ack 2448334502
2021-07-13 07:47:51.854300 port10 in 192.168.100.10.50919 -> 93.184.216.34.80: ack 214981158
port5 capture (proxy server side) for same connection 3-way handshake
Note that the destination IP and port changed as per configuration.
2021-07-13 07:47:51.854771 port5 out 192.168.200.1.16799 -> 192.168.200.2.8080: syn 3850260143
2021-07-13 07:47:51.856697 port5 in 192.168.200.2.8080 -> 192.168.200.1.16798: syn 928961452 ack 398123839
2021-07-13 07:47:51.856726 port5 out 192.168.200.1.16798 -> 192.168.200.2.8080: ack 928961453
Session: transparent proxy 192.168.100.10:50920(192.168.200.1:16799)->192.168.200.2:8080
id=459250917 worker=0 vd=0:0 fw-policy=1
duration=4 expire=3587 session-ttl=3590
state=3 app=http sub_type=0 wan_opt_mode=0 dd_method=0
SSL disabled
to-client
TCP Port:
state=2 r_blocks=0 w_blocks=0 read_blocked=0
bytes_in=631 bytes_out=2039 shutdown=0x0
to-server
TCP Port:
state=2 r_blocks=0 w_blocks=0 read_blocked=0
bytes_in=2039 bytes_out=667 shutdown=0x0
port10 capture (client side) for 3-way handshake
2021-07-13 07:47:51.839894 port10 in 192.168.100.10.50920 -> 93.184.216.34.80: syn 2448334501
2021-07-13 07:47:51.839924 port10 out 93.184.216.34.80 -> 192.168.100.10.50920: syn 2787557449 ack 2448334502
2021-07-13 07:47:51.854300 port10 in 192.168.100.10.50919 -> 93.184.216.34.80: ack 214981158
port5 capture (proxy server side) for same connection 3-way handshake
Note that the destination IP and port changed as per configuration.
2021-07-13 07:47:51.854771 port5 out 192.168.200.1.16799 -> 192.168.200.2.8080: syn 3850260143
2021-07-13 07:47:51.856697 port5 in 192.168.200.2.8080 -> 192.168.200.1.16798: syn 928961452 ack 398123839
2021-07-13 07:47:51.856726 port5 out 192.168.200.1.16798 -> 192.168.200.2.8080: ack 928961453
