- Accessing an HTTP website returns a 403 'incorrect service' error, as shown in the picture.

- Attached is the Explicit Proxy configuration with the PAC file enabled (sample PAC file hosted on FortiProxy). The HTTPS Port has been set to Specify with port 80, and the PAC file specifies port 80 as well. As a result, any application or browser that uses that PAC file ends up using the HTTPS Port of the Explicit Proxy.

- Packet capture analysis and WAD debug log.
- The packet capture shows a 'Forbidden' message when client IP 10.176.2.144 sends an HTTP request to http://dlptest.com:
142 0.000681 10.176.2.144 12466 10.176.2.91 80 HTTP 530 476 GET http://dlptest.com/ HTTP/1.1
GET http://dlptest.com/ HTTP/1.1
Host: dlptest.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
- FortiProxy response 403 Forbidden:
144 0.001918 10.176.2.91 80 10.176.2.144 12466 HTTP 7354 7300 HTTP/1.1 403 Forbidden (text/html)[Packet size limited during capture]
HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html
Cache-Control: no-cache
- The wad debug log shows the same when Client IP 10.176.2.144 sends an HTTP request:
diagnose wad filter clear
diagnose wad filter src 10.176.2.144
diagnose wad debug enable category http
diagnose wad debug enable level information
diagnose wad debug enable level verbose
diagnose debug enable
[I][p:10246][s:1030707510][r:16926] wad_dump_http_request :2731 hreq=0x7fae88251048 Received request from client: 10.176.2.144:12466
GET http://dlptest.com/ HTTP/1.1
Host: dlptest.com
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
- FortiProxy response 403 Forbidden:
[V][p:10246][s:1030707510][r:16926] wad_http_marker_uri :1303 scheme=http
[I][p:10246][s:1030707510][r:16926] wad_http_dns_resolve :8227 [0x7fae88251048] DNS request name=dlptest.com len=11 type/pref=0/0
[I][p:10246][s:1030707510][r:16926] wad_http_dns_request_done :12925 [0x7fae88251048] DNS resolved: 35.209.95.242
[V][p:10246][s:1030707510][r:16926] wad_http_req_get_dst_intf :12632 vd=0 dst=35.209.95.242 ifidx=3
[I][p:10246][s:1030707510][r:16926] __wad_http_build_replmsg_resp :789 Generating replacement message. incorrect service repmsg_id 2 ---> Generate Incorrect Service for replacement message
[I][p:10246][s:1030707510][r:16926] wad_dump_fwd_http_resp :2746 hreq=0x7fae88251048 Forward response from Internal:
HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html
Cache-Control: no-cache
To stop debug:
diagnose debug disable
diagnose debug reset
- The correct Explicit Proxy configuration uses the same port number for HTTP and HTTPS. Also make sure the PAC file is consistent with this configuration.

- Alternatively, modify the PAC file so that HTTP websites are specifically sent to the Explicit Proxy on port 8080. The HTTPS Port in Explicit Proxy only processes HTTPS web pages.
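
The alternative above, sketched as a PAC file next to the failing one. This is an added example, not the sample PAC file from the article. The proxy address 10.176.2.91 is taken from the capture, ports 80 and 8080 from the text, and `brokenFindProxyForURL`, `findMisrouted` and `SAMPLE_URLS` are hypothetical names used only for the check:

```javascript
// Added example; not Fortinet's PAC file.
var PROXY_HOST = "10.176.2.91"; // FortiProxy address seen in the capture
var HTTP_PORT = 8080;           // explicit proxy HTTP port (from the text)
var HTTPS_PORT = 80;            // explicit proxy "HTTPS Port": HTTPS only

// PAC behaviour of the failing setup: every URL is sent to port 80.
function brokenFindProxyForURL(url, host) {
  return "PROXY " + PROXY_HOST + ":" + HTTPS_PORT;
}

// Corrected PAC: only https:// goes to the HTTPS port,
// everything else goes to the HTTP port.
function FindProxyForURL(url, host) {
  if (url.substring(0, 6).toLowerCase() === "https:") {
    return "PROXY " + PROXY_HOST + ":" + HTTPS_PORT;
  }
  return "PROXY " + PROXY_HOST + ":" + HTTP_PORT;
}

// Hypothetical lint helper: return the non-HTTPS URLs that a PAC function
// would send to the HTTPS-only port (the cause of the 403 above).
function findMisrouted(pacFn, urls, httpsOnlyPort) {
  var suffix = ":" + httpsOnlyPort;
  return urls.filter(function (u) {
    var host = u.replace(/^[a-z]+:\/\//i, "").split(/[/:]/)[0];
    var isHttps = /^https:/i.test(u);
    // A PAC result may list several targets separated by ';'.
    var targets = pacFn(u, host).split(";").map(function (t) {
      return t.trim();
    });
    return !isHttps && targets.some(function (t) {
      return t.slice(-suffix.length) === suffix;
    });
  });
}

// Constructed sample input.
var SAMPLE_URLS = ["http://dlptest.com/", "https://dlptest.com/"];
console.log(findMisrouted(brokenFindProxyForURL, SAMPLE_URLS, HTTPS_PORT));
console.log(findMisrouted(FindProxyForURL, SAMPLE_URLS, HTTPS_PORT));
```

Only the two `FindProxyForURL`-style functions are PAC content; the helper and sample list are for checking a PAC file before it is deployed.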
