hillsitsupp
New Contributor III

Debugging Transparent Proxy Policy Matching

Hi

I'm trying to figure out why my transparent proxy policies are allowing traffic when they shouldn't. I have a transparent proxy policy restricted to a single IP and FSSO group for testing, yet when I disable the policy, the test device/user still has internet access when no other transparent proxy policy should apply.

 

Fortigate 200E running 7.4.5

 

I've disabled fast-matching, and enabled WAD debug:

 

diag deb reset
diag wad debug enable category policy
diag wad deb enable level verbose
diag wad filter src <redacted>
diag deb ena

 

With the policy enabled, I see proxy policy 8 matching:

 

wad_http_req_check_policy :12911 start match policy vd=0(ses_ctx:t|Phx|Me|Hh|C|A1|O) (<redacted>:57019@19-><redacted>:80@20) absUrl=0
wad_fast_match_is_enable :3702 fast matching is disabled
wad_http_policy_get_cate_info :212 get category right away
wad_http_policy_match_one :454 fw_pol_id=8(pol_ctx:th|Acd|7|=p) pflag:H|W|U|Ac asyn_info=1
wad_vwl_has_intf :329 logic/phyical if_idx(20/20),fw_intf=virtual-wan-link,matched=1
__wad_fw_policy_match_user :4578 matched cached grp:NA
wad_fw_policy_async_match :5355 pol_ctx:th|Acd|7|=d
wad_http_req_policy_set :11195 match policy-id=0(pol_ctx:th|Acd|7|=d) vd=0(ses_ctx:t|Phx|Me|Hh|C|A1|O) (<redacted>:57019@19 -> <redacted>:80@20)
wad_http_req_proc_policy :10752 POLICY DENIED

 

With the policy disabled, I see:

 

wad_http_req_check_policy :12911 start match policy vd=0(ses_ctx:t|Ph|M|Hhf|C|A1|O) (<redacted>:57171@19-><redacted>:80@20) absUrl=0
wad_fast_match_is_enable :3702 fast matching is disabled
wad_fw_policy_async_match :5355 pol_ctx:th|Ad|7|=d
wad_http_req_policy_set :11195 match policy-id=0(pol_ctx:th|Ad|7|=d) vd=0(ses_ctx:t|Ph|Me|Hhf|C|A1|O) (<redacted>:57171@19 -> <redacted>:80@20)
wad_http_req_proc_policy :10752 POLICY DENIED
wad_http_req_check_policy :12911 start match policy vd=0(ses_ctx:t|Ph|M|Hhf|C|A1|O) (<redacted>:57185@19-><redacted>:80@20) absUrl=0
wad_fast_match_is_enable :3702 fast matching is disabled
wad_fw_policy_async_match :5355 pol_ctx:th|Ad|7|=d
wad_http_req_policy_set :11195 match policy-id=0(pol_ctx:th|Ad|7|=d) vd=0(ses_ctx:t|Ph|Me|Hhf|C|A1|O) (<redacted>:57185@19 -> <redacted>:80@20)
wad_http_req_proc_policy :10752 POLICY DENIED
wad_http_req_check_policy :12911 start match policy vd=0(ses_ctx:t|Ph|M|Hhf|C|A1|O) (<redacted>:57184@19-><redacted>:80@20) absUrl=0
wad_fast_match_is_enable :3702 fast matching is disabled
wad_fw_policy_async_match :5355 pol_ctx:th|Ad|7|=d
wad_http_req_policy_set :11195 match policy-id=0(pol_ctx:th|Ad|7|=d) vd=0(ses_ctx:t|Ph|Me|Hhf|C|A1|O) (<redacted>:57184@19 -> <redacted>:80@20)
wad_http_req_proc_policy :10752 POLICY DENIED
wad_http_req_check_policy :12911 start match policy vd=0(ses_ctx:t|Phx|Me|Hh|C|A1|O) (<redacted>:57185@19-><redacted>:80@20) absUrl=0
wad_fast_match_is_enable :3702 fast matching is disabled
wad_fw_policy_async_match :5355 pol_ctx:th|Ad|7|=d
wad_http_req_policy_set :11195 match policy-id=0(pol_ctx:th|Ad|7|=d) vd=0(ses_ctx:t|Phx|Me|Hh|C|A1|O) (<redacted>:57185@19 -> <redacted>:80@20)
wad_http_req_proc_policy :10752 POLICY DENIED

 

 

What does the "wad_http_req_proc_policy :10752 POLICY DENIED" mean? I see it in both log snippets.

 

The second snippet seems to only show policy 0, the implicit deny, matching, yet somehow my test device still has internet access?
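
An added example, not part of the original thread and not Fortinet code: a small Python parser for the WAD policy-debug lines shown above, grouping them per request so the candidate policy ids, the final policy-id and the verdict string can be compared between the two captures. The sample input is constructed (documentation addresses replace the redacted ones), the function names are hypothetical, and it assumes requests are not interleaved in the output.

```python
import re

# Constructed sample: same line shapes as the thread's output, with
# documentation addresses in place of the redacted ones.
SAMPLE = """\
wad_http_req_check_policy :12911 start match policy vd=0(ses_ctx:t|Phx|Me|Hh|C|A1|O) (192.0.2.10:57019@19->198.51.100.5:80@20) absUrl=0
wad_fast_match_is_enable :3702 fast matching is disabled
wad_http_policy_match_one :454 fw_pol_id=8(pol_ctx:th|Acd|7|=p) pflag:H|W|U|Ac asyn_info=1
wad_http_req_policy_set :11195 match policy-id=0(pol_ctx:th|Acd|7|=d) vd=0(ses_ctx:t|Phx|Me|Hh|C|A1|O) (192.0.2.10:57019@19 -> 198.51.100.5:80@20)
wad_http_req_proc_policy :10752 POLICY DENIED
wad_http_req_check_policy :12911 start match policy vd=0(ses_ctx:t|Ph|M|Hhf|C|A1|O) (192.0.2.10:57171@19->198.51.100.5:80@20) absUrl=0
wad_fw_policy_async_match :5355 pol_ctx:th|Ad|7|=d
wad_http_req_policy_set :11195 match policy-id=0(pol_ctx:th|Ad|7|=d) vd=0(ses_ctx:t|Ph|Me|Hhf|C|A1|O) (192.0.2.10:57171@19 -> 198.51.100.5:80@20)
wad_http_req_proc_policy :10752 POLICY DENIED
"""

# Patterns follow the function names and fields printed in the thread's output.
START = re.compile(r"wad_http_req_check_policy\s*:\d+ start match policy .*?\((\S+?)@\d+\s*->\s*(\S+?)@\d+\)")
CANDIDATE = re.compile(r"wad_http_policy_match_one\s*:\d+ fw_pol_id=(\d+)")
FINAL = re.compile(r"wad_http_req_policy_set\s*:\d+ match policy-id=(\d+)")
VERDICT = re.compile(r"wad_http_req_proc_policy\s*:\d+ (POLICY \w+)")

def parse_wad_policy_debug(text):
    """Group lines into one record per request (assumes requests are not interleaved)."""
    requests, cur = [], None
    for line in text.splitlines():
        if m := START.search(line):
            cur = {"src": m[1], "dst": m[2], "candidates": [], "final_id": None, "verdict": None}
            requests.append(cur)
        elif cur is None:
            continue  # ignore output before the first request header
        elif m := CANDIDATE.search(line):
            cur["candidates"].append(int(m[1]))
        elif m := FINAL.search(line):
            cur["final_id"] = int(m[1])
        elif m := VERDICT.search(line):
            cur["verdict"] = m[1]
    return requests

def never_evaluated(requests, policy_id):
    """Requests in which the given proxy policy was not among the candidates tried."""
    return [r for r in requests if policy_id not in r["candidates"]]

if __name__ == "__main__":
    for r in parse_wad_policy_debug(SAMPLE):
        print(f'{r["src"]} -> {r["dst"]}: tried={r["candidates"]} '
              f'final={r["final_id"]} verdict={r["verdict"]}')
```

Run over a saved debug capture, the per-request summary makes it easy to see which source ports were evaluated by WAD at all, and whether the connection that got through appears in the output.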

1 Solution
kgeorge
Staff
Staff

Hello,

 

WAD debugs would require some extensive checks and it would be better if you create a support ticket with TAC Team and share the WAD debug file to analyze and let you know the reason for the same.

 

Have a nice day!

 

Regards,
Klint George

Theo4
New Contributor II

Make sure the traffic being "allowed" is actually matching the IPv4 policy that performs proxy redirection (the policy having "Proxy HTTP(S) Traffic" option enabled). 

 

Also try different websites. The one you're trying could simply be cached.
