FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Sachin_Alex_Cherian_
Description
This article describes the configuration procedure for enabling transparent web proxy forwarding from FortiGate.
In previous versions explicit proxy had to be configured but we would now be able to have the user traffic (HTTP/HTTPS) be forwarded without having to configure any proxy setting on the user/browser side.


This only explains the configuration part on the FortiGate, the proxy server configuration should already have been verified for the setup to work properly.

The policy needs to be setup in proxy inspection mode.
The ssl-ssh-inspection profile needs to be enabled for the device to be able to proxy HTTPS connection.

If same is disabled only HTTPS traffic will be proxied.


Solution
Diagram.








# config web-proxy forward-server
    edit "prxy-frwd"
        set ip 192.168.200.2
        set port 8080
    next
end
# config firewall policy
    edit 1
        set name "internet-prxy-frwd"
        set srcintf "port10"
        set dstintf "port5"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set webproxy-forward-server "prxy-frwd"
        set nat enable
    next
end

The normal debug flow trace or the session list will not show much details regarding the traffic as the wad daemon processes the traffic.

WAD debugs.

WAD  debug will show a lot of output and needs to be filtered properly. Below outputs are truncated to show only necessary details. The logs filtered with source IP, if source generating too much traffic then filter using destination IP.
# diag wad filter list
        drop unknown sessions: enabled
        source ip: 192.168.100.10-192.168.100.10

[p:214][s:459215611][r:1162]wad_http_parse_host(2359): len=11 example.com
[p:214][s:459215611][r:1162]wad_http_parse_check_uri(6469): ret=1
[p:214][s:459215611][r:1162]wad_http_proc_request(26471): http client 0x7ff61b29c360 content_len_status=0 body_len=0 uri-check=0 from-icap=0 special_path=0
[0x7ff61b3cb6b0] Received request from client: 192.168.100.10:50884
:
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
:
[0x7ff61b3cb6b0] Forward request to server:
GET http://example.com/ HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
:
[0x7ff61b3cb6b0] Received response from server:
HTTP/1.1 200 OK
Content-Encoding: gzip
Accept-Ranges: bytes
Age: 338554
Cache-Control: max-age=604800
Content-Type: text/html; charset=UTF-8
Date: Tue, 13 Jul 2021 05:22:38 GMT
Etag: "3147526947+gzip"
Expires: Tue, 20 Jul 2021 05:22:38 GMT
Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
Server: ECS (dcb/7EEC)
Vary: Accept-Encoding
X-Cache: HIT
Content-Length: 648
WAD session list.
# diag  wad session list

Session: transparent proxy 192.168.100.10:50920(192.168.200.1:16799)->192.168.200.2:8080
    id=459250917 worker=0 vd=0:0 fw-policy=1
    duration=4 expire=3587 session-ttl=3590
    state=3 app=http sub_type=0 wan_opt_mode=0 dd_method=0
    SSL disabled
    to-client
        TCP Port:
            state=2 r_blocks=0 w_blocks=0 read_blocked=0
            bytes_in=631 bytes_out=2039 shutdown=0x0
    to-server
        TCP Port:
            state=2 r_blocks=0 w_blocks=0 read_blocked=0
            bytes_in=2039 bytes_out=667 shutdown=0x0

port10 capture (client side) for 3-way handshake

2021-07-13 07:47:51.839894 port10 in 192.168.100.10.50920 -> 93.184.216.34.80: syn 2448334501
2021-07-13 07:47:51.839924 port10 out 93.184.216.34.80 -> 192.168.100.10.50920: syn 2787557449 ack 2448334502
2021-07-13 07:47:51.854300 port10 in 192.168.100.10.50919 -> 93.184.216.34.80: ack 214981158

port5 capture (proxy server side) for same connection 3-way handshake
Note that the destination IP and port changed as per configuration.

2021-07-13 07:47:51.854771 port5 out 192.168.200.1.16799 -> 192.168.200.2.8080: syn 3850260143
2021-07-13 07:47:51.856697 port5 in 192.168.200.2.8080 -> 192.168.200.1.16798: syn 928961452 ack 398123839
2021-07-13 07:47:51.856726 port5 out 192.168.200.1.16798 -> 192.168.200.2.8080: ack 928961453

Contributors