FortiProxy
sahmed_FTNT
Staff & Editor
Article Id 414917
Description This article describes how to configure FortiProxy in transparent mode so that user traffic is allowed through without any changes to the user's browser. With minimal configuration, FortiProxy can be deployed without any changes on the end user's side. This also lets administrators inspect traffic and apply UTM compliance in larger environments.
Scope FortiProxy.
Solution

The following topology is used for deployment:

[Topology diagram: Drawing (1).png]

The topology above can be used to route WAN traffic as required: traffic originating from the end user is handled in transparent mode with the option of UTM inspection, with only a minimal routing change and no browser settings changes required.

Step 1:

LAN interface configuration:
config system interface
    edit "port2"
        set vdom "root"
        set ip 10.30.40.1 255.255.255.0
        set allowaccess ping https http
        set type physical
        set snmp-index 2
    next
end

WAN interface configuration:
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.9.11.217 255.255.240.0
        set allowaccess ping https ssh http telnet
        set type physical
        set snmp-index 1
    next
end

[Screenshot: step1.png]

Step 2:

Routing configuration:
config router static
    edit 1
        set status enable
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.9.15.254
        set weight 0
        set priority 1
        set device "port1"
        set comment ''
    next
end

[Screenshot: step 2.png]

Step 3:

FortiProxy policy configuration:
config firewall policy
    edit 1
        set uuid fb2d5420-a7eb-51f0-f628-1c0367dbb24d
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
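
An added check, not part of this article: the Python script below parses CLI blocks in the config/edit/set/next/end format shown in Steps 1 to 3 and flags two things worth reviewing before such a deployment goes live: cleartext management protocols (HTTP, Telnet) left in allowaccess on the WAN-facing interface, and accept policies that do not log all traffic. The embedded sample is a constructed, trimmed copy of the interface and policy configuration above; which interfaces face the WAN is an assumption passed in as a parameter.

```python
from collections import defaultdict

# Constructed sample: a trimmed copy of this article's CLI configuration.
SAMPLE_CONFIG = """\
config system interface
    edit "port2"
        set allowaccess ping https http
    next
    edit "port1"
        set allowaccess ping https ssh http telnet
    next
end
config firewall policy
    edit 1
        set action accept
        set logtraffic all
    next
end
"""


def parse_config(text):
    """Parse config/edit/set/next/end blocks into {table: {entry: {key: [values]}}}."""
    tables, table, entry = defaultdict(dict), None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            table = line[7:]
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, rest = line[4:].partition(" ")
            tables[table][entry][key] = [v.strip('"') for v in rest.split()]
        elif line == "next":
            entry = None
        elif line == "end":
            table = None
    return tables


def audit(tables, wan_interfaces=("port1",)):
    """Flag cleartext admin access on WAN-facing interfaces (assumed: port1) and accept policies without full logging."""
    findings = []
    for name, iface in tables["system interface"].items():
        weak = {"telnet", "http"} & set(iface.get("allowaccess", []))
        if name in wan_interfaces and weak:
            findings.append(f"{name}: {'/'.join(sorted(weak))} admin access on WAN interface")
    for pid, pol in tables["firewall policy"].items():
        if pol.get("action") == ["accept"] and pol.get("logtraffic") != ["all"]:
            findings.append(f"policy {pid}: accept without 'logtraffic all'")
    return findings
```

Running `audit(parse_config(SAMPLE_CONFIG))` reports the HTTP and Telnet management access on port1; the same parser can be pointed at a full `show` export to check every interface and policy.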

 

[Screenshot: step5.png]

Step 4:

Verify internet access on the end-user device:

[Screenshot: step4.png]

For traffic flow confirmation:

Packet sniffer:
diag sniffer packet any ' icmp ' 4 0 l
interfaces=[any]
filters=[ icmp ]
2025-10-13 15:00:42.079866 port2 in 10.30.40.2 -> 1.1.1.1: icmp: echo request
2025-10-13 15:00:42.079901 port1 out 10.9.11.217 -> 1.1.1.1: icmp: echo request
2025-10-13 15:00:42.086416 port1 in 1.1.1.1 -> 10.9.11.217: icmp: echo reply
2025-10-13 15:00:42.086448 port2 out 1.1.1.1 -> 10.30.40.2: icmp: echo reply

 

Debug flow filter:

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 50
diagnose debug enable
Proxy# 2025-10-13 15:03:33 id=20085 trace_id=29 func=__dump_flowi4 line=54 msg="ip_route_input_slow:2241 flowi4 saddr=10.30.40.2 daddr=1.1.1.1 sport=0 dport=0 iif=4 oif=0 proto=0 mark=0x0 flag=0x0 ready to route packet"
2025-10-13 15:03:33 id=20085 trace_id=29 func=ip_route_input_slow line=2251 msg="route found type=1 table_id=254 pol_route=0"
2025-10-13 15:03:34 id=20085 trace_id=29 func=ip_forward line=165 msg="proceed with forwarding skb"
2025-10-13 15:03:34 id=20085 trace_id=29 func=shared_shaper_handler line=737 msg="ct 000000008b47f1f8 forward shaper <none>(0000000000000000) result accept"
2025-10-13 15:03:35 id=20085 trace_id=29 func=shaper_handler line=836 msg="shaping check finished for ct 000000008b47f1f8, result accept"
2025-10-13 15:03:35 id=20085 trace_id=30 func=print_pkt_detail line=112 msg="vd-root at hook-fpx_setup_flow_pre_route received a packet(proto=1, 1.1.1.1:0->10.9.11.217:0) from port1. type=0, code=0, id=1, seq=15043."
2025-10-13 15:03:36 id=20085 trace_id=30 func=ip_route_input_slow line=2173 msg="start input route 1.1.1.1->10.30.40.2 dev port1 vfid 0"
2025-10-13 15:03:36 id=20085 trace_id=30 func=__dump_flowi4 line=54 msg="ip_route_input_slow:2241 flowi4 saddr=1.1.1.1 daddr=10.30.40.2 sport=0 dport=0 iif=3 oif=0 proto=0 mark=0x0 flag=0x0 ready to route packet"
2025-10-13 15:03:37 id=20085 trace_id=30 func=ip_route_input_slow line=2251 msg="route found type=1 table_id=254 pol_route=0"
2025-10-13 15:03:37 id=20085 trace_id=30 func=ip_forward line=165 msg="proceed with forwarding skb"
2025-10-13 15:03:38 id=20085 trace_id=30 func=shared_shaper_handler line=737 msg="ct 000000008b47f1f8 reverse shaper <none>(0000000000000000) result accept"
2025-10-13 15:03:38 id=20085 trace_id=30 func=shaper_handler line=836 msg="shaping check finished for ct 000000008b47f1f8, result accept"
2025-10-13 15:03:39 id=20085 trace_id=31 func=print_pkt_detail line=112 msg="vd-root at hook-fpx_setup_flow_pre_route received a packet(proto=1, 10.30.40.2:0->1.1.1.1:0) from port2. type=8, code=0, id=1, seq=15044."