FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
Adryan_you
Staff
Article Id 347031
Description: This article describes how to use an IP pool to change the egress IP address of the proxied session on FortiProxy.
Scope: FortiProxy.
Solution

By default, in an explicit proxy policy, the proxied session uses the IP address of the egress interface as its source IP address.

In this example, the proxied session matches policy ID 1 and egresses with the source IP address 10.110.1.46 toward the internet gateway (FortiGate).


computer <-> FortiProxy <-> FortiGate <-> Internet


  • Policy:

config firewall policy
    edit 1
      set type explicit-web
      set name "Test"
      set dstintf "port3" <<=== interface IP address 10.110.1.46
      set srcaddr "all"
      set dstaddr "all"
      set action accept
      set schedule "always"
      set service "webproxy"
      set explicit-web-proxy "web-proxy"
    next
end


  • FortiProxy WAD session info:


dia wad session list

Session: explicit proxy 10.100.1.61:59818(10.110.1.46:54152)->93.184.215.14:443
id=379184883 worker=1 vd=0:0 fw-policy=1
duration=10 expire=3590 session-ttl=3600
state=3 app=http sub_type=0 wan_opt_mode=0 dd_method=0


  • FortiProxy Sniffer:


dia sni pac any 'host 93.184.215.14 or port 8080' 4 0 l

....[below is the client-side proxy connection to port 8080]
2024-10-04 14:36:26.048451 port2 in 10.100.1.61.59818 -> 10.100.1.46.8080: syn 738242609
2024-10-04 14:36:26.048948 port2 out 10.100.1.46.8080 -> 10.100.1.61.59818: syn 1674756085 ack 738242610
2024-10-04 14:36:26.058942 port2 in 10.100.1.61.59818 -> 10.100.1.46.8080: ack 1674756086
2024-10-04 14:36:26.060031 port2 in 10.100.1.61.59818 -> 10.100.1.46.8080: psh 738242610 ack 1674756086
2024-10-04 14:36:26.060198 port2 out 10.100.1.46.8080 -> 10.100.1.61.59818: ack 738243099

.....[below is the proxied session from FortiProxy (FPX) to the internet gateway]

2024-10-04 14:36:26.071176 port3 out 10.110.1.46.54152 -> 93.184.215.14.443: syn 2155551277
2024-10-04 14:36:26.263606 port3 in 93.184.215.14.443 -> 10.110.1.46.54152: syn 4136654216 ack 2155551278
2024-10-04 14:36:26.264142 port3 out 10.110.1.46.54152 -> 93.184.215.14.443: ack 4136654217


  • FortiGate (gateway) Sniffer:


dia sni pac any 'host 93.184.215.14' 4 0 l
2024-10-04 14:36:26.077983 port3 in 10.110.1.46.54152 -> 93.184.215.14.443: syn 2155551277
2024-10-04 14:36:26.078251 port1 out 10.47.1.75.54152 -> 93.184.215.14.443: syn 2155551277
2024-10-04 14:36:26.269567 port1 in 93.184.215.14.443 -> 10.47.1.75.54152: syn 4136654216 ack 2155551278
2024-10-04 14:36:26.269611 port3 out 93.184.215.14.443 -> 10.110.1.46.54152: syn 4136654216 ack 2155551278
2024-10-04 14:36:26.270949 port3 in 10.110.1.46.54152 -> 93.184.215.14.443: ack 4136654217
2024-10-04 14:36:26.270978 port1 out 10.47.1.75.54152 -> 93.184.215.14.443: ack 4136654217


An IP pool can be applied to the explicit proxy policy to change the source IP address of the egress proxied session.

In this example, the IP pool 'test-pool' is created and applied to policy ID 1 on FortiProxy. The egress IP address of the proxied session is then translated to 10.110.1.108, as shown by the WAD debug line 'clt:10.100.1.61 got ip:10.110.1.108 from ip pool test-pool'.


config firewall ippool
    edit "test-pool"
      set startip 10.110.1.100
      set endip 10.110.1.110
    next
end


config firewall policy
    edit 1
      set poolname "test-pool"
    next
end


  • FortiProxy WAD session info:

Session: explicit proxy 10.100.1.61:60353(10.110.1.108:35580)->93.184.215.14:443
id=379185277 worker=1 vd=0:0 fw-policy=1
duration=21 expire=3581 session-ttl=3600
state=3 app=http sub_type=0 wan_opt_mode=0 dd_method=0


  • FortiProxy Sniffer:

....[below is the client-side proxy connection to port 8080]

2024-10-04 15:26:33.901187 port2 in 10.100.1.61.60353 -> 10.100.1.46.8080: syn 4040077146
2024-10-04 15:26:33.901748 port2 out 10.100.1.46.8080 -> 10.100.1.61.60353: syn 3774512860 ack 4040077147
2024-10-04 15:26:33.908283 port2 in 10.100.1.61.60353 -> 10.100.1.46.8080: ack 3774512861
2024-10-04 15:26:33.912210 port2 in 10.100.1.61.60353 -> 10.100.1.46.8080: psh 4040077147 ack 3774512861
2024-10-04 15:26:33.912247 port2 out 10.100.1.46.8080 -> 10.100.1.61.60353: ack 4040077354

.....[below is the proxied session from FortiProxy (FPX) to the internet gateway]

2024-10-04 15:26:33.962695 port3 out 10.110.1.108.35580 -> 93.184.215.14.443: syn 2741619762
2024-10-04 15:26:34.150884 port3 in 93.184.215.14.443 -> 10.110.1.108.35580: syn 1242727566 ack 2741619763
2024-10-04 15:26:34.151063 port3 out 10.110.1.108.35580 -> 93.184.215.14.443: ack 1242727567


  • FortiProxy WAD debug:


[I][p:1057][s:379185277][r:16824928] wad_dump_http_request :2833 hreq=0x7ff86249c048 Received request from client: 10.100.1.61:60353

CONNECT example.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: example.com:443

[I][p:1057][s:379185277][r:16824928] wad_http_dns_request_done :14039 [0x7ff86249c048] DNS resolved: 93.184.215.14
[I][p:1057][s:379185277][r:16824928] wad_http_req_policy_set :11736 match policy-id=1(pol_ctx:xhcf|Ad|7?|=d) vd=0(ses_ctx:x|Phx|Mde|Hh|C|A7|O) (10.100.1.61:60353@4 -> 93.184.215.14:443@5)
[I][p:1057][s:379185277][r:16824928] wad_ip_pool__get_ip :1491 clt:10.100.1.61 got ip:10.110.1.108 from ip pool IPPool, logic/phy intf(5/5)


  • FortiGate Sniffer:


dia sni pac any 'host 93.184.215.14' 4 0 l
2024-10-04 15:26:33.954440 port3 in 10.110.1.108.35580 -> 93.184.215.14.443: syn 2741619762
2024-10-04 15:26:33.954531 port1 out 10.47.1.75.35580 -> 93.184.215.14.443: syn 2741619762
2024-10-04 15:26:34.142223 port1 in 93.184.215.14.443 -> 10.47.1.75.35580: syn 1242727566 ack 2741619763
2024-10-04 15:26:34.142291 port3 out 93.184.215.14.443 -> 10.110.1.108.35580: syn 1242727566 ack 2741619763
2024-10-04 15:26:34.142742 port3 in 10.110.1.108.35580 -> 93.184.215.14.443: ack 1242727567
2024-10-04 15:26:34.142766 port1 out 10.47.1.75.35580 -> 93.184.215.14.443: ack 1242727567
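To confirm that the pool took effect, the egress address shown in parentheses in 'dia wad session list' and the source address of the outbound SYN on the egress interface in the sniffer output should both fall inside the pool's startip..endip range. The script below is an added example, not part of the original article: it parses sample lines constructed from the outputs above and makes that check, using the pool range and the egress interface name (port3) given in the article.

```python
import ipaddress
import re

# Constructed sample output, modelled on the 'dia wad session list' and
# 'dia sni pac' lines in this article: one session before the pool was
# applied (egress 10.110.1.46) and one after (egress 10.110.1.108).
WAD_SESSIONS = """\
Session: explicit proxy 10.100.1.61:59818(10.110.1.46:54152)->93.184.215.14:443
Session: explicit proxy 10.100.1.61:60353(10.110.1.108:35580)->93.184.215.14:443
"""
SNIFFER = """\
2024-10-04 15:26:33.912210 port2 in 10.100.1.61.60353 -> 10.100.1.46.8080: psh 4040077147 ack 3774512861
2024-10-04 15:26:33.962695 port3 out 10.110.1.108.35580 -> 93.184.215.14.443: syn 2741619762
2024-10-04 14:36:26.071176 port3 out 10.110.1.46.54152 -> 93.184.215.14.443: syn 2155551277
"""

# client:port(egress:port)->destination:port, as printed by the WAD session list
SESSION_RE = re.compile(
    r"Session: explicit proxy (?P<clt>[\d.]+):\d+\((?P<egress>[\d.]+):\d+\)->(?P<dst>[\d.]+):\d+")
# outbound SYN on an interface: "<date> <time> <intf> out <src>.<port> -> <dst>.<port>: syn <seq>"
SNIFF_RE = re.compile(
    r"^\S+ \S+ (?P<intf>\S+) out (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: syn \d+$")


def in_pool(ip, startip, endip):
    """True if ip lies in the inclusive startip..endip range of the IP pool."""
    addr = ipaddress.IPv4Address(ip)
    return ipaddress.IPv4Address(startip) <= addr <= ipaddress.IPv4Address(endip)


def check_sessions(text, startip, endip):
    """Return [(client, egress_ip, in_pool)] for each explicit proxy session."""
    result = []
    for m in SESSION_RE.finditer(text):
        egress = m.group("egress")
        result.append((m.group("clt"), egress, in_pool(egress, startip, endip)))
    return result


def egress_syn_sources(text, egress_intf):
    """Source IPs of outbound SYNs on the egress interface (new proxied sessions only)."""
    return [m.group("src") for m in (SNIFF_RE.match(l) for l in text.splitlines())
            if m and m.group("intf") == egress_intf]


if __name__ == "__main__":
    for clt, egress, ok in check_sessions(WAD_SESSIONS, "10.110.1.100", "10.110.1.110"):
        print(f"client {clt} egress {egress} in test-pool: {ok}")
    print("port3 SYN sources:", egress_syn_sources(SNIFFER, "port3"))
```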

