Help
FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
princes
Staff
Staff

Created on ‎02-21-2025 05:33 AM

Article Id 378077

Technical Tip: FortiProxy is not responding to explicit proxy traffic over listening interface

Description This article describes the issue when the explicit proxy is not listening even after configuring it under proxy settings.
Scope FortiProxy.
Solution

While configuring the explicit proxy feature in the FortiProxy device, the interface is not responding to proxy port traffic.

 

Even after configuring the proxy settings, the interface is not responding to proxy traffic:

 

Screenshot 2025-02-21 161410.png

 

Make sure to have the Explicit web proxy setting enabled under the port3 as per the above image:

 

Screenshot 2025-02-21 161827.png

 

Now to verify it take the below capture to verify the traffic on the proxy port:

 

kvm72 # diagnose sniffer packet any "port 8080" 4 0 l
interfaces=[any]
filters=[port 8080]
2025-02-21 16:21:37.027859 port3 in 10.162.13.127.50894 -> 10.162.15.165.8080: syn 3171090873
2025-02-21 16:21:37.027947 port3 out 10.162.15.165.8080 -> 10.162.13.127.50894: syn 954859384 ack 3171090874
2025-02-21 16:21:37.035307 port3 in 10.162.13.127.50894 -> 10.162.15.165.8080: ack 954859385
2025-02-21 16:21:37.035737 port3 in 10.162.13.127.50894 -> 10.162.15.165.8080: psh 3171090874 ack 954859385
2025-02-21 16:21:37.035782 port3 out 10.162.15.165.8080 -> 10.162.13.127.50894: ack 3171090975
2025-02-21 16:21:37.203306 port3 out 10.162.15.165.8080 -> 10.162.13.127.50894: psh 954859385 ack 3171090975
2025-02-21 16:21:37.209368 port3 in 10.162.13.127.50894 -> 10.162.15.165.8080: psh 3171090975 ack 954859457
2025-02-21 16:21:37.209403 port3 out 10.162.15.165.8080 -> 10.162.13.127.50894: ack 3171091190

 

The same can be verified through a HAR file on the user browser:

 

Screenshot 2025-02-21 162507.png

 

The GET request was sent to a proxy port over the 8080 port.

 

Now the traffic is hitting the proxy interface on the correct port.

If the user is still not able to browse the internet, verify the below:

 

Collect the WAD debug and look for the below keywords:

 

Log_search:1 (This ensures the CONNECT request was sent properly from the machine).

 

CONNECT yahoo.com:443 HTTP/1.1
Host: yahoo.com:443
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36

 

Log_search:2 (This makes sure that proxy connection was established, and traffic was tunneled to with connect method):


HTTP/1.1 200 Connection established
Proxy-Agent: Fortinet-Proxy/1.0

 

Log_search:3 (This ensures the DNS query was resolved through the proxy):

 

[I][p:1066] wad_dns_parse_name_resp :205 0: DNS response received for remote host consent.yahoo.com req-id=4 ipv4=1
[I][p:1066][s:203831718][r:16777286] wad_http_dns_request_done :14039 [0x7f29bb538b28] DNS resolved: 52.209.124.84

 

Log_search:4 (This ensures a correct policy match):

 

[I][p:1066][s:203831718][r:16777286] wad_http_req_policy_set :11736 match policy-id=1

 

Related articles: 

Technical Tip: Initial steps to troubleshoot Explicit Proxy on FortiProxy

Troubleshooting Tip: Troubleshoot the explicit proxy in FortiGate

 

51
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.