FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
duenlim
Staff
Article Id 247482
Description This article describes an issue where the WhatsApp Desktop app does not work through FortiProxy and provides a workaround.
Scope FortiProxy.
Solution

WhatsApp Web (https://web.whatsapp.com/) works fine in a web browser through FortiProxy.

 

WhatsApp Desktop can be installed on Windows 8.1 or newer; refer to the WhatsApp FAQ.

 

A packet trace is taken while WhatsApp Desktop tries to connect and display the QR code.

 

The packet analysis shows that the client IP sends DNS queries to, and receives responses from, the DNS server directly, rather than letting the proxy resolve the names.

 

duenlim_0-1677568009525.png

 

The DNS responses contain the following addresses:

 

e12.whatsapp.net
15.197.206.217
15.197.210.208
3.33.221.48
3.33.252.61

 

a.whatsapp.net
157.240.15.61

 

The client IP then opens direct connections to those destination IPs without going through FortiProxy (highlighted in purple and green in the capture).

This normally happens because the application itself is not proxy-aware.

Proxy-aware software, such as a web browser, keeps using the proxy settings as configured. An application that is not proxy-aware resolves names and connects on its own, so confirm that the application supports a proxy before expecting it to work through FortiProxy.

 

Workaround:

Because the application does not reach the WhatsApp services through its own proxy configuration or through the Windows operating system proxy settings, create an exception on the firewall that allows the application's direct traffic, so that the QR code can be displayed in the client application. Traffic matched by this exception bypasses the proxy and is therefore not inspected by the FortiProxy proxy policies, so keep its source and destination scope as narrow as possible.

 

This assumes the traffic flow is Clients -> Explicit Proxy -> Firewall -> Internet, or an in-line transparent proxy.

 

To do this, create a central source NAT policy and a transparent firewall policy.

 

Below is an example of configuration:

 

Source NAT policy screen:

 

snat policy.png

 

Instead of 'all' in Source Address, use a subnet to restrict access.

The destinations in the dst-addr list below were taken from the packet capture (sniffer). Each one must already exist as an FQDN address object before the policy can reference it.

 

Source NAT policy from the CLI:

 

config firewall central-snat-map
    edit 1
        set srcintf "port3"
        set dstintf "port2"
        set src-addr "all"
        set dst-addr "chat.cdn.whatsapp.net" "crashlogs.whatsapp.net" "dit.whatsapp.net" "e1.whatsapp.net" "g.whatsapp.net" "graph.whatsapp.com" "web.whatsapp.com"
    next
end
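As an added worked example (not Fortinet code and not from the article), the script below automates the two steps described so far: it reads a packet-trace summary, lists every client flow that did not go to the explicit-proxy listener (the client's own DNS lookups and the direct TCP connections to the resolved addresses), and turns the resolved FQDNs into the address objects and central SNAT policy of this workaround. The client address, proxy listener, the source object "lan-clients" and the trace rows are all constructed for the example; the trace mimics tshark field output, and the FQDN address-object syntax is the FortiOS-style one, assumed to apply to the FortiProxy release in use.

```python
"""Find client flows that bypass an explicit proxy in a packet-trace summary.

Added example for the article's diagnosis and workaround steps; not Fortinet
code. Rows mimic `tshark -T fields -E separator='|'` output with the fields
ip.src, ip.dst, proto, dstport, dns.qry.name, dns.a (dns.a answers comma-joined).
"""
from typing import Dict, List, Tuple

CLIENT = "10.10.10.50"        # assumed Windows client running WhatsApp Desktop
PROXY = ("10.10.10.1", 8080)  # assumed FortiProxy explicit-proxy listener
DNS_PORT = 53

# Constructed trace: one proxied browser flow, then the pattern from the article:
# the client resolves WhatsApp names itself and connects to the answers directly.
TRACE = """\
# ip.src|ip.dst|proto|dstport|dns.qry.name|dns.a
10.10.10.50|10.10.10.1|tcp|8080||
10.10.10.50|10.10.10.2|udp|53|e12.whatsapp.net|
10.10.10.2|10.10.10.50|udp|50123|e12.whatsapp.net|15.197.206.217,3.33.221.48
10.10.10.50|10.10.10.2|udp|53|web.whatsapp.com|
10.10.10.2|10.10.10.50|udp|50124|web.whatsapp.com|203.0.113.10
10.10.10.50|15.197.206.217|tcp|443||
10.10.10.50|203.0.113.10|tcp|443||
10.10.10.50|3.33.221.48|tcp|5222||
"""

Flow = Tuple[str, str, str, int, str]  # (kind, dst, proto, dport, hostname)


def parse_trace(text: str) -> List[dict]:
    """Split the '|'-separated summary into rows; comment and blank lines are skipped."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 6:
            raise ValueError(f"unexpected field count in row: {raw!r}")
        src, dst, proto, dport, qname, answers = parts
        rows.append({"src": src, "dst": dst, "proto": proto, "dport": int(dport),
                     "qname": qname, "answers": answers})
    return rows


def resolved_names(rows: List[dict]) -> Dict[str, str]:
    """Map answered IP -> queried name, from DNS replies the client received directly."""
    names: Dict[str, str] = {}
    for r in rows:
        if r["dst"] == CLIENT and r["proto"] == "udp" and r["answers"]:
            for ip in r["answers"].split(","):
                names[ip] = r["qname"]
    return names


def bypass_flows(rows: List[dict]) -> List[Flow]:
    """Client-initiated flows that did not go to the proxy listener.

    A proxy-aware application only talks to PROXY; its own DNS lookups and the
    direct TCP connections to the answers are the bypass the article's capture shows.
    """
    names = resolved_names(rows)
    found = set()
    for r in rows:
        if r["src"] != CLIENT:
            continue
        if (r["dst"], r["dport"]) == PROXY:
            continue  # went through FortiProxy as intended
        if r["proto"] == "udp" and r["dport"] == DNS_PORT:
            found.add(("direct-dns", r["dst"], "udp", DNS_PORT, r["qname"]))
        else:
            found.add(("direct", r["dst"], r["proto"], r["dport"], names.get(r["dst"], "")))
    return sorted(found)


def bypass_hostnames(rows: List[dict]) -> List[str]:
    """Distinct FQDNs behind the direct connections: the dst-addr list for the exception."""
    return sorted({f[4] for f in bypass_flows(rows) if f[0] == "direct" and f[4]})


def render_exception_config(hostnames: List[str], srcintf: str = "port3",
                            dstintf: str = "port2", src_addr: str = "lan-clients") -> str:
    """Render the FQDN address objects plus the article's central SNAT policy.

    Assumed: FortiOS-style `config firewall address` / `set type fqdn` syntax and the
    hypothetical source object "lan-clients" (narrower than "all"); verify on your release.
    """
    lines = ["config firewall address"]
    for host in hostnames:
        lines += [f'    edit "{host}"', "        set type fqdn", f'        set fqdn "{host}"', "    next"]
    lines.append("end")
    lines += ["config firewall central-snat-map", "    edit 1",
              f'        set srcintf "{srcintf}"', f'        set dstintf "{dstintf}"',
              f'        set src-addr "{src_addr}"',
              "        set dst-addr " + " ".join(f'"{h}"' for h in hostnames),
              "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_trace(TRACE)
    for flow in bypass_flows(rows):
        print(*flow)
    print(render_exception_config(bypass_hostnames(rows)))
```

Run against the constructed trace, the browser flow to 10.10.10.1:8080 is ignored, the two DNS queries and three direct TCP connections are reported, and the rendered configuration covers only e12.whatsapp.net and web.whatsapp.com; a real capture will also show the other names listed in the policy above, and any destination that never appeared in the capture should not be added to the exception.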

 

Transparent policy:

 

Transparet policy.png

 

The source is the same as in the previous policy.

Under Destination, select the Internet Service called Meta-Whatsapp, a Fortinet-maintained database of WhatsApp server addresses; it tracks address changes so the policy does not depend on the individual IPs seen in the capture.

Leave all the other settings at their defaults.

 

Transparent Policy from the CLI:

 

config firewall policy
    edit 4
        set name "internet-open"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set action accept
        set schedule "always"
        set internet-service enable
        set internet-service-name "Meta-Whatsapp"
        set logtraffic all
    next
end

 

Note:

This workaround also applies to other applications that are not proxy-aware: substitute the IP addresses or FQDNs of their servers, taken from a packet capture in the same way.