FortiProxy
zromano
Staff
Article Id 378535
Description This article describes how to perform an explicit proxy policy lookup from the CLI on a FortiProxy.
Scope FortiProxy.
Solution

On a FortiProxy, it is possible to run an explicit proxy policy lookup using the following command:

diagnose wad exp-fw-policy-test <SRC> <WEBPROXY> <REQ> <AUTH-TYPE> [<USERNAME/GROUP>] [<SERVER>]

  • <SRC> is the source IP of the traffic.
  • <WEBPROXY> is the webproxy configured in 'config web-proxy explicit-proxy' section (or in the GUI: 'Proxy Settings -> Explicit Proxy').
  • <REQ> is the requested IP/URI.
  • <AUTH-TYPE> is the authentication type, which can be none, user or group.
  • <USERNAME/GROUP> is the username, or the group to which the user belongs.
  • <SERVER> is the name (as it appears in the configuration) of the remote authentication server, or the local authentication server.


Running the command with no arguments prints its usage and some examples:

diagnose wad exp-fw-policy-test

Usage:
diagnose wad exp-fw-policy-test <SRC> <WEBPROXY> <REQ> <AUTH-TYPE> [<USERNAME/GROUP>] [<SERVER>]
Example 1: diagnose wad exp-fw-policy-test 1.1.1.1 web-proxy "uri=http://example.com/path" user user1 ldap_srv
Example 2: diagnose wad exp-fw-policy-test 1.1.1.1 web-proxy "ipport=2.2.2.2:8080" user user2 local
Example 3: diagnose wad exp-fw-policy-test 1.1.1.1 web-proxy "copy then paste exact http request here" none

The output shows the matching policy ID, whether the traffic is accepted or denied, the source and destination addresses configured in the policy, and the matching user/group.
In the following example, user1's traffic matches proxy policy 4 and the traffic is accepted:

diagnose wad exp-fw-policy-test 10.1.1.1 web-proxy "ipport=1.1.1.1:443" user user1 local
firewall policy id: 4
policy_action: accept
srcaddr: all
dstaddr: all
user(group): user1

In the following example, user1 belongs to the group usr-grp, so the traffic matches policy 5 and is denied:

diagnose wad exp-fw-policy-test 10.1.1.1 web-proxy "ipport=1.2.3.4:443" user user1 local
firewall policy id: 5
policy_action: deny
srcaddr: all
dstaddr: 1.2.3.4
user(group): usr-grp


If no authentication is used, specify 'none' as the AUTH-TYPE at the end of the command:

diagnose wad exp-fw-policy-test 10.1.1.1 web-proxy "uri=https://google.com" none
firewall policy id: 3
policy_action: accept
srcaddr: all
dstaddr: wildcard.google.com
user(group): n/a

If no explicit proxy policy is matched, the implicit deny matches and the output is as follows:

diagnose wad exp-fw-policy-test 1.1.1.1 web-proxy "uri=https://facebook.com" none
No policy matched
sec_default_action: deny
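
As an added example (not from the article or from Fortinet), the following Python builds the lookup command for a test case and parses the command output into a dictionary, so a list of expected policy hits can be re-checked after a policy change. The sample outputs are constructed in the format shown above; in practice they are captured from the FortiProxy CLI session.

```python
# Added example, not Fortinet's code. Sample outputs are constructed in the
# format printed by 'diagnose wad exp-fw-policy-test'; in real use they are
# captured from the FortiProxy CLI (for instance over an SSH session).
SAMPLE_MATCH = """firewall policy id: 5
policy_action: deny
srcaddr: all
dstaddr: 1.2.3.4
user(group): usr-grp
"""
SAMPLE_NO_MATCH = """No policy matched
sec_default_action: deny
"""

def build_command(src, webproxy, req, auth_type, user=None, server=None):
    """Assemble the exact CLI line; <REQ> is quoted as in the usage examples."""
    if auth_type not in ("none", "user", "group"):
        raise ValueError("auth type must be none, user or group")
    if auth_type != "none" and not user:
        raise ValueError("a username or group is required for auth type user/group")
    parts = ["diagnose", "wad", "exp-fw-policy-test", src, webproxy, f'"{req}"', auth_type]
    if auth_type != "none":
        parts.append(user)
        if server:  # name of the remote or local authentication server
            parts.append(server)
    return " ".join(parts)

def parse_result(output):
    """Map the command output to a dict; the implicit deny yields policy_id None."""
    result = {}
    for line in output.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "No policy matched":
            result["policy_id"] = None
        elif key == "firewall policy id":
            result["policy_id"] = int(value)
        elif key in ("policy_action", "sec_default_action"):
            result["action"] = value
        elif key == "user(group)":
            result["user_group"] = value
        elif key in ("srcaddr", "dstaddr"):
            result[key] = value
    return result

def check_expectation(output, expected_action, expected_policy_id):
    """True when the lookup hit the expected policy ID with the expected action."""
    r = parse_result(output)
    return r.get("action") == expected_action and r.get("policy_id") == expected_policy_id
```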

Note: This command does not work on a FortiGate, even though a FortiGate can also have explicit proxy policies. It is only valid on FortiProxy.
