Support Forum
SMGK74

Logging Explicit Proxy Web Traffic

Hi guys,

I'm stuck on a problem that is driving me crazy.

I have a FortiGate 100D. I've configured the explicit web proxy on it, listening on the internal interface and using two parent proxies (proxy chain) to go out to the internet: in fact this FortiGate has no direct internet connection. Anyway, everything works fine and the users can connect to the internet through the explicit proxy with their accounts. My problem is that I can't trace the users' web traffic, even though I've enabled all the necessary logging options in the Explicit Proxy Policy. In fact, I don't have the menu item "web log traffic". I'm using version 5.2.6 build 0711.

 

Thanks in advance, folks!

 

Sergio

 

Sergio Marchi
AlexFeren

In the permit case, you should expect two log messages:

(a) at successful commencement (i.e. a match of a permit-type policy within firewall explicit-proxy-policy):

Apr  8 14:18:16 foo-fgt60c.net.vu.edu.au date=2016-04-08 time=14:18:16 devname=FG60C devid=FGT60C3G11005571 logid=0000000010 type=traffic subtype=forward level=notice vd=root srcip=140.1XX.XX.XX srcport=51991 srcintf="root.b" dstip=9.9.9.9 dstport=80 dstintf="root.b" sessionid=1386830245 dstcountry="United States" srccountry="Australia" service=webproxy_dport_80 wanoptapptype=web-proxy proto=6 duration=4 policyid=1 wanin=0 rcvdbyte=0 wanout=72 lanin=176 sentbyte=176 lanout=72 appcat="unscanned"

and (b) at session conclusion:

Apr  8 14:20:16 foo-fgt60c.net.vu.edu.au date=2016-04-08 time=14:20:16 devname=FG60C devid=FGT60C3G11005571 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=140.1XX.XX.XX srcport=2686 srcintf="internal4" dstip=9.9.9.9 dstport=80 dstintf="wan1" sessionid=627684 proto=6 action=close policyid=0 dstcountry="United States" srccountry="Australia" trandisp=noop service="HTTP" duration=124 sentbyte=348 rcvdbyte=0 sentpkt=5 rcvdpkt=0 appcat="unscanned"

Notice, two different session ids.

 

In the deny case, you should expect one log message:

Apr  8 14:26:00 foo-fgt60c.net.vu.edu.au date=2016-04-08 time=14:26:00 devname=FG60C devid=FGT60C3G11005571 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=140.1XX.XX.XX srcport=52048 srcintf="root.b" dstip=9.9.9.9 dstport=81 dstintf=unknown-0 sessionid=0 proto=0 action=deny policyid=3 dstcountry="United States" srccountry="Australia" trandisp=noop service="other" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=high msg="Explicit proxy policy match failed"

 

There's no loggable 'implicit' policy (that is, a fall-through policy that is hit if no others match) for explicit-proxy-policy, although such an implicit action can be specified using 'sec-default-action' (aka "default firewall policy action" in the GUI). You need to create your own deny policy and set its logtraffic.
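As an added example (not part of the original reply or of any Fortinet tool), the following Python script parses FortiGate key=value traffic logs and sorts them into the three cases the reply describes: the web-proxy commencement record (logid 0000000010), the session close record (action=close) and the explicit deny record (action=deny with msg="Explicit proxy policy match failed"). The sample lines are constructed for this example and follow the field layout quoted above; hostnames, addresses, ports and session ids are made up. Because the start and close records carry different session ids, the script correlates them on (srcip, dstip, dstport) instead.

```python
"""Classify FortiGate explicit-proxy traffic logs (constructed sample data)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines modelled on the field layout quoted in the reply.
# Host names, devids, addresses, ports and session ids are invented.
SAMPLE_LOGS = [
    'Apr  8 14:18:16 fgt-example date=2016-04-08 time=14:18:16 devname=FGT-EXAMPLE '
    'devid=FGTEXAMPLE0001 logid=0000000010 type=traffic subtype=forward level=notice '
    'vd=root srcip=10.0.0.25 srcport=51991 srcintf="root.b" dstip=192.0.2.10 dstport=80 '
    'dstintf="root.b" sessionid=1386830245 service=webproxy_dport_80 '
    'wanoptapptype=web-proxy proto=6 duration=4 policyid=1 sentbyte=176 rcvdbyte=0 '
    'appcat="unscanned"',
    'Apr  8 14:20:16 fgt-example date=2016-04-08 time=14:20:16 devname=FGT-EXAMPLE '
    'devid=FGTEXAMPLE0001 logid=0000000013 type=traffic subtype=forward level=notice '
    'vd=root srcip=10.0.0.25 srcport=2686 srcintf="internal4" dstip=192.0.2.10 dstport=80 '
    'dstintf="wan1" sessionid=627684 proto=6 action=close policyid=0 trandisp=noop '
    'service="HTTP" duration=124 sentbyte=348 rcvdbyte=0 appcat="unscanned"',
    'Apr  8 14:26:00 fgt-example date=2016-04-08 time=14:26:00 devname=FGT-EXAMPLE '
    'devid=FGTEXAMPLE0001 logid=0000000013 type=traffic subtype=forward level=notice '
    'vd=root srcip=10.0.0.25 srcport=52048 srcintf="root.b" dstip=192.0.2.10 dstport=81 '
    'dstintf=unknown-0 sessionid=0 proto=0 action=deny policyid=3 trandisp=noop '
    'service="other" duration=0 sentbyte=0 rcvdbyte=0 appcat="unscanned" crscore=30 '
    'craction=131072 crlevel=high msg="Explicit proxy policy match failed"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Return the key=value fields of one syslog line with quotes stripped.
    The leading syslog timestamp and hostname contain no '=' and are skipped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(rec: dict) -> str:
    """Map a parsed traffic record to the cases described in the reply."""
    if rec.get("type") != "traffic":
        return "other"
    if rec.get("action") == "deny":
        return "deny"
    if rec.get("action") == "close":
        return "close"
    if rec.get("logid") == "0000000010" and rec.get("wanoptapptype") == "web-proxy":
        return "proxy-start"
    return "other"


def summarize(lines):
    """Count record kinds and group records per (srcip, dstip, dstport) flow.

    Session ids differ between the proxy-start and close records, so the
    flow tuple, not sessionid, is the join key. Each flow maps to a
    time-ordered list of (timestamp, kind, sessionid, policyid, msg)."""
    counts = Counter()
    flows = {}
    for line in lines:
        rec = parse_fortigate_log(line)
        kind = classify(rec)
        counts[kind] += 1
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        key = (rec.get("srcip"), rec.get("dstip"), rec.get("dstport"))
        flows.setdefault(key, []).append(
            (ts, kind, rec.get("sessionid"), rec.get("policyid"), rec.get("msg"))
        )
    for events in flows.values():
        events.sort()
    return counts, flows


def denied_flows(lines):
    """Return (srcip, dstip, dstport, policyid, msg) for every explicit deny,
    i.e. hits on a user-created deny policy with logtraffic enabled."""
    out = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if classify(rec) == "deny":
            out.append((rec["srcip"], rec["dstip"], rec["dstport"],
                        rec["policyid"], rec.get("msg")))
    return out


if __name__ == "__main__":
    counts, flows = summarize(SAMPLE_LOGS)
    print("record counts:", dict(counts))
    for flow, events in flows.items():
        print(flow)
        for ts, kind, sid, pid, msg in events:
            print(f"  {ts} {kind:<12} sessionid={sid} policyid={pid} {msg or ''}")
    print("denied:", denied_flows(SAMPLE_LOGS))
```

Run it as-is to see the three records classified, or point `summarize()` at lines read from your syslog collector. If `denied_flows()` stays empty while users are clearly being blocked, that matches the reply's last point: there is no logged implicit deny, so a deny policy of your own with logtraffic set is what produces those records.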
