FortiGate
sjoshi (Staff)
Article Id 339007
Description

This article describes a behavior where only the Webex SaaS application was intended to be routed through a ZTNA proxy configured on a FortiGate and FortiClient EMS, but traffic to www.google.com was also being redirected to the FortiGate.

Scope

FortiGate, FortiClient EMS.

Solution

A ZTNA SaaS application has been configured on both the FortiGate and FortiClient EMS so that Webex traffic is proxied through the FortiGate acting as the ZTNA server. Webex traffic is correctly proxied through ZTNA on the FortiGate, but other traffic, such as connections to www.google.com, also arrives at the FortiGate through the ZTNA proxy, even though only the Webex application was selected on FortiClient EMS.

On the FortiClient endpoint, under ZTNA destinations, only the Webex SaaS application is shown:

[Screenshot: Capture.PNG]

Running a WAD debug on the FortiGate (for example, diagnose wad debug enable level verbose followed by diagnose debug enable) shows the request for www.google.com arriving from FortiClient over the ZTNA SaaS gateway:

[I][p:2071][s:177717][r:2] wad_dump_http_request :2621 hreq=0x7f432ec10048 Received request from client: 10.5.18.235:49785

GET /saas?address=www.google.com&port=443&tls=0 HTTP/1.1 >> the request for www.google.com arrives at the FortiGate from FortiClient
Host: 10.5.21.72:9443
User-Agent: Forticlient
Accept: */*
Upgrade: tcp-forwarding/1.0
Connection: Upgrade
Cookie:
Authorization: Basic

[V][p:2071][s:177717][r:2] wad_http_marker_uri :1272 path=/saas len=5
[V][p:2071][s:177717][r:2] wad_http_parse_host :1651 host_len=15
[V][p:2071][s:177717][r:2] wad_http_parse_host :1687 len=10
[V][p:2071][s:177717][r:2] wad_http_parse_host :1696 len=4
[I][p:2071][s:177717][r:2] wad_http_str_canonicalize :2198 enc=0 path=/saas len=5 changes=0
[I][p:2071][s:177717][r:2] wad_http_str_canonicalize :2200 end=4 path=address=www.google.com&port=443&tls=0 len=37 changes=0
[V][p:2071][s:177717][r:2] wad_http_normalize_uri :2280 host_len=10 path_len=5 query_len=37
[I][p:2071][s:177717][r:2] wad_http_req_detect_special :15156 captive_portal detected: false, preflight=(null)
[I][p:2071][s:177717][r:2] wad_vs_proxy_match_gwy :4178 1:ZTNA-SaaS-VIP: matching gwy with vhost(_def_virtual_host_)
[V][p:2071][s:177717][r:2] wad_vs_proxy_match_vhost :4239 1:ZTNA-SaaS-VIP: matching vhost by: 10.5.21.72
[V][p:2071][s:177717][r:2] wad_vs_matcher_map_find :668 Empty matcher!
[V][p:2071][s:177717][r:2] wad_vs_proxy_match_vhost :4242 1:ZTNA-SaaS-VIP: no host matched.
[I][p:2071][s:177717][r:2] wad_vs_proxy_match_gwy :4197 1:ZTNA-SaaS-VIP: matching gwy by (/saas) with vhost(_def_virtual_host_).
[V][p:2071][s:177717][r:2] wad_pattern_matcher_search :1207 pattern-match succ:/saas
[I][p:2071][s:177717][r:2] wad_vs_proxy_match_gwy :4215 1:ZTNA-SaaS-VIP: Matched gwy(1) type(saas).
[I][p:2071][s:177717][r:2] wad_http_srv_selector_static_make :1014 make static server selector.
[I][p:2071][s:177717][r:2] wad_vs_gwy_saas_dst_ovrd :3384 1:ZTNA-SaaS-VIP:1: req(0x7f432ec10048) query(address=www.google.com&port=443&tls=0)
[I][p:2071][s:177717][r:2] wad_vs_gwy_tcp_get_parameters :2924 1:ZTNA-SaaS-VIP:1: got fqdn=www.google.com.
[V][p:2071][s:177717][r:2] wad_pattern_matcher_search :1207 pattern-match succ:www.google.com
[V][p:2071][s:177717][r:2] wad_saas_have_domain :486 domain 'www.google.com' matched saas app 'webex' acc '', match_main: 0, match_acc: 0 >> the FQDN www.google.com matches the SaaS application webex
[W][p:2071][s:177717][r:2] wad_vs_proxy_dns_resolve :3070 req(0x7f432ec10048) vs DNS request name=www.google.com len=14 type/pref=0/0
[I][p:2071][s:177717][r:2] __wad_dns_send_query :771 0:0: sending DNS request for remote peer www.google.com id=0 IPv4
[V][p:2071][s:177717][r:2] wad_http_msg_strm_pause :1065 strm paused, flag=0x2 is_clt=1
[V][p:2071][s:177717][r:2] wad_http_clt_read_sync :1951 hs=0x7f432f24f228 pause=(1/0x2) ret=1 execute=wad_http_clt_read_req_line
[V][p:2071][s:177717][r:2] wad_tcp_port_out_read_block :1005 tcp_port 0x7f432efbc568 fd=105 on=1 n_out_block=0~>1 in(/out)_shutdown=0/0 closed=0 state=2.
[V][p:2071][s:177717][r:2] wad_tcp_port_transport_read_block :960 tcp_port 0x7f432efbc568 fd=105 on=1 n_out_block=0~>1 in(/out)_shutdown=0/0 closed=0 events=0x1.
[V][p:2071][s:177717][r:2] wad_tcp_port_transport_read_block :974 sock 105 read_block enforced, turn off readability.
[I][p:2071][s:177717][r:2] wad_tcp_port_on_event :1963 sock 105 remove readability events=0x0.
[V][p:2071][s:177717][r:2] wad_tcp_port_window_adjust :463 tcp_port 0x7f432efbc568 window-type 0 set 0 SNDBUF 131072 RCVBUF 492160
[I][p:2071][s:177718] wad_tcp_port_on_event :1887 start processing tcp event=0x1 events=0x1 fd=106 n_out_block=0 state=2 close/shut=0/0 n_out_block=0
[I][p:2071][s:177718] wad_tcp_port_on_read :1763 sock 106 read (189,3891)
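To triage this kind of WAD debug output without reading every line by hand, the following Python script (added here as an example; it is not Fortinet code and not part of the original article) groups the lines by WAD session ID, extracts the destination that FortiClient requested on the /saas gateway (the address, port and tls query parameters) together with the SaaS application that the domain matcher credited it to, and flags every destination that falls outside the domain suffixes the operator expected the selected application to cover. The debug text embedded in it is constructed to resemble the lines above (a second session for a Webex domain is added for contrast), and the expected suffix list is an assumption used for illustration, not an official Webex domain list.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of FortiGate WAD debug output, shaped like the article's
# capture. Not a real capture: session IDs, addresses and ports are made up.
SAMPLE_WAD_DEBUG = """\
[I][p:2071][s:177717][r:2] wad_dump_http_request :2621 hreq=0x7f432ec10048 Received request from client: 10.5.18.235:49785
GET /saas?address=www.google.com&port=443&tls=0 HTTP/1.1
Host: 10.5.21.72:9443
User-Agent: Forticlient
Upgrade: tcp-forwarding/1.0
Connection: Upgrade
[I][p:2071][s:177717][r:2] wad_vs_proxy_match_gwy :4215 1:ZTNA-SaaS-VIP: Matched gwy(1) type(saas).
[I][p:2071][s:177717][r:2] wad_vs_gwy_tcp_get_parameters :2924 1:ZTNA-SaaS-VIP:1: got fqdn=www.google.com.
[V][p:2071][s:177717][r:2] wad_saas_have_domain :486 domain 'www.google.com' matched saas app 'webex' acc '', match_main: 0, match_acc: 0
[I][p:2071][s:177718][r:2] wad_dump_http_request :2621 hreq=0x7f432ec20048 Received request from client: 10.5.18.235:49790
GET /saas?address=www.webex.com&port=443&tls=0 HTTP/1.1
Host: 10.5.21.72:9443
User-Agent: Forticlient
[I][p:2071][s:177718][r:2] wad_vs_gwy_tcp_get_parameters :2924 1:ZTNA-SaaS-VIP:1: got fqdn=www.webex.com.
[V][p:2071][s:177718][r:2] wad_saas_have_domain :486 domain 'www.webex.com' matched saas app 'webex' acc '', match_main: 0, match_acc: 0
"""

# Assumed list of domain suffixes the operator believes the selected SaaS app
# should cover; anything proxied outside it is worth a second look.
EXPECTED_WEBEX_SUFFIXES = ["webex.com"]

SESSION_RE = re.compile(r"\[s:(\d+)\]")
CLIENT_RE = re.compile(r"Received request from client: (\S+)")
SAAS_REQ_RE = re.compile(r"^GET /saas\?(\S+) HTTP/")
MATCH_RE = re.compile(r"domain '([^']+)' matched saas app '([^']*)'")


def parse_saas_sessions(debug_text):
    """Group WAD debug lines by their [s:<id>] marker and collect, per session,
    the client address, the /saas request parameters and the SaaS app that
    claimed the FQDN. HTTP header lines carry no session marker, so they are
    attributed to the most recently seen session."""
    sessions = {}
    current = None
    for line in debug_text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = m.group(1)
            sessions.setdefault(current, {"session": current})
        if current is None:
            continue  # stray line before any session marker
        rec = sessions[current]
        if (m := CLIENT_RE.search(line)):
            rec["client"] = m.group(1)
        elif (m := SAAS_REQ_RE.match(line)):
            q = parse_qs(m.group(1))
            rec["address"] = q.get("address", [""])[0]
            rec["port"] = int(q.get("port", ["0"])[0])
            rec["tls"] = q.get("tls", ["0"])[0] == "1"
        elif (m := MATCH_RE.search(line)):
            rec["matched_domain"] = m.group(1)
            rec["matched_app"] = m.group(2)
    # Only sessions that actually carried a /saas tcp-forwarding request matter here.
    return [s for s in sessions.values() if "address" in s]


def flag_unexpected(sessions, expected_suffixes):
    """Return the sessions whose forwarded FQDN is neither one of the expected
    suffixes nor a subdomain of one (exact or dot-boundary suffix match)."""
    def expected(fqdn):
        return any(fqdn == suf or fqdn.endswith("." + suf) for suf in expected_suffixes)
    return [s for s in sessions if not expected(s["address"])]


if __name__ == "__main__":
    found = parse_saas_sessions(SAMPLE_WAD_DEBUG)
    for s in found:
        print(f"session {s['session']}: {s['client']} -> {s['address']}:{s['port']} "
              f"tls={s['tls']} claimed by app '{s.get('matched_app', '?')}'")
    for s in flag_unexpected(found, EXPECTED_WEBEX_SUFFIXES):
        print(f"UNEXPECTED: {s['address']} proxied under app '{s.get('matched_app', '?')}'")
```

Run against a real capture, the unexpected list is the set of FQDNs to look up in the SaaS application's domain list on EMS; a hit there, as with google.com in this article, means the behavior is the application definition rather than a policy mismatch.
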
On the FortiClient EMS:

[Screenshot: Capture.PNG]

The FQDN google.com is itself part of the Webex SaaS application definition on FortiClient EMS, and the debug output above shows the WAD domain matcher crediting www.google.com to the webex SaaS app. That is why, even though only the Webex SaaS application is selected, google.com traffic is diverted to the FortiGate acting as the ZTNA server. Before selecting a SaaS application as a ZTNA destination, review its full FQDN list on EMS: every domain in that list will be proxied through the FortiGate, not only the ones associated with the application's name.