Folks,
I would appreciate your advice in how I can understand what is going on with my issue.
I have a FortiGate 500D running v5.4.4, using the Firewall and Explicit Web Proxy (EWP) features. The internal users are connected to the Inside interface. There are a number of servers running HTTPD services connected to DMZ interfaces. The public are able to access the servers on the DMZ via the Outside interface. These HTTPD servers should also be able to be accessed internally (Inside interface) via ports 80 & 443.
I should mention that the current forward proxy is a Sophos appliance. There aren't any issues with internal users getting to the servers on the DMZ, so this is a useful reference for what I should be able to do.
The dramas began when I turned on the EWP on the FortiGate, did some configuration and started testing. I initially had a policy on the EWP (Web Proxy - Outside) for internal users to reach the Internet. No issues with that. The policy wasn't anything complicated. Then I realised after some input from the web dev team that they were unable to access their internal servers. So I added a policy to the EWP (Web Proxy - DMZ) to allow all from the inside to reach specific servers on the DMZ. The list of specific servers came from a ping / nslookup on the internal network. The majority of servers on the DMZ can now be accessed from the Inside network.
However, there are a small handful of domains that still cannot be accessed. The browser displays an HTTP message, "403 Forbidden: incorrect proxy service was requested." This is puzzling because:
1. I can see from the Forward Traffic log that the traffic is being allowed through the appliance - I have a green tick and it references a policy that looks like it belongs to the EWP (I could be wrong about which feature the policy belongs to).
2. The domains I cannot browse to appear to reside on the same IP address as domains that I can get to.
What am I missing? What more can I do to understand where this is falling over?
Thank you.
Timothy
This has been resolved. From the sniffer on the FortiGate, I could see that DNS was returning an external IP address for the two domains that weren't accessible, and an internal address for the domain that was working. What got me stuck was that from my desktop DNS was returning an internal address for all three domains. So the fix was understanding what DNS was returning and configuring a security policy on the explicit web proxy to match.
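The resolution above comes down to one thing: the explicit web proxy matches its policy against the address the FortiGate itself resolves, not the address the client's desktop resolves. The following is an added example (not code from the original post or from Fortinet) that models that lookup so the split-horizon mismatch is visible before reaching for the sniffer. All hostnames, addresses and policy names are constructed placeholders; the assumption is that the proxy picks the first policy whose destination address objects contain the firewall-side DNS answer.

```python
"""Added example (not from the original post): model how an explicit web
proxy policy lookup depends on the DNS answer the firewall gets, not the
answer an inside desktop gets. Every hostname, address and policy name
below is a constructed placeholder."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ProxyPolicy:
    name: str
    # Destination address objects expressed as CIDR strings (constructed).
    dst_nets: list = field(default_factory=list)

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self.dst_nets)


# Constructed: what the firewall's own resolver returns.
FIREWALL_DNS = {
    "app1.example.test": "10.10.20.11",   # internal DMZ address
    "app2.example.test": "203.0.113.11",  # public address: split-horizon gap
    "app3.example.test": "10.10.20.13",
}

# Constructed: what an inside desktop's resolver returns for the same names.
CLIENT_DNS = {
    "app1.example.test": "10.10.20.11",
    "app2.example.test": "10.10.20.12",
    "app3.example.test": "10.10.20.13",
}

# Constructed: explicit proxy policies in evaluation order. The DMZ policy
# lists the internal server range; the Outside policy catches everything else.
POLICIES = [
    ProxyPolicy("Web Proxy - DMZ", ["10.10.20.0/24"]),
    ProxyPolicy("Web Proxy - Outside", ["0.0.0.0/0"]),
]


def select_policy(ip, policies=POLICIES):
    """Return the name of the first policy whose address objects contain ip."""
    if ip is None:
        return None
    for policy in policies:
        if policy.matches(ip):
            return policy.name
    return None


def diagnose(host, fw_dns=FIREWALL_DNS, client_dns=CLIENT_DNS, policies=POLICIES):
    """Compare both resolvers' answers for host and show which policy the
    firewall would actually select versus the one the client would expect."""
    fw_ip = fw_dns.get(host)
    client_ip = client_dns.get(host)
    return {
        "host": host,
        "firewall_answer": fw_ip,
        "client_answer": client_ip,
        "policy_hit": select_policy(fw_ip, policies),
        "policy_from_client_view": select_policy(client_ip, policies),
        "split_horizon": fw_ip != client_ip,
    }


def mismatched_hosts(hosts, **kwargs):
    """Hosts where the firewall-side answer lands on a different policy
    than the client-side answer would; these are the ones to fix."""
    return [h for h in hosts
            if diagnose(h, **kwargs)["policy_hit"]
            != diagnose(h, **kwargs)["policy_from_client_view"]]


if __name__ == "__main__":
    for name in FIREWALL_DNS:
        print(diagnose(name))
    print("needs a policy for the firewall-side address:",
          mismatched_hosts(FIREWALL_DNS))
```

Feeding this the answers from `nslookup` on a desktop and from the FortiGate's own DNS (the sniffer output in the post) reproduces the symptom: the name whose firewall-side answer sits outside the DMZ address objects never hits the DMZ policy, even though the desktop sees an internal address for it. The fix is then either a proxy policy that covers the address the firewall resolves, or making both resolvers agree.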