FortiProxy
KC_Hing
Staff
Article Id 370737
Description This article describes how to configure FortiProxy to bypass (pass through) a WebSocket Secure (wss) protocol-upgrade connection that the proxy would otherwise block.
Scope FortiProxy.
Solution

A user behind the proxy tries to reach a WebSocket application and the browser's web developer tools show a connection error.

Example:

Firefox cannot establish a connection to the server at wss://web.whatsapp.com:5222/ws/chat?ED=CAIICA

[Screenshot: Wss1.PNG]

Perform a WAD debug to trace the traffic; the cause is identified by the 'Switch Protocol Block' message raised by the URL filter when it sees the Upgrade request.

GET /ws/chat?ED=CAIICA HTTP/1.1
Host: web.whatsapp.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Sec-WebSocket-Version: 13
Origin: https://web.whatsapp.com
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: +KRNPwdjP3sgxQ/BOEASig==
Connection: keep-alive, Upgrade
Cookie: wa_ul=062af26a-cd07-4110-a7bf-f54871cb3bc6; wa_web_lang_pref=en_GB
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: websocket
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

...

[W][p:1067][s:80313340][r:3713] wad_http_urlfilter_check :438 Switch Protocol Block.
[I][p:1067][s:80313340][r:3713] wad_http_parse_host :1667 host=[16]web.whatsapp.com
[I][p:1067][s:80313340][r:3713] wad_http_str_canonicalize :2186 enc=0 path=/ws/chat len=8 changes=0
[I][p:1067][s:80313340][r:3713] wad_http_str_canonicalize :2188 end=4 path=ED=CAIICA len=9 changes=0
[I][p:1067][s:80313340][r:3713] wad_http_req_domain_front_blk :10296 domain fronting chk uri host(is_abs=0 http_encap=1 connect=0):
web.whatsapp.com
[I][p:1067][s:80313340][r:3713] wad_fast_match_is_enable :3881 fast matching is enabled
[I][p:1067][s:80313340][r:3713] wad_fast_match_pol_array :3686 fw_pol_id=8(pol_ctx:xhf|Ad|7|=p) pol_id=0(pflag:H|W|U|Ai) asyn_
info=1
[I][p:1067][s:80313340][r:3713] wad_fw_policy_async_match :6559 pol_ctx:xhf|Ad|7|=d
[I][p:1067][s:80313340][r:3713] wad_http_req_policy_set :10791 match policy-id=8(pol_ctx:xhf|Ad|7|=d) vd=0(ses_ctx:cx|Phx|Mde|
Hfte|C|A1|Og) (10.169.2.76:52433@6 -> 163.70.132.60:443@3)
[I][p:1067][s:80313340][r:3713] wad_http_req_proc_policy :10422 ses_ctx:cx|Phx|Mde|Hfte|C|A1|Og conn_srv=1 fwd_srv=<nil>
[I][p:1067][s:80313340][r:3713] wad_http_req_proc_policy :10515 policy result:vf_id=0:0 sec_profile=0x7f85f6941748 set_cookie=0
[W][p:1067][s:80313340][r:3713] wad_fw_policy_async_match :6549 no policy to match.
[I][p:1067][s:80313340][r:3713] wad_http_urlfilter_check :394 uri_norm=1 inval_host=0 inval_url=0 scan-hdr/body=1/0 url local
=0 block=0 user-cat=0 allow=0 ftgd=0 keyword=0 wisp=0
[W][p:1067][s:80313340][r:3713] wad_http_urlfilter_check :438 Switch Protocol Block.
[I][p:1067][s:80313340][r:3713] __wad_http_build_replmsg_resp :789 Generating replacement message. Switching Protocol Block repmsg _id 28
[I][p:1067][s:80313340][r:3713] wad_dump_fwd_http_resp :2746 hreq=0x7f85f24c6d38 Forward response from Internal:
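To find every proxied session that hit this block, and which firewall policy (and therefore which protocol options profile) needs attention, the WAD debug output can be grouped by session id. The script below is an added example, not part of the original article or a Fortinet tool; the sample lines are constructed from the trace above plus a second, unblocked session, and the line format it parses is assumed from that trace.

```python
import re
from collections import defaultdict

# Constructed sample WAD debug lines modelled on the trace above; the second
# session (80313341) is a plain HTTPS request that is not blocked.
SAMPLE_WAD_DEBUG = """\
[I][p:1067][s:80313340][r:3713] wad_http_parse_host :1667 host=[16]web.whatsapp.com
[I][p:1067][s:80313340][r:3713] wad_http_req_policy_set :10791 match policy-id=8(pol_ctx:xhf|Ad|7|=d) vd=0(ses_ctx:cx|Phx|Mde|Hfte|C|A1|Og) (10.169.2.76:52433@6 -> 163.70.132.60:443@3)
[W][p:1067][s:80313340][r:3713] wad_http_urlfilter_check :438 Switch Protocol Block.
[I][p:1067][s:80313340][r:3713] __wad_http_build_replmsg_resp :789 Generating replacement message. Switching Protocol Block repmsg _id 28
[I][p:1067][s:80313341][r:3714] wad_http_parse_host :1667 host=[11]example.com
[I][p:1067][s:80313341][r:3714] wad_http_req_policy_set :10791 match policy-id=3(pol_ctx:xhf|Ad|7|=d) vd=0(ses_ctx:cx|Phx|Mde|Hfte|C|A1|Og) (10.169.2.77:52500@6 -> 198.51.100.10:443@3)
"""

# Assumed line layout: [level][p:pid][s:session][r:request] function :line message
PREFIX = re.compile(r"^\[(?P<lvl>[IWE])\]\[p:\d+\]\[s:(?P<sid>\d+)\]\[r:\d+\]\s+(?P<func>\S+)\s+:\d+\s+(?P<msg>.*)$")
HOST = re.compile(r"host=\[\d+\](?P<host>\S+)")
POLICY = re.compile(r"match policy-id=(?P<pol>\d+)")

def parse_switch_protocol_blocks(text):
    """Group WAD debug lines by session id and return one record per session
    whose Upgrade request was refused with 'Switch Protocol Block'.
    Each record holds the session id, the requested host and the matched policy id."""
    sessions = defaultdict(lambda: {"host": None, "policy_id": None, "blocked": False})
    for line in text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue  # not a WAD debug line
        s = sessions[m.group("sid")]
        h = HOST.search(m.group("msg"))
        if m.group("func") == "wad_http_parse_host" and h:
            s["host"] = h.group("host")
        p = POLICY.search(m.group("msg"))
        if p:
            s["policy_id"] = int(p.group("pol"))
        if "Switch Protocol Block" in m.group("msg"):
            s["blocked"] = True
    return [{"session": sid, "host": v["host"], "policy_id": v["policy_id"]}
            for sid, v in sessions.items() if v["blocked"]]

if __name__ == "__main__":
    for hit in parse_switch_protocol_blocks(SAMPLE_WAD_DEBUG):
        print(f"session {hit['session']}: upgrade to {hit['host']} blocked; "
              f"check switching-protocols in the protocol options profile of policy {hit['policy_id']}")
```

Feed it the saved output of the WAD debug instead of the constructed sample to get the list of hosts and policies affected on a live unit.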

In this scenario, the switching-protocols option under the HTTP section of the protocol options profile applied to the matching policy must be set to bypass so that the WebSocket Upgrade request is passed through instead of blocked.

config firewall profile-protocol-options
    edit <profile>
        config http
            set switching-protocols bypass <<<
        end
    next
end
