Author: martinsd (Staff)
Article Id 338449
Description: This article describes an example of WAD debug output for a Virtual Server (HTTP Host Load Balancing).
Scope: FortiGate and FortiProxy.
Solution:

Diagram:

[Diagram image: 1.drawio (2).png]

WAD Debug:

 

First, collect the debug logs and check which WAD process is handling the traffic of interest (the traffic hitting firewall policy ID 26). In this case it is PID 11340, as seen below. The output is very similar to the one shown here, which is why it was partially omitted; the focus of this article is the load-balancing mechanism.

 

DSRSD_FW # diagnose wad filter vd root
DSRSD_FW # diagnose wad filter firewall-policy 26
DSRSD_FW # diagnose debug console timestamp enable
DSRSD_FW # diagnose wad debug enable all
DSRSD_FW # diagnose wad debug display pid enable
DSRSD_FW # diagnose wad debug enable level verbose
DSRSD_FW # diagnose debug enable

 

Load Balancing based on HTTP Host.

 

CASE 1 - URI = https://wss.dsrsd.pt:8443

 

[I]2024-09-02 15:06:20.975824 [p:11340][s:467757][r:3] wad_dump_http_request :2634 hreq=0x7f9cf0c048 Received request from client: 85.245.105.249:46864

GET / HTTP/1.1
Host: wss.dsrsd.pt:8444
sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
priority: u=0, i

[V]2024-09-02 15:06:20.975859 [p:11340][s:467757][r:3] wad_http_marker_uri :1272 path=/ len=1
[V]2024-09-02 15:06:20.975873 [p:11340][s:467757][r:3] wad_http_parse_host :1651 host_len=17  <-- (wss.dsrsd.pt:8444)
[V]2024-09-02 15:06:20.975883 [p:11340][s:467757][r:3] wad_http_parse_host :1687 len=12  <-- (wss.dsrsd.pt)
[V]2024-09-02 15:06:20.975892 [p:11340][s:467757][r:3] wad_http_parse_host :1696 len=4  <-- (8444)
[I]2024-09-02 15:06:20.975908 [p:11340][s:467757][r:3] wad_http_str_canonicalize :2198 enc=0 path=/ len=1 changes=0
[V]2024-09-02 15:06:20.975919 [p:11340][s:467757][r:3] wad_http_normalize_uri :2305 host_len=12 path_len=1 query_len=0
[I]2024-09-02 15:06:20.975929 [p:11340][s:467757][r:3] wad_http_req_detect_special :15166 captive_portal detected: false, preflight=(null)

 

  • Real Server Match

[I]2024-09-02 15:06:20.975943 [p:11340][s:467757][r:3] wad_http_vs_check_dst_ovrd :1193 2:DSRSD_VS:0: trying to find server for addr(192.168.20.18:443), ldb(6)
[I]2024-09-02 15:06:20.975961 [p:11340][s:467757][r:3] wad_http_vs_check_dst_ovrd :1215 2:DSRSD_VS:0: kernel choose the correct server, keep using original dst 192.168.20.18
[I]2024-09-02 15:06:20.975972 [p:11340][s:467757][r:3] wad_http_vs_check_dst_ovrd :1223 2:DSRSD_VS:0: found server: 192.168.20.18:443
[V]2024-09-02 15:06:20.975986 [p:11340][s:467757][r:3] wad_http_req_exec_act :13686 dst_addr_type=1 wc_nontp=0 sec_web=1 web_cache=0 req_bypass=1
[I]2024-09-02 15:06:20.976008 [p:11340][s:467757][r:3] wad_http_urlfilter_check :383 uri_norm=1 inval_host=0 inval_url=0 scan-hdr/body=1/0 url local=0 block=0 user-cat=0 allow=0 ftgd=0 keyword=0 wisp=0
[I]2024-09-02 15:06:20.976023 [p:11340][s:467757][r:3] wad_http_req_proc_waf :1309 req=0x7f9cf0c048 ssl.deep_scan=0 proto=10 exempt=0 waf=(nil) body_len=18446744073709551615 ua=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 skip_scan=0
[V]2024-09-02 15:06:20.976036 [p:11340][s:467757][r:3] wad_http_req_proc_antiphish :8383 No profile
[V]2024-09-02 15:06:20.976045 [p:11340][s:467757][r:3] wad_http_parse_auth_cookie :1306 cookie_parsed=0 strip=2 pid=11340
[V]2024-09-02 15:06:20.976064 [p:11340][s:467757][r:3] wad_http_session_disconn_srv :1677 hcs=0x7f9de96938 http_svr=(nil)

 

  • Real Server Connection

[I]2024-09-02 15:06:20.976074 [p:11340][s:467757][r:3] wad_http_connect_srv :260
http ses=0x7f9de96938 req=0x7f9cf0c048 ses_ctx=0x7f9ddf8bf8
nontp(0) dst_type(1)
req: dst:192.168.20.18:443, proto:10)
connect svr orig 85.245.105.249:46864->144.64.146.208:8444 out 85.245.105.249:0->192.168.20.18:443
[V]2024-09-02 15:06:20.976096 [p:11340][s:467757][r:3] wad_http_connect_srv :281 [0x7f9cf0c048] Connect to server: :0/192.168.20.18:443

 
CASE 2 - URI = https://fgt.dsrsd.pt:8443

 

[I]2024-09-02 15:06:32.202424 [p:11340][s:467800][r:4] wad_dump_http_request :2634 hreq=0x7f9acb5048 Received request from client: 85.245.105.249:33170

GET / HTTP/1.1
Host: fgt.dsrsd.pt:8444
sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
priority: u=0, i

[V]2024-09-02 15:06:32.202458 [p:11340][s:467800][r:4] wad_http_marker_uri :1272 path=/ len=1
[V]2024-09-02 15:06:32.202472 [p:11340][s:467800][r:4] wad_http_parse_host :1651 host_len=17  <-- (fgt.dsrsd.pt:8444)
[V]2024-09-02 15:06:32.202482 [p:11340][s:467800][r:4] wad_http_parse_host :1687 len=12  <-- (fgt.dsrsd.pt)
[V]2024-09-02 15:06:32.202491 [p:11340][s:467800][r:4] wad_http_parse_host :1696 len=4  <-- (8444)
[I]2024-09-02 15:06:32.202507 [p:11340][s:467800][r:4] wad_http_str_canonicalize :2198 enc=0 path=/ len=1 changes=0
[V]2024-09-02 15:06:32.202517 [p:11340][s:467800][r:4] wad_http_normalize_uri :2305 host_len=12 path_len=1 query_len=0
[I]2024-09-02 15:06:32.202527 [p:11340][s:467800][r:4] wad_http_req_detect_special :15166 captive_portal detected: false, preflight=(null)

 

  • Real Server Match

[I]2024-09-02 15:06:32.202542 [p:11340][s:467800][r:4] wad_http_vs_check_dst_ovrd :1193 2:DSRSD_VS:0: trying to find server for addr(192.168.20.18:443), ldb(6)
[I]2024-09-02 15:06:32.202560 [p:11340][s:467800][r:4] wad_http_vs_check_dst_ovrd :1215 2:DSRSD_VS:0: kernel choose the correct server, keep using original dst 192.168.20.18
[I]2024-09-02 15:06:32.202572 [p:11340][s:467800][r:4] wad_http_vs_check_dst_ovrd :1223 2:DSRSD_VS:0: found server: 192.168.20.18:443
[V]2024-09-02 15:06:32.202585 [p:11340][s:467800][r:4] wad_http_req_exec_act :13686 dst_addr_type=1 wc_nontp=0 sec_web=1 web_cache=0 req_bypass=1
[I]2024-09-02 15:06:32.202608 [p:11340][s:467800][r:4] wad_http_urlfilter_check :383 uri_norm=1 inval_host=0 inval_url=0 scan-hdr/body=1/0 url local=0 block=0 user-cat=0 allow=0 ftgd=0 keyword=0 wisp=0
[I]2024-09-02 15:06:32.202624 [p:11340][s:467800][r:4] wad_http_req_proc_waf :1309 req=0x7f9acb5048 ssl.deep_scan=0 proto=10 exempt=0 waf=(nil) body_len=18446744073709551615 ua=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 skip_scan=0
[V]2024-09-02 15:06:32.202652 [p:11340][s:467800][r:4] wad_http_req_proc_antiphish :8383 No profile
[V]2024-09-02 15:06:32.202662 [p:11340][s:467800][r:4] wad_http_parse_auth_cookie :1306 cookie_parsed=0 strip=2 pid=11340
[V]2024-09-02 15:06:32.202681 [p:11340][s:467800][r:4] wad_http_session_disconn_srv :1677 hcs=0x7f9de96d40 http_svr=(nil)

 

  • Real Server Connection

[I]2024-09-02 15:06:32.202691 [p:11340][s:467800][r:4] wad_http_connect_srv :260
http ses=0x7f9de96d40 req=0x7f9acb5048 ses_ctx=0x7f9ddf9fd8
nontp(0) dst_type(1)
req: dst:192.168.20.18:443, proto:10)
connect svr orig 85.245.105.249:33170->144.64.146.208:8444 out 85.245.105.249:0->192.168.20.18:443
[V]2024-09-02 15:06:32.202714 [p:11340][s:467800][r:4] wad_http_connect_srv :281 [0x7f9acb5048] Connect to server: :0/192.168.20.18:443

 
With this information it is possible to read the WAD debug output for a virtual server more easily: the Host header is parsed, the virtual server (DSRSD_VS) resolves the real server, and the connection is then opened to that real server.
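A full WAD debug capture is much longer than the excerpts above, and the lines that matter for the load-balancing decision are spread across several functions. The script below is an added example, not part of this article and not a Fortinet tool: it parses the line shape shown above (`[level]timestamp [p:pid][s:session][r:request] function :line message`), groups lines by session and request id, attributes the unprefixed lines (the dumped HTTP request and the `connect svr` continuation) to the last prefixed line, and reports per request the client, the Host header, the virtual server name, the `ldb(...)` id as printed, the real server WAD found and whether the kernel's choice was kept. It also compares the real server actually connected to against a Host-to-real-server mapping the operator expects; that mapping, like the sample input, is constructed for the example and not taken from the article.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Line shape taken from the debug output in the article:
#   [level]timestamp [p:pid][s:session][r:request] function :line message
PREFIX_RE = re.compile(
    r"^\[[IVDW]\]\S+ \S+ \[p:(?P<pid>\d+)\]\[s:(?P<sid>\d+)\]\[r:(?P<rid>\d+)\] "
    r"(?P<func>\w+) :\d+\s*(?P<msg>.*)$"
)
CLIENT_RE = re.compile(r"Received request from client: (?P<client>\S+)")
HOST_RE = re.compile(r"^Host:\s*(?P<host>[^:\s]+)(?::(?P<port>\d+))?\s*$", re.I)
VS_RE = re.compile(r"^\d+:(?P<vs>[^:]+):\d+: (?P<rest>.*)$")  # "2:DSRSD_VS:0: ..."
FIND_RE = re.compile(r"trying to find server for addr\((?P<addr>\S+)\), ldb\((?P<ldb>\d+)\)")
FOUND_RE = re.compile(r"found server: (?P<addr>\S+)")
CONNECT_RE = re.compile(r"^connect svr orig \S+->(?P<vip>\S+) out \S+->(?P<real>\S+)$")

# Constructed sample: lines condensed from the two cases in the article
# (same ids, Host headers and addresses; unrelated headers and lines dropped).
SAMPLE_WAD_DEBUG = """\
[I]2024-09-02 15:06:20.975824 [p:11340][s:467757][r:3] wad_dump_http_request :2634 hreq=0x7f9cf0c048 Received request from client: 85.245.105.249:46864

GET / HTTP/1.1
Host: wss.dsrsd.pt:8444
user-agent: Mozilla/5.0 (X11; Linux x86_64)

[I]2024-09-02 15:06:20.975943 [p:11340][s:467757][r:3] wad_http_vs_check_dst_ovrd :1193 2:DSRSD_VS:0: trying to find server for addr(192.168.20.18:443), ldb(6)
[I]2024-09-02 15:06:20.975961 [p:11340][s:467757][r:3] wad_http_vs_check_dst_ovrd :1215 2:DSRSD_VS:0: kernel choose the correct server, keep using original dst 192.168.20.18
[I]2024-09-02 15:06:20.975972 [p:11340][s:467757][r:3] wad_http_vs_check_dst_ovrd :1223 2:DSRSD_VS:0: found server: 192.168.20.18:443
[I]2024-09-02 15:06:20.976074 [p:11340][s:467757][r:3] wad_http_connect_srv :260
nontp(0) dst_type(1)
connect svr orig 85.245.105.249:46864->144.64.146.208:8444 out 85.245.105.249:0->192.168.20.18:443
[I]2024-09-02 15:06:32.202424 [p:11340][s:467800][r:4] wad_dump_http_request :2634 hreq=0x7f9acb5048 Received request from client: 85.245.105.249:33170

GET / HTTP/1.1
Host: fgt.dsrsd.pt:8444

[I]2024-09-02 15:06:32.202542 [p:11340][s:467800][r:4] wad_http_vs_check_dst_ovrd :1193 2:DSRSD_VS:0: trying to find server for addr(192.168.20.18:443), ldb(6)
[I]2024-09-02 15:06:32.202560 [p:11340][s:467800][r:4] wad_http_vs_check_dst_ovrd :1215 2:DSRSD_VS:0: kernel choose the correct server, keep using original dst 192.168.20.18
[I]2024-09-02 15:06:32.202572 [p:11340][s:467800][r:4] wad_http_vs_check_dst_ovrd :1223 2:DSRSD_VS:0: found server: 192.168.20.18:443
[I]2024-09-02 15:06:32.202691 [p:11340][s:467800][r:4] wad_http_connect_srv :260
connect svr orig 85.245.105.249:33170->144.64.146.208:8444 out 85.245.105.249:0->192.168.20.18:443
"""


@dataclass
class VsRequest:
    """What the load-balancing decision for one [s:][r:] pair told us."""
    pid: str
    sid: str
    rid: str
    client: str = ""
    host: str = ""                # Host header name, port split off
    port: Optional[str] = None
    vs: str = ""                  # virtual server name from "N:<name>:M:"
    ldb: Optional[str] = None     # ldb(...) id, reported as printed, not interpreted
    requested: str = ""           # addr WAD asked the virtual server about
    found: str = ""               # real server WAD settled on
    kept_original: bool = False   # "kernel choose the correct server, keep using original dst"
    vip: str = ""                 # original destination (the VIP) from "connect svr"
    real: str = ""                # server WAD actually connects to


def parse_wad_debug(text: str) -> List[VsRequest]:
    """Group debug lines into one VsRequest per session/request id, in order of first appearance."""
    requests: Dict[Tuple[str, str], VsRequest] = {}
    current: Optional[VsRequest] = None  # unprefixed lines belong to the last prefixed one
    for line in (raw.rstrip() for raw in text.splitlines()):
        m = PREFIX_RE.match(line)
        if m:
            key = (m["sid"], m["rid"])
            if key not in requests:
                requests[key] = VsRequest(m["pid"], m["sid"], m["rid"])
            current = requests[key]
            if m["func"] == "wad_dump_http_request" and (c := CLIENT_RE.search(m["msg"])):
                current.client = c["client"]
            elif m["func"] == "wad_http_vs_check_dst_ovrd" and (v := VS_RE.match(m["msg"])):
                current.vs = v["vs"]
                if f := FIND_RE.search(v["rest"]):
                    current.requested, current.ldb = f["addr"], f["ldb"]
                elif "keep using original dst" in v["rest"]:
                    current.kept_original = True
                elif s := FOUND_RE.search(v["rest"]):
                    current.found = s["addr"]
        elif current is not None and line:
            if h := HOST_RE.match(line):
                current.host, current.port = h["host"], h["port"]
            elif c := CONNECT_RE.match(line):
                current.vip, current.real = c["vip"], c["real"]
    return list(requests.values())


def check_expected_servers(reqs: List[VsRequest], expected: Dict[str, str]) -> List[Tuple[str, str, Optional[str], str]]:
    """(session, host, expected real server, actual) for every request that does not match
    the operator's Host -> real-server mapping (an assumed input, not from the debug)."""
    return [(r.sid, r.host, expected.get(r.host), r.real)
            for r in reqs if expected.get(r.host) != r.real]


if __name__ == "__main__":
    for r in parse_wad_debug(SAMPLE_WAD_DEBUG):
        print(f"s:{r.sid} r:{r.rid} client={r.client} Host={r.host}:{r.port} vs={r.vs} "
              f"ldb={r.ldb} vip={r.vip} real={r.real} kept_original={r.kept_original}")
```

Feed it the output of `diagnose debug` saved to a file (`parse_wad_debug(open("wad.log").read())`) and pass `check_expected_servers` the Host-to-real-server mapping the virtual server is supposed to enforce; a non-empty result means a Host header was sent to a real server other than the one intended, which is the first thing to verify when an HTTP-host load-balancing configuration misbehaves. Because `requested` and `found` are both kept, a case where `wad_http_vs_check_dst_ovrd` overrides the kernel's pick shows up as the two fields differing.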