Hi guys,
I'm crashing on a problem that is driving me crazy.
I have a FortiGate 100D. I've configured the explicit web proxy on it, listening on the internal interface and using two parent proxies (proxy chain) to go out to the internet: in fact this FortiGate has no direct internet connection. Anyway, all works fine and the users can connect to the internet through the explicit proxy with their accounts. My problem is that I can't trace the users' web traffic even if I've checked all the necessary logging options in the Explicit Proxy Policy. As a matter of fact, I do not have the menu item "web log traffic". I'm using version 5.2.6 Build 0711.
Thanks in advance, folks!
Sergio
In the permit case, you should be expecting two log messages:
(a) at successful commencement (i.e. a match of a permit-type policy within firewall explicit-proxy-policy):
Apr 8 14:18:16 foo-fgt60c.net.vu.edu.au date=2016-04-08 time=14:18:16 devname=FG60C devid=FGT60C3G11005571 logid=0000000010 type=traffic subtype=forward level=notice vd=root srcip=140.1XX.XX.XX srcport=51991 srcintf="root.b" dstip=9.9.9.9 dstport=80 dstintf="root.b" sessionid=1386830245 dstcountry="United States" srccountry="Australia" service=webproxy_dport_80 wanoptapptype=web-proxy proto=6 duration=4 policyid=1 wanin=0 rcvdbyte=0 wanout=72 lanin=176 sentbyte=176 lanout=72 appcat="unscanned"
and (b) at session conclusion:
Apr 8 14:20:16 foo-fgt60c.net.vu.edu.au date=2016-04-08 time=14:20:16 devname=FG60C devid=FGT60C3G11005571 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=140.1XX.XX.XX srcport=2686 srcintf="internal4" dstip=9.9.9.9 dstport=80 dstintf="wan1" sessionid=627684 proto=6 action=close policyid=0 dstcountry="United States" srccountry="Australia" trandisp=noop service="HTTP" duration=124 sentbyte=348 rcvdbyte=0 sentpkt=5 rcvdpkt=0 appcat="unscanned"
Notice the two different session IDs.
In the deny case, you should be expecting one log message:
Apr 8 14:26:00 foo-fgt60c.net.vu.edu.au date=2016-04-08 time=14:26:00 devname=FG60C devid=FGT60C3G11005571 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=140.1XX.XX.XX srcport=52048 srcintf="root.b" dstip=9.9.9.9 dstport=81 dstintf=unknown-0 sessionid=0 proto=0 action=deny policyid=3 dstcountry="United States" srccountry="Australia" trandisp=noop service="other" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=high msg="Explicit proxy policy match failed"
There's no loggable 'implicit' policy (that is, a fall-through policy hit if no others hit) for explicit-proxy-policy, although such an implicit action can be specified using 'sec-default-action' (aka "default firewall policy action" in the GUI). You need to create your own deny policy and set its logtraffic.
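To make the three log shapes above concrete, here is an added Python example (not from the original thread or from Fortinet) that parses FortiGate key=value traffic logs, classifies each line as permit-start (logid 0000000010), permit-close or deny (logid 0000000013), lists the sources that hit the explicit deny policy, and collects the session IDs of permitted traffic so you can see that start and close carry different IDs. The sample lines are the ones quoted in the answer; the logid-to-meaning mapping is taken from those samples and is an assumption beyond them.

```python
import re
from typing import Dict, List

# key=value pairs; a value is either "quoted" (may contain spaces) or a bare token.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The three log lines quoted in the answer above (srcip is masked there as 140.1XX.XX.XX).
SAMPLE_LOGS = [
    'Apr 8 14:18:16 foo-fgt60c.net.vu.edu.au date=2016-04-08 time=14:18:16 devname=FG60C devid=FGT60C3G11005571 logid=0000000010 type=traffic subtype=forward level=notice vd=root srcip=140.1XX.XX.XX srcport=51991 srcintf="root.b" dstip=9.9.9.9 dstport=80 dstintf="root.b" sessionid=1386830245 dstcountry="United States" srccountry="Australia" service=webproxy_dport_80 wanoptapptype=web-proxy proto=6 duration=4 policyid=1 wanin=0 rcvdbyte=0 wanout=72 lanin=176 sentbyte=176 lanout=72 appcat="unscanned"',
    'Apr 8 14:20:16 foo-fgt60c.net.vu.edu.au date=2016-04-08 time=14:20:16 devname=FG60C devid=FGT60C3G11005571 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=140.1XX.XX.XX srcport=2686 srcintf="internal4" dstip=9.9.9.9 dstport=80 dstintf="wan1" sessionid=627684 proto=6 action=close policyid=0 dstcountry="United States" srccountry="Australia" trandisp=noop service="HTTP" duration=124 sentbyte=348 rcvdbyte=0 sentpkt=5 rcvdpkt=0 appcat="unscanned"',
    'Apr 8 14:26:00 foo-fgt60c.net.vu.edu.au date=2016-04-08 time=14:26:00 devname=FG60C devid=FGT60C3G11005571 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=140.1XX.XX.XX srcport=52048 srcintf="root.b" dstip=9.9.9.9 dstport=81 dstintf=unknown-0 sessionid=0 proto=0 action=deny policyid=3 dstcountry="United States" srccountry="Australia" trandisp=noop service="other" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=high msg="Explicit proxy policy match failed"',
]

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Turn the key=value body of a FortiGate syslog line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}

def classify_proxy_event(fields: Dict[str, str]) -> str:
    """Map a traffic log to permit-start / permit-close / deny / other.
    Assumption from the samples: logid 0000000010 = session start,
    logid 0000000013 = session end, with action=close or action=deny."""
    logid, action = fields.get("logid"), fields.get("action")
    if logid == "0000000010" and fields.get("wanoptapptype") == "web-proxy":
        return "permit-start"
    if logid == "0000000013" and action == "close":
        return "permit-close"
    if logid == "0000000013" and action == "deny":
        return "deny"
    return "other"

def summarize(lines: List[str]) -> Dict[str, object]:
    """Count event kinds, list sources that hit the explicit deny policy, and keep the
    session IDs of permitted traffic (start and close records carry different IDs)."""
    counts = {"permit-start": 0, "permit-close": 0, "deny": 0, "other": 0}
    denied, sessions = [], []
    for line in lines:
        f = parse_fortigate_log(line)
        kind = classify_proxy_event(f)
        counts[kind] += 1
        if kind == "deny" and f.get("msg") == "Explicit proxy policy match failed":
            if f.get("srcip") not in denied:
                denied.append(f.get("srcip"))
        elif kind.startswith("permit"):
            sessions.append(f.get("sessionid"))
    return {"counts": counts, "denied_sources": denied, "session_ids": sessions}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
```

Feed it the output of a syslog receiver to confirm that your own deny policy is actually producing logid 0000000013 / action=deny records; if only the start records appear, logtraffic on the deny policy is not set.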