michale65
New Contributor

Correlation Source Port of local-in to forward policy - Fortigate Explicit Proxy

Hi!

I am just struggling with the correlation of my logs. Currently, I am using FortiGate 6.4.11 with Explicit proxy.

Local-In-Policy is showing the "original" source port and IP of every connection.

But: I am not able to do any correlation between the outgoing "forward-proxy-policy"-log entry and the original "local-in-policy"-log-entry.

Are you aware of any possibility to do this?

Background: I am using Linux terminal servers. As there is no Linux terminal server agent, I have to find out which user opened e.g. a malicious URL. The Linux EDR shows the source port for every user, but the source port in the "forward-policy" entry that shows that the malicious URL has been opened is not the original source port.

Thank you for your help

gfleming
Staff

If I understand your issue correctly, you can try setting "set fixedport enable" in your firewall policy. This will prevent the FortiGate from changing the source port in the outbound, Source-NATted packet.

Cheers,
Graham
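
An added example, not part of the thread and not Fortinet code: once the logged source port matches the client's original port, a log entry can be tied to a terminal-server user by joining it to EDR socket records on source IP, source port and time. The EDR record layout, the sample log line and the 5-second window are assumptions constructed for illustration, and both clocks are assumed to be synchronized.

```python
import shlex
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample line (not from the thread), in FortiGate's key=value layout.
FGT_LOG = ('date=2023-03-01 time=10:15:02 srcip=10.0.0.5 srcport=51544 '
           'dstip=203.0.113.9 dstport=443 url="https://bad.example/x"')

# Hypothetical EDR export: one record per outbound socket on the terminal server.
EDR = [
    {"user": "alice", "ip": "10.0.0.5", "port": 51544, "ts": "2023-03-01 10:15:01"},
    # Same ephemeral port, reused by another user hours earlier.
    {"user": "bob", "ip": "10.0.0.5", "port": 51544, "ts": "2023-03-01 08:00:00"},
    # Same host at the same moment, different port.
    {"user": "carol", "ip": "10.0.0.5", "port": 40022, "ts": "2023-03-01 10:15:02"},
]

def parse_kv(line):
    """Parse one key=value log line (quoted values allowed) into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def attribute(log_line, edr_records, window=timedelta(seconds=5)):
    """Return users whose EDR socket matches the log's srcip/srcport in time.

    All users share the terminal server's IP, so the port is the discriminator;
    the time window guards against ephemeral-port reuse by a different user.
    """
    rec = parse_kv(log_line)
    seen = datetime.strptime(f"{rec['date']} {rec['time']}", FMT)
    users = []
    for e in edr_records:
        opened = datetime.strptime(e["ts"], FMT)
        if (e["ip"] == rec["srcip"] and str(e["port"]) == rec["srcport"]
                and abs(seen - opened) <= window):
            users.append(e["user"])
    return users

if __name__ == "__main__":
    print(parse_kv(FGT_LOG)["url"], "->", attribute(FGT_LOG, EDR))
```

More than one returned user means the window is too wide to separate port reuse, and the entry needs manual review.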