Hi
I'm trying to figure out why my transparent proxy policies are allowing traffic when they shouldn't. I have a transparent proxy policy restricted to a single IP and FSSO group for testing, yet when I disable the policy, the test device/user still has internet access when no other transparent proxy policy should apply.
FortiGate 200E running 7.4.5
I've disabled fast matching and enabled WAD debug:
diag deb reset
diag wad debug enable category policy
diag wad deb enable level verbose
diag wad filter src <redacted>
diag deb ena
With the policy enabled, I see proxy policy 8 matching:
wad_http_req_check_policy :12911 start match policy vd=0(ses_ctx:t|Phx|Me|Hh|C|A1|O) (<redacted>:57019@19-><redacted>:80@20) absUrl=0
wad_fast_match_is_enable :3702 fast matching is disabled
wad_http_policy_get_cate_info :212 get category right away
wad_http_policy_match_one :454 fw_pol_id=8(pol_ctx:th|Acd|7|=p) pflag:H|W|U|Ac asyn_info=1
wad_vwl_has_intf :329 logic/phyical if_idx(20/20),fw_intf=virtual-wan-link,matched=1
__wad_fw_policy_match_user :4578 matched cached grp:NA
wad_fw_policy_async_match :5355 pol_ctx:th|Acd|7|=d
wad_http_req_policy_set :11195 match policy-id=0(pol_ctx:th|Acd|7|=d) vd=0(ses_ctx:t|Phx|Me|Hh|C|A1|O) (<redacted>:57019@19 -> <redacted>:80@20)
wad_http_req_proc_policy :10752 POLICY DENIED
With the policy disabled, I see:
wad_http_req_check_policy :12911 start match policy vd=0(ses_ctx:t|Ph|M|Hhf|C|A1|O) (<redacted>:57171@19-><redacted>:80@20) absUrl=0
wad_fast_match_is_enable :3702 fast matching is disabled
wad_fw_policy_async_match :5355 pol_ctx:th|Ad|7|=d
wad_http_req_policy_set :11195 match policy-id=0(pol_ctx:th|Ad|7|=d) vd=0(ses_ctx:t|Ph|Me|Hhf|C|A1|O) (<redacted>:57171@19 -> <redacted>:80@20)
wad_http_req_proc_policy :10752 POLICY DENIED
wad_http_req_check_policy :12911 start match policy vd=0(ses_ctx:t|Ph|M|Hhf|C|A1|O) (<redacted>:57185@19-><redacted>:80@20) absUrl=0
wad_fast_match_is_enable :3702 fast matching is disabled
wad_fw_policy_async_match :5355 pol_ctx:th|Ad|7|=d
wad_http_req_policy_set :11195 match policy-id=0(pol_ctx:th|Ad|7|=d) vd=0(ses_ctx:t|Ph|Me|Hhf|C|A1|O) (<redacted>:57185@19 -> <redacted>:80@20)
wad_http_req_proc_policy :10752 POLICY DENIED
wad_http_req_check_policy :12911 start match policy vd=0(ses_ctx:t|Ph|M|Hhf|C|A1|O) (<redacted>:57184@19-><redacted>:80@20) absUrl=0
wad_fast_match_is_enable :3702 fast matching is disabled
wad_fw_policy_async_match :5355 pol_ctx:th|Ad|7|=d
wad_http_req_policy_set :11195 match policy-id=0(pol_ctx:th|Ad|7|=d) vd=0(ses_ctx:t|Ph|Me|Hhf|C|A1|O) (<redacted>:57184@19 -> <redacted>:80@20)
wad_http_req_proc_policy :10752 POLICY DENIED
wad_http_req_check_policy :12911 start match policy vd=0(ses_ctx:t|Phx|Me|Hh|C|A1|O) (<redacted>:57185@19-><redacted>:80@20) absUrl=0
wad_fast_match_is_enable :3702 fast matching is disabled
wad_fw_policy_async_match :5355 pol_ctx:th|Ad|7|=d
wad_http_req_policy_set :11195 match policy-id=0(pol_ctx:th|Ad|7|=d) vd=0(ses_ctx:t|Phx|Me|Hh|C|A1|O) (<redacted>:57185@19 -> <redacted>:80@20)
wad_http_req_proc_policy :10752 POLICY DENIED
What does the "wad_http_req_proc_policy :10752 POLICY DENIED" mean? I see it in both log snippets.
The second snippet seems to only show policy 0, the implicit deny, matching, yet somehow my test device still has internet access?
Hello,
WAD debugs would require some extensive checks, and it would be better if you create a support ticket with the TAC team and share the WAD debug file so they can analyze it and let you know the reason.
Have a nice day!
Make sure the traffic being "allowed" is actually matching the IPv4 policy that performs proxy redirection (the policy having "Proxy HTTP(S) Traffic" option enabled).
Also try different websites. The one you're trying could simply be cached.
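To make the two debug snippets in the question easier to compare, and to cross-check each request against the IPv4 policy the answer above points at, here is a small parser added as an example (it is not code from the post, from Fortinet, or from FortiOS). It groups the lines printed by `diag wad debug enable category policy` per HTTP request (keyed by the source/destination tuple on the `start match policy` line), records every `fw_pol_id=N` candidate that `wad_http_policy_match_one` evaluated, the `policy-id` that `wad_http_req_policy_set` finally selected, and the verdict string from `wad_http_req_proc_policy`. The sample lines are constructed to match the post's format, with RFC 5737 documentation addresses in place of the redacted ones; the record field names and helper names are this script's own assumptions, and the parser also works on output where the addresses are still `<redacted>`.

```python
"""Parse FortiGate WAD policy-debug output into per-request records.

Added example, not from the original post or from Fortinet.  It reads
the lines that 'diag wad debug enable category policy' prints and groups
them by HTTP request so that, for each request, you can see which
explicit proxy policies were evaluated (fw_pol_id=N), which policy-id
was finally set, and the verdict string WAD printed.  Field names are
this script's own; the line layout is taken from the post's output.
"""
import re

# Constructed sample in the same shape as the post's debug output
# (203.0.113.0/24 and 10.0.0.5 are documentation addresses, not real hosts).
SAMPLE_WAD_DEBUG = """\
wad_http_req_check_policy :12911 start match policy vd=0(ses_ctx:t|Phx|Me|Hh|C|A1|O) (10.0.0.5:57019@19->203.0.113.10:80@20) absUrl=0
wad_fast_match_is_enable :3702 fast matching is disabled
wad_http_policy_match_one :454 fw_pol_id=8(pol_ctx:th|Acd|7|=p) pflag:H|W|U|Ac asyn_info=1
wad_fw_policy_async_match :5355 pol_ctx:th|Acd|7|=d
wad_http_req_policy_set :11195 match policy-id=0(pol_ctx:th|Acd|7|=d) vd=0(ses_ctx:t|Phx|Me|Hh|C|A1|O) (10.0.0.5:57019@19 -> 203.0.113.10:80@20)
wad_http_req_proc_policy :10752 POLICY DENIED
wad_http_req_check_policy :12911 start match policy vd=0(ses_ctx:t|Ph|M|Hhf|C|A1|O) (10.0.0.5:57171@19->203.0.113.10:80@20) absUrl=0
wad_fast_match_is_enable :3702 fast matching is disabled
wad_fw_policy_async_match :5355 pol_ctx:th|Ad|7|=d
wad_http_req_policy_set :11195 match policy-id=0(pol_ctx:th|Ad|7|=d) vd=0(ses_ctx:t|Ph|Me|Hhf|C|A1|O) (10.0.0.5:57171@19 -> 203.0.113.10:80@20)
wad_http_req_proc_policy :10752 POLICY DENIED
"""

RE_START = re.compile(r"^wad_http_req_check_policy .*start match policy")
# "(src:sport@ifidx->dst:dport@ifidx)", with or without spaces around "->"
RE_TUPLE = re.compile(r"\(([^:()\s]+):(\d+)@\d+\s*->\s*([^:()\s]+):(\d+)@\d+\)")
RE_CANDIDATE = re.compile(r"fw_pol_id=(\d+)")
RE_FINAL = re.compile(r"match policy-id=(\d+)")
RE_VERDICT = re.compile(r"^wad_http_req_proc_policy :\d+ (POLICY .*)$")


def parse_wad_policy_debug(text):
    """Return one dict per HTTP request seen in the debug text."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RE_START.search(line):
            m = RE_TUPLE.search(line)
            current = {
                "src": m.group(1) if m else None,
                "sport": int(m.group(2)) if m else None,
                "dst": m.group(3) if m else None,
                "dport": int(m.group(4)) if m else None,
                "candidates": [],   # fw_pol_id values evaluated for this request
                "policy_id": None,  # policy-id finally set by wad_http_req_policy_set
                "verdict": None,    # verdict string from wad_http_req_proc_policy
            }
            records.append(current)
            continue
        if current is None:
            continue  # lines before the first "start match policy" are ignored
        m = RE_CANDIDATE.search(line)
        if m and "wad_http_policy_match_one" in line:
            current["candidates"].append(int(m.group(1)))
            continue
        m = RE_FINAL.search(line)
        if m and "wad_http_req_policy_set" in line:
            current["policy_id"] = int(m.group(1))
            continue
        m = RE_VERDICT.match(line)
        if m:
            current["verdict"] = m.group(1)
    return records


def only_implicit_policy(records):
    """Requests that ended on policy-id 0, i.e. no explicit proxy policy was selected."""
    return [r for r in records if r["policy_id"] == 0]


def format_summary(records):
    """One line per request: tuple, policies evaluated, policy-id set, verdict."""
    lines = []
    for r in records:
        cands = ",".join(str(c) for c in r["candidates"]) or "-"
        lines.append(
            f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
            f"evaluated=[{cands}] policy-id={r['policy_id']} {r['verdict']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(parse_wad_policy_debug(SAMPLE_WAD_DEBUG)))
```

Run it against a saved `diag debug` capture instead of the constructed sample by reading the file into `parse_wad_policy_debug`. The per-request source port in the summary is what you correlate with the session table when checking whether that session actually hit the IPv4 policy with proxy redirection enabled; requests that never appear in the WAD output at all (rather than ending on policy-id 0) are the ones that were not redirected to the proxy in the first place.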
Copyright 2024 Fortinet, Inc. All Rights Reserved.