FortiProxy
KC_Hing
Staff
Article Id 383547
Description This article describes FortiProxy policy matching behavior with the pass-through option enabled.
Scope FortiProxy.
Solution

By default, FortiProxy evaluates the policy list from top to bottom and applies the first policy that matches the traffic; once a policy matches, the policies below it are not evaluated.

From v7.0.1 onwards, a policy can be configured with the pass-through option. When traffic matches a policy that has pass-through enabled, FortiProxy does not stop at that policy but continues to evaluate the policies below it, and the last policy that matches is the one applied to the session.

Below is an example of a policy setup with pass-through enabled on the first policy.


GUI:

(Screenshot fpx1.PNG: the policy as configured in the GUI, with the pass-through option enabled.)


CLI:

config firewall policy
    edit 1
        set type explicit-web
        set name "Rule1"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set pass-through enable    <----- Pass-through enabled: matching continues to the policies below.
        set utm-status enable
        set logtraffic all
        set application 15832    <----- Facebook application.
        set ssl-ssh-profile "Custom-deep-inspection"
        set av-profile "default"
    next
    edit 2
        set type explicit-web
        set name "Rule2"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set pass-through disable    <----- Default: a match here ends the evaluation.
        set utm-status enable
        set logtraffic all
        set ssl-ssh-profile "Custom-deep-inspection2"
        set av-profile "default"
        set webfilter-profile "default"
    next
end


In this scenario, the Facebook traffic matches both policies: Rule1, because its application entry 15832 (Facebook) matches, and Rule2, which has no application restriction. Because Rule1 has pass-through enabled, evaluation does not stop there, and Rule2, the last matching policy, is the one applied to the session. Note that Rule2 carries a different SSL/SSH inspection profile and a web filter profile that Rule1 does not, so which of the two policies is applied changes the inspection the traffic receives.

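The matching rule described above can be modelled in a few lines to see how the same traffic is handled with and without pass-through. The following Python is an added example written for this article, not FortiProxy code; the policy attributes and the application ID 15832 come from the CLI example above, while the match function is a simplification covering source, destination and application only. One assumption is labelled in the code: a matching policy with pass-through disabled ends the evaluation, which the article's two-policy example does not distinguish from continuing to the end of the list.

```python
"""Model of FortiProxy policy selection with the pass-through option.

Added example for this article; not FortiProxy code. Policy attributes
and the application ID come from the article's CLI example; the matching
itself is a simplification covering source, destination and application.
"""
from dataclasses import dataclass, field
from typing import List, Optional

FACEBOOK_APP_ID = 15832  # application ID used on Rule1 in the article


@dataclass
class Policy:
    policy_id: int
    name: str
    pass_through: bool = False
    # An empty set means "any application", as on Rule2 in the article.
    applications: frozenset = field(default_factory=frozenset)
    srcaddr: str = "all"
    dstaddr: str = "all"

    def matches(self, src: str, dst: str, app_id: Optional[int]) -> bool:
        """Return True if this policy matches the given flow."""
        if self.srcaddr not in ("all", src):
            return False
        if self.dstaddr not in ("all", dst):
            return False
        if self.applications and app_id not in self.applications:
            return False
        return True


def select_policy(policies: List[Policy], src: str, dst: str,
                  app_id: Optional[int] = None) -> Optional[Policy]:
    """Walk the policy list top to bottom and return the policy applied.

    Default behaviour: the first matching policy is applied.
    With pass-through: a matching policy that has pass-through enabled is
    remembered, but evaluation continues with the policies below it; the
    last policy that matched is applied. Assumption (not settled by the
    article's two-policy example): a matching policy with pass-through
    disabled ends the evaluation.
    """
    chosen = None
    for pol in policies:
        if not pol.matches(src, dst, app_id):
            continue
        chosen = pol
        if not pol.pass_through:
            break
    return chosen


# The two policies from the article's CLI example (constructed here).
ARTICLE_POLICIES = [
    Policy(1, "Rule1", pass_through=True,
           applications=frozenset({FACEBOOK_APP_ID})),
    Policy(2, "Rule2", pass_through=False),
]

# The same list with pass-through disabled on Rule1: the default first-match behaviour.
DEFAULT_POLICIES = [
    Policy(1, "Rule1", pass_through=False,
           applications=frozenset({FACEBOOK_APP_ID})),
    Policy(2, "Rule2", pass_through=False),
]


def chosen_id(policies: List[Policy], app_id: Optional[int]) -> Optional[int]:
    """Policy ID applied to the client/server pair seen in the article's WAD output."""
    pol = select_policy(policies, "10.169.2.76", "163.70.132.23", app_id)
    return None if pol is None else pol.policy_id


if __name__ == "__main__":
    print("pass-through on Rule1, Facebook :", chosen_id(ARTICLE_POLICIES, FACEBOOK_APP_ID))
    print("default first match,   Facebook :", chosen_id(DEFAULT_POLICIES, FACEBOOK_APP_ID))
    print("pass-through on Rule1, other app:", chosen_id(ARTICLE_POLICIES, 1))
    print("Rule1 alone with pass-through   :", chosen_id(ARTICLE_POLICIES[:1], FACEBOOK_APP_ID))
```

Running the script shows policy 2 for Facebook traffic with the article's setup and policy 1 once pass-through is disabled on Rule1. It also covers the corner case the article's wording implies but does not show: a pass-through policy with nothing matching below it is itself the last match, so it is the policy applied.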

WAD debug (the policy selected is reported as policy-id=2 in the wad_http_req_policy_set line):

CONNECT static.xx.fbcdn.net:443 HTTP/1.1
Host: static.xx.fbcdn.net:443
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36

[I]wad_http_str_canonicalize :2200 enc=0 path=/ len=1 changes=0
[I]wad_http_conn_req_classify :6390 no security profile HTTPS/HTTP, tport=443
[I]wad_http_dns_resolve :8874 [0x7fdda825e608] DNS request name=static.xx.fbcdn.net len=19 type/pref/pref-strict=0/0/0
[I]wad_http_dns_request_done :14111 [0x7fdda825e608] DNS resolved: 163.70.132.23
[I]wad_fast_match_is_enable :4031 fast matching is enabled
[I]wad_fw_policy_async_match :7645 pol_ctx:xhcf|Ad|7?|=d
[I]wad_http_req_policy_set :11730 match policy-id=2(pol_ctx:xhcf|Ad|7?|=d) vd=0(ses_ctx:x|Phx|Mde|Hh|C|A7|O) (10.169.2.76:62811@6 -> 163.70.132.23:443@3)


WAD session list (fw-policy=2 confirms that Rule2 was applied to the session):

Session: explicit proxy 10.169.2.76:62811(10.47.18.157:35246)->163.70.132.23:443
id=1961065053 worker=0 vd=0:0 fw-policy=2
duration=53 expire=3547 session-ttl=3600
state=3 app=http sub_type=0 wan_opt_mode=0 dd_method=0
SSL enabled
to-client
SSL Port:
state=3
TCP Port:
state=2 r_blocks=1 w_blocks=0 read_blocked=0
bytes_in=2518 bytes_out=811 shutdown=0x0
to-server
SSL Port:
state=3
TCP Port:
state=2 r_blocks=1 w_blocks=0 read_blocked=0
bytes_in=465 bytes_out=516 shutdown=0x0
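When verifying a pass-through setup, the value worth checking is the policy ID that WAD actually applied, and it is available from two places: the wad_http_req_policy_set line in the debug output and the fw-policy field in the session list. The following Python is an added example, not part of the article or of FortiProxy; it extracts both values, correlates them on the client and server socket pairs, and reports any flow where the two disagree with each other or with the policy you expected. The two text blocks inside it are constructed from the shape of the output shown above, and the regular expressions are written for that shape (assumption: other firmware builds may format these lines differently).

```python
"""Cross-check which policy FortiProxy applied, from WAD debug and session output.

Added example, not from the original article or from Fortinet. The sample
text below is constructed from the shape of the article's output; the
regular expressions target that shape and are an assumption for other builds.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the tail of the article's WAD debug for the CONNECT request.
WAD_DEBUG = """\
[I]wad_fast_match_is_enable :4031 fast matching is enabled
[I]wad_fw_policy_async_match :7645 pol_ctx:xhcf|Ad|7?|=d
[I]wad_http_req_policy_set :11730 match policy-id=2(pol_ctx:xhcf|Ad|7?|=d) vd=0(ses_ctx:x|Phx|Mde|Hh|C|A7|O) (10.169.2.76:62811@6 -> 163.70.132.23:443@3)
"""

# Constructed sample: the header of the article's WAD session list entry.
WAD_SESSION = """\
Session: explicit proxy 10.169.2.76:62811(10.47.18.157:35246)->163.70.132.23:443
id=1961065053 worker=0 vd=0:0 fw-policy=2
duration=53 expire=3547 session-ttl=3600
"""

Flow = Tuple[str, str]  # (client src:port, server dst:port)

# "match policy-id=N ... (src:port@if -> dst:port@if)"
POLICY_SET_RE = re.compile(
    r"wad_http_req_policy_set .*?match policy-id=(?P<pid>\d+).*?"
    r"\((?P<src>[\d.]+:\d+)@\d+ -> (?P<dst>[\d.]+:\d+)@\d+\)"
)

# "Session: explicit proxy src:port(proxy:port)->dst:port" followed by the id line.
SESSION_RE = re.compile(
    r"^Session: explicit proxy (?P<src>[\d.]+:\d+)\([\d.]+:\d+\)->(?P<dst>[\d.]+:\d+)\n"
    r"id=\d+ worker=\d+ vd=\S+ fw-policy=(?P<pid>\d+)",
    re.MULTILINE,
)


def policies_from_debug(text: str) -> Dict[Flow, int]:
    """Map each flow in the debug output to the policy ID WAD reported for it."""
    return {(m["src"], m["dst"]): int(m["pid"]) for m in POLICY_SET_RE.finditer(text)}


def policies_from_sessions(text: str) -> Dict[Flow, int]:
    """Map each flow in the session list to its fw-policy value."""
    return {(m["src"], m["dst"]): int(m["pid"]) for m in SESSION_RE.finditer(text)}


def find_mismatches(debug_text: str, session_text: str,
                    expected_policy: int) -> List[Tuple[Flow, Optional[int], Optional[int]]]:
    """Return (flow, debug_policy, session_policy) for every flow that is not
    consistently on the expected policy; an empty list means all is well."""
    dbg = policies_from_debug(debug_text)
    ses = policies_from_sessions(session_text)
    problems = []
    for flow in sorted(set(dbg) | set(ses)):
        d, s = dbg.get(flow), ses.get(flow)
        if d != s or d != expected_policy:
            problems.append((flow, d, s))
    return problems


if __name__ == "__main__":
    # With the article's setup, Rule2 (policy 2) is expected for the Facebook flow.
    print("mismatches expecting policy 2:", find_mismatches(WAD_DEBUG, WAD_SESSION, 2))
    # Expecting the pass-through policy itself would be flagged.
    print("mismatches expecting policy 1:", find_mismatches(WAD_DEBUG, WAD_SESSION, 1))
```

Feed the function the debug output and session list captured from the device instead of the constructed samples; a flow reported on one policy in the debug line and another in the session list, or on a policy you did not expect, is the symptom to chase.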