This article describes how to use an IP pool to change the egress IP address of proxied sessions on FortiProxy. By default, in an explicit proxy policy, the proxied session uses the IP address of the egress interface as its source IP address.
In this example, the proxied session matches policy ID 1 and egresses with source IP address 10.110.1.46 to reach the internet gateway (FortiGate).
computer <-> FortiProxy <-> FortiGate <-> Internet
config firewall policy
    edit 1
        set type explicit-web
        set name "Test"
        set dstintf "port3"   <<=== interface IP@ 10.110.1.46
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
    next
end
- FortiProxy WAD session info:
dia wad session list
Session: explicit proxy 10.100.1.61:59818(10.110.1.46:54152)->93.184.215.14:443 id=379184883 worker=1 vd=0:0 fw-policy=1 duration=10 expire=3590 session-ttl=3600 state=3 app=http sub_type=0 wan_opt_mode=0 dd_method=0
- FortiProxy Sniffer:
dia sni pac any 'host 93.184.215.14 or port 8080' 4 0 l
....[below are client-side proxy connection to port 8080]
2024-10-04 14:36:26.048451 port2 in 10.100.1.61.59818 -> 10.100.1.46.8080: syn 738242609
2024-10-04 14:36:26.048948 port2 out 10.100.1.46.8080 -> 10.100.1.61.59818: syn 1674756085 ack 738242610
2024-10-04 14:36:26.058942 port2 in 10.100.1.61.59818 -> 10.100.1.46.8080: ack 1674756086
2024-10-04 14:36:26.060031 port2 in 10.100.1.61.59818 -> 10.100.1.46.8080: psh 738242610 ack 1674756086
2024-10-04 14:36:26.060198 port2 out 10.100.1.46.8080 -> 10.100.1.61.59818: ack 738243099
.....[below are proxied-session from FPX to internet-gw]
2024-10-04 14:36:26.071176 port3 out 10.110.1.46.54152 -> 93.184.215.14.443: syn 2155551277
2024-10-04 14:36:26.263606 port3 in 93.184.215.14.443 -> 10.110.1.46.54152: syn 4136654216 ack 2155551278
2024-10-04 14:36:26.264142 port3 out 10.110.1.46.54152 -> 93.184.215.14.443: ack 4136654217
- FortiGate (gateway) Sniffer:
dia sni pac any 'host 93.184.215.14' 4 0 l
2024-10-04 14:36:26.077983 port3 in 10.110.1.46.54152 -> 93.184.215.14.443: syn 2155551277
2024-10-04 14:36:26.078251 port1 out 10.47.1.75.54152 -> 93.184.215.14.443: syn 2155551277
2024-10-04 14:36:26.269567 port1 in 93.184.215.14.443 -> 10.47.1.75.54152: syn 4136654216 ack 2155551278
2024-10-04 14:36:26.269611 port3 out 93.184.215.14.443 -> 10.110.1.46.54152: syn 4136654216 ack 2155551278
2024-10-04 14:36:26.270949 port3 in 10.110.1.46.54152 -> 93.184.215.14.443: ack 4136654217
2024-10-04 14:36:26.270978 port1 out 10.47.1.75.54152 -> 93.184.215.14.443: ack 4136654217
An IP pool can be applied to the explicit proxy policy to change the source IP address of the egress proxied session.
In this example, the IP pool 'test-pool' is created and applied to policy ID 1 on FortiProxy. The egress IP address of the proxied session is translated to 10.110.1.108 (WAD debug: 'clt:10.100.1.61 got ip:10.110.1.108 from ip pool test-pool').
config firewall ippool
    edit "test-pool"
        set startip 10.110.1.100
        set endip 10.110.1.110
    next
end

config firewall policy
    edit 1
        set poolname "test-pool"
    next
end
- FortiProxy WAD session info:
Session: explicit proxy 10.100.1.61:60353(10.110.1.108:35580)->93.184.215.14:443 id=379185277 worker=1 vd=0:0 fw-policy=1 duration=21 expire=3581 session-ttl=3600 state=3 app=http sub_type=0 wan_opt_mode=0 dd_method=0
- FortiProxy Sniffer:
....[below are client-side proxy connection to port 8080]
2024-10-04 15:26:33.901187 port2 in 10.100.1.61.60353 -> 10.100.1.46.8080: syn 4040077146
2024-10-04 15:26:33.901748 port2 out 10.100.1.46.8080 -> 10.100.1.61.60353: syn 3774512860 ack 4040077147
2024-10-04 15:26:33.908283 port2 in 10.100.1.61.60353 -> 10.100.1.46.8080: ack 3774512861
2024-10-04 15:26:33.912210 port2 in 10.100.1.61.60353 -> 10.100.1.46.8080: psh 4040077147 ack 3774512861
2024-10-04 15:26:33.912247 port2 out 10.100.1.46.8080 -> 10.100.1.61.60353: ack 4040077354
.....[below are proxied-session from FPX to internet-gw]
2024-10-04 15:26:33.962695 port3 out 10.110.1.108.35580 -> 93.184.215.14.443: syn 2741619762
2024-10-04 15:26:34.150884 port3 in 93.184.215.14.443 -> 10.110.1.108.35580: syn 1242727566 ack 2741619763
2024-10-04 15:26:34.151063 port3 out 10.110.1.108.35580 -> 93.184.215.14.443: ack 1242727567
- FortiProxy WAD debug:
[I][p:1057][s:379185277][r:16824928] wad_dump_http_request :2833 hreq=0x7ff86249c048 Received request from client: 10.100.1.61:60353
CONNECT example.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: example.com:443
[I][p:1057][s:379185277][r:16824928] wad_http_dns_request_done :14039 [0x7ff86249c048] DNS resolved: 93.184.215.14
[I][p:1057][s:379185277][r:16824928] wad_http_req_policy_set :11736 match policy-id=1(pol_ctx:xhcf|Ad|7?|=d) vd=0(ses_ctx:x|Phx|Mde|Hh|C|A7|O) (10.100.1.61:60353@4 -> 93.184.215.14:443@5)
[I][p:1057][s:379185277][r:16824928] wad_ip_pool__get_ip :1491 clt:10.100.1.61 got ip:10.110.1.108 from ip pool IPPool, logic/phy intf(5/5)
- FortiGate (gateway) Sniffer:
dia sni pac any 'host 93.184.215.14' 4 0 l
2024-10-04 15:26:33.954440 port3 in 10.110.1.108.35580 -> 93.184.215.14.443: syn 2741619762
2024-10-04 15:26:33.954531 port1 out 10.47.1.75.35580 -> 93.184.215.14.443: syn 2741619762
2024-10-04 15:26:34.142223 port1 in 93.184.215.14.443 -> 10.47.1.75.35580: syn 1242727566 ack 2741619763
2024-10-04 15:26:34.142291 port3 out 93.184.215.14.443 -> 10.110.1.108.35580: syn 1242727566 ack 2741619763
2024-10-04 15:26:34.142742 port3 in 10.110.1.108.35580 -> 93.184.215.14.443: ack 1242727567
2024-10-04 15:26:34.142766 port1 out 10.47.1.75.35580 -> 93.184.215.14.443: ack 1242727567
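To confirm that the pool actually took effect rather than reading the outputs by eye, the check below (an added example, not code from the article or from Fortinet) parses a 'dia wad session list' entry and the egress-side sniffer output, and reports whether the translated source address falls inside test-pool's startip..endip range and is the source seen on the wire. The sample lines are copied from the outputs above; the function names are this example's own.

```python
import ipaddress
import re

# Pool range and sample inputs, constructed from the article's outputs.
POOL_START = ipaddress.ip_address("10.110.1.100")
POOL_END = ipaddress.ip_address("10.110.1.110")
SESSION_BEFORE = ("Session: explicit proxy 10.100.1.61:59818(10.110.1.46:54152)"
                  "->93.184.215.14:443 id=379184883 worker=1 vd=0:0 fw-policy=1")
SESSION_AFTER = ("Session: explicit proxy 10.100.1.61:60353(10.110.1.108:35580)"
                 "->93.184.215.14:443 id=379185277 worker=1 vd=0:0 fw-policy=1")
SNIFFER_AFTER = ("2024-10-04 15:26:33.962695 port3 out 10.110.1.108.35580 -> "
                 "93.184.215.14.443: syn 2741619762\n"
                 "2024-10-04 15:26:34.150884 port3 in 93.184.215.14.443 -> "
                 "10.110.1.108.35580: syn 1242727566 ack 2741619763\n")

# WAD prints client:port(egress:port)->dst:port ... fw-policy=N
SESSION_RE = re.compile(
    r"explicit proxy (?P<client>[\d.]+):(?P<cport>\d+)"
    r"\((?P<egress>[\d.]+):(?P<eport>\d+)\)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r".*?fw-policy=(?P<policy>\d+)")

def parse_wad_session(line):
    """Split one 'dia wad session list' entry into addresses and policy id."""
    m = SESSION_RE.search(line)
    if not m:
        raise ValueError("not an explicit proxy session line")
    d = m.groupdict()
    return {"client": d["client"], "egress": d["egress"],
            "egress_port": int(d["eport"]), "dst": d["dst"],
            "dst_port": int(d["dport"]), "policy": int(d["policy"])}

def in_pool(ip, start=POOL_START, end=POOL_END):
    """True if ip lies inside the pool's startip..endip range (inclusive)."""
    return start <= ipaddress.ip_address(ip) <= end

def egress_seen_in_sniffer(sniffer_text, session):
    """True if an outbound SYN sourced from the translated address is on the wire."""
    pat = re.compile(r"out %s\.%d -> %s\.%d: syn" % (
        re.escape(session["egress"]), session["egress_port"],
        re.escape(session["dst"]), session["dst_port"]))
    return pat.search(sniffer_text) is not None

def check_session(line, sniffer_text=""):
    """Annotate a session with pool membership and, if given, wire confirmation."""
    s = parse_wad_session(line)
    s["from_pool"] = in_pool(s["egress"])
    s["on_wire"] = egress_seen_in_sniffer(sniffer_text, s) if sniffer_text else None
    return s
```

Run check_session(SESSION_BEFORE) and check_session(SESSION_AFTER, SNIFFER_AFTER) to see from_pool flip from False to True once the pool is applied to policy 1.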