acvaldez
Staff
Article Id 326165
Description This article explains, using the session list and WAD debug output, why a forward traffic log entry attributed to Implicit Deny (policy ID 0) shows byte counts despite the apparent block in an explicit proxy setup.
Scope FortiGate.
Solution

Diagram:

[Figure: EXPLICIT PROXY DIAGRAM.drawio.png]

Traffic Implicit Deny with bytes:

[Figure: implicit deny with bytes.png]


date=2024-07-16 time=12:04:14 eventtime=1721102654885922463 tz="+0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.47.19.61 srcport=5288 srcintf="root" srcintfrole="undefined" dstip=104.244.42.130 dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=15043 proto=6 action="close" policyid=0 policytype="policy" service="HTTPS" trandisp="noop" duration=1 sentbyte=803 rcvdbyte=4333 sentpkt=9 rcvdpkt=7 appcat="unscanned"


date=2024-07-16 time=12:04:14 eventtime=1721102654885915753 tz="+0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.47.19.61 srcport=5290 srcintf="root" srcintfrole="undefined" dstip=104.244.42.130 dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=15044 proto=6 action="close" policyid=0 policytype="policy" service="HTTPS" trandisp="noop" duration=1 sentbyte=809 rcvdbyte=4333 sentpkt=9 rcvdpkt=7 appcat="unscanned"



In this scenario, the FortiGate interface for proxy traffic is port 2, with an IP address of 10.115.3.61. A test machine is generating traffic towards the website with IP address 104.244.42.130.

The WAD debug output for that traffic (shown in full below) can be summarised as follows:

  • The request is received from the test machine (10.118.4.202) on the FortiGate explicit proxy listener (10.115.3.61, port 8080) for the destination 104.244.42.130.
  • Traffic flow: <10.118.4.202:53888 -> 10.115.3.61:8080 out 10.118.4.202:53888 -> 104.244.42.130:8080>.
  • FortiGate, acting as a proxy, opens its own connection from its external interface address (10.47.19.61) to 104.244.42.130.
  • Connection flow: <connecting 10.47.19.61:5392 -> 104.244.42.130:443> <connected 10.47.19.61:5392 -> 104.244.42.130:443>.


The second leg, from the proxy interface (10.115.3.61) out through the egress interface (10.47.19.61), is traffic originated by the FortiGate itself. It is treated as local traffic (the session list shows state=log local and no_ofld_reason: local) and is attributed to policy ID 0, which the GUI labels Implicit Deny. The log action is close, not deny: the FortiGate forwarded the session from the ingress to the egress interface, so bytes are recorded for it.
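As an added illustration (not part of the original article), the following Python script parses forward-traffic log lines in the key=value format shown above and separates a policy ID 0 entry that is a genuine implicit deny (action="deny", no bytes) from one that is a local-out session of the proxy (action="close", bytes counted). It also pulls policy_id, state and no_ofld_reason out of a `diagnose sys session list` block, which is the check the article relies on. The two article log lines and the session-list block are taken from this page; the third and fourth log lines are constructed samples for contrast, and the classification labels are this example's own.

```python
import re
import shlex

# Forward-traffic log lines. The first two are the policyid=0 / action="close"
# entries from the article. The last two are CONSTRUCTED for contrast (not from
# the page): a genuine implicit deny, and a session that matched policy 1.
SAMPLE_LOGS = [
    'date=2024-07-16 time=12:04:14 eventtime=1721102654885922463 tz="+0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.47.19.61 srcport=5288 srcintf="root" srcintfrole="undefined" dstip=104.244.42.130 dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=15043 proto=6 action="close" policyid=0 policytype="policy" service="HTTPS" trandisp="noop" duration=1 sentbyte=803 rcvdbyte=4333 sentpkt=9 rcvdpkt=7 appcat="unscanned"',
    'date=2024-07-16 time=12:04:14 eventtime=1721102654885915753 tz="+0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.47.19.61 srcport=5290 srcintf="root" srcintfrole="undefined" dstip=104.244.42.130 dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=15044 proto=6 action="close" policyid=0 policytype="policy" service="HTTPS" trandisp="noop" duration=1 sentbyte=809 rcvdbyte=4333 sentpkt=9 rcvdpkt=7 appcat="unscanned"',
    # constructed: a real implicit deny (action="deny", no payload bytes)
    'date=2024-07-16 time=12:05:00 eventtime=1721102700000000000 tz="+0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.118.4.202 srcport=40001 srcintf="port2" srcintfrole="undefined" dstip=104.244.42.130 dstport=23 dstintf="port1" dstintfrole="undefined" sessionid=99001 proto=6 action="deny" policyid=0 policytype="policy" service="TELNET" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appcat="unscanned"',
    # constructed: an ordinary session that matched an explicit policy
    'date=2024-07-16 time=12:05:01 eventtime=1721102701000000000 tz="+0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.118.4.202 srcport=40002 srcintf="port2" srcintfrole="undefined" dstip=104.244.42.130 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=99002 proto=6 action="close" policyid=1 policytype="policy" service="HTTPS" duration=2 sentbyte=1200 rcvdbyte=5400 sentpkt=10 rcvdpkt=8 appcat="unscanned"',
]

# One "diagnose sys session list" entry, copied from the article.
SESSION_LIST = """session info: proto=6 proto_state=01 duration=109 expire=3492 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local
statistic(bytes/packets/allow_err): org=2621/14/1 reply=4143/12/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org out->post, reply pre->in dev=14->3/3->14 gwy=0.0.0.0/0.0.0.0
hook=out dir=org act=noop 10.47.19.61:5392->104.244.42.130:443(0.0.0.0:0)
hook=in dir=reply act=noop 104.244.42.130:443->10.47.19.61:5392(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=00003d2b tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local
"""

# Verdict labels are this example's own wording, not FortiGate terminology.
LOCAL_OUT = "local-out session logged under policy 0 (forwarded, not blocked)"
IMPLICIT_DENY = "implicit deny (blocked)"


def parse_traffic_log(line):
    """Parse one key=value log line into a dict; shlex handles the quoted values
    and integer-looking fields (ports, byte counts, policyid) become ints."""
    entry = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            entry[key] = int(value) if re.fullmatch(r"-?\d+", value) else value
    return entry


def classify(entry):
    """Decide what a policyid=0 entry really represents."""
    policy = entry.get("policyid")
    if policy != 0:
        return f"matched policy {policy}"
    if entry.get("action") == "deny":
        return IMPLICIT_DENY
    # policyid=0 with a non-deny action and bytes counted: traffic the FortiGate
    # originated itself (here the explicit proxy's leg to the origin server). In
    # the article's samples srcintf is the VDOM name "root", not a physical port.
    return LOCAL_OUT


def report(lines):
    """Return (sessionid, srcintf, total bytes, verdict) for each log line."""
    rows = []
    for entry in map(parse_traffic_log, lines):
        total = entry.get("sentbyte", 0) + entry.get("rcvdbyte", 0)
        rows.append((entry["sessionid"], entry.get("srcintf"), total, classify(entry)))
    return rows


def parse_session_list(text):
    """Extract policy_id, state flags, offload reason and the original-direction
    tuple from each 'session info:' block of diagnose sys session list output."""
    sessions = []
    for block in re.split(r"\n(?=session info:)", text.strip()):
        if not block.startswith("session info:"):
            continue
        sess = {}
        m = re.search(r"policy_id=(\d+)", block)
        sess["policy_id"] = int(m.group(1)) if m else None
        m = re.search(r"^state=(.*)$", block, re.M)
        sess["state"] = m.group(1).split() if m else []
        m = re.search(r"no_ofld_reason: (\S+)", block)
        sess["no_ofld_reason"] = m.group(1) if m else None
        m = re.search(r"hook=out dir=org act=\S+ (\S+)->(\S+)\(", block)
        sess["src"], sess["dst"] = (m.group(1), m.group(2)) if m else (None, None)
        sessions.append(sess)
    return sessions


def is_local_session(sess):
    """True when the kernel marks the session as FortiGate-originated traffic."""
    return "local" in sess["state"] or sess["no_ofld_reason"] == "local"


if __name__ == "__main__":
    for sessionid, intf, total_bytes, verdict in report(SAMPLE_LOGS):
        print(f"session {sessionid} srcintf={intf} bytes={total_bytes}: {verdict}")
    for s in parse_session_list(SESSION_LIST):
        print(f"{s['src']} -> {s['dst']} policy_id={s['policy_id']} local={is_local_session(s)}")
```

Run it directly to print a verdict per log line; the two article entries come out as local-out sessions with their byte totals, which is exactly the "Implicit Deny with bytes" symptom. When triaging such entries on a real unit, confirm with the session list: policy_id=0 together with state=log local and no_ofld_reason: local identifies the proxy's own connection rather than a dropped packet.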


WAD Debug:


[V][p:2492] wad_dns_parse_name_resp :323 api.twitter.com: resp_type=1 notify=1 cdata=1 104.244.42.130
[I][p:2492][s:328546664][r:174] wad_http_dns_request_done :12646 [0x7f7a2a38b048] DNS resolved: 104.244.42.130
[V][p:2492][s:328546664][r:174] wad_http_req_get_dst_intf :12379 vd=0 dst=104.244.42.130 ifidx=3
[V][p:2492][s:328546664][r:174] wad_http_req_check_policy :12249 start match policy vd=0(ses_ctx:x|Ph|M|Hh|C|A7|O) (10.118.4.202:53888@4->104.244.42.130:443@3) absUrl=1
[I][p:2492][s:328546664][r:174] wad_http_req_policy_set :10748 match policy-id=1(pol_ctx:xhcf|Ad|7?|=d) vd=0(ses_ctx:x|Ph|Mde|Hh|C|A7|O) (10.118.4.202:53888@4 -> 104.244.42.130:443@3)
req: dst:104.244.42.130:443, proto:10)
connect svr orig 10.118.4.202:53888->10.115.3.61:8080 out 10.118.4.202:53888->104.244.42.130:8080
[V][p:2492][s:328546664][r:174] wad_http_connect_srv :281 [0x7f7a2a38b048] Connect to server: 104.244.42.130:443/104.244.42.130:443
[I][p:2492][s:328546664][r:174] wad_tcp_port_connect_with_fd :2261 TCP port=0x7f7a2a43aa90 sock=164 vrf=0 connecting 10.47.19.61:5392->104.244.42.130:443
[I][p:2492][s:328546664] wad_tcp_port_on_connect :2035 TCP connection 0x7f7a2a43aa90 fd=164 connected 10.47.19.61:5392->104.244.42.130:443
[V][p:2492][s:328546664][r:174] wad_http_srv_run_by_task :7216 addr:104.244.42.130:443, proto=10 req=0x7f7a2a38b048 tun_non_http=1 expect_tun=0
[I][p:2492][s:328546664][r:174] wad_ssl_port_open :21112 wsp=0x7f7a2a2c7b40/7 SSL-port open succ type=7 port=0x7f7a2a43aa90 vd=0 svr=104.244.42.130:443: succ
[I][p:2492][s:328546664][r:174] wad_ssl_port_open :21112 wsp=0x7f7a2a2c7048/6 SSL-port open succ type=6 port=0x7f7a2a4418c0 vd=0 svr=104.244.42.130:443: succ
[V][p:2492][s:328546664] wad_ssl_cic_oid_gen :560 vfid=0 sni=api.twitter.com 10.47.19.61->104.244.42.130
cic-ret=hit: vfid=0 oid=17173420592301255232 tp=0 ointf=3 vrf=0 sni=api.twitter.com 10.47.19.61->104.244.42.130


WAD Session List:


Session: explicit proxy 10.118.4.202:53857(10.47.19.61:5278)->104.244.42.130:443
id=328546633 worker=0 vd=0:0 fw-policy=1
duration=397 expire=3430 session-ttl=3600
state=3 app=http sub_type=0 wan_opt_mode=0 dd_method=0
SSL enabled
to-client
SSL Port:
state=1
TCP Port:
state=2 r_blocks=1 w_blocks=0 read_blocked=0
bytes_in=17822 bytes_out=25229 shutdown=0x0
to-server
SSL Port:
state=1
TCP Port:
state=2 r_blocks=0 w_blocks=0 read_blocked=0
bytes_in=25157 bytes_out=17612 shutdown=0x0


Diag Sys Session List:


session info: proto=6 proto_state=01 duration=321 expire=3505 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local
statistic(bytes/packets/allow_err): org=24468/94/1 reply=28745/68/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org out->post, reply pre->in dev=14->3/3->14 gwy=0.0.0.0/0.0.0.0
hook=out dir=org act=noop 10.47.19.61:5278->104.244.42.130:443(0.0.0.0:0)
hook=in dir=reply act=noop 104.244.42.130:443->10.47.19.61:5278(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=00003abe tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local


session info: proto=6 proto_state=01 duration=109 expire=3492 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local
statistic(bytes/packets/allow_err): org=2621/14/1 reply=4143/12/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org out->post, reply pre->in dev=14->3/3->14 gwy=0.0.0.0/0.0.0.0
hook=out dir=org act=noop 10.47.19.61:5392->104.244.42.130:443(0.0.0.0:0)
hook=in dir=reply act=noop 104.244.42.130:443->10.47.19.61:5392(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=00003d2b tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local
total session 2