Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jammac
New Contributor III

Created on ‎05-06-2024 12:22 PM

Fortiproxy - how exactly is traffic processed? (questions and issues)

Can someone give a quick overview (or point me to docs please) of how FPX matches explicit proxy traffic it gets _in detail_?

 

From what I understand so far

* Policy looks at ACE of type explicit proxy and tries to match (interfaces,src,dst,schedule,service)
* After policy matches, a security profile can (but NEED NOT) be applied
** application control
** webfilter (a subset of what appcontrol does, mainly for web apps)
** ...
* If security profile is specified then it has to allow, otherwise traffic is denied even though policy is "allow".

For matching security profiles, URL categories and whatnot, SSL inspection has to be enabled.

 

Now to my questions:

 

1) I see that (at least in most recent versions) several other items can be specified before security profile (see screenshot)
* "Service" itself has "application service" i.e. a service of type "application" or "application group" (I guess that is ISDB)
* "application"
* "application category"
* "application group"
* "url category"

 

I guess this is part of the ACE evaluation?

Well I tried with some URL category and it seems so.

 

2) And now to a practical issue: "Howto" / "Not working"

 

We have a rule that contains a blacklist (URLs) which includes for example facebook.com.
Before that rule I want to specify exceptions for access to Facebook. I tried using "Application Facebook" as well as an "Application Service" matching facebook. Also a category matching social media. But policy is not hit. Instead, the blacklist that comes later is. How do I troubleshoot this?
(Yes I know I could include  facebook.com again from an URL list, but I would like to understand why the application match is not working)

 

Concerning 1)

facebook.jpg

 

Concerning 2)

policy.jpg

Labels:
399
0 Kudos
1 REPLY 1
Hatibi
Staff
Staff

Created on ‎05-07-2024 03:57 AM

Hi jammac,

 

you might refer to following doc/articles.

 

1. Rule matching and policy processing 

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/237189/proxy-authentication

 

2. Wad debugging for Explicit proxy

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Example-of-wad-debugging-for-Explici...

 

3. Troubleshooting example:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Troubleshoot-the-explicit-proxy-in-F...


Regards

356
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.