Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- PAC file configuration loss
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PAC file configuration loss
Hi There,
I am experiencing this weird issue where my PAC file which was configured asper my requirements has lost all its custom configs and changed to default by its own. I have checked the logs but found nothing.
This has happened multiple times now. I am using FortiOS 6.2
Thanks for your help.
Null0
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How are you delivering the pac file to your hosts? And is it just one or all of your hosts? If you're doing explicit web-proxy, are you using the FortiGate for the delivery of the pac file ?
e.g
show web-proxy explicit | grep -f pac
I would start by looking at that cfg and figuring out how you are delivered of the pac file. You haven't given us enough details in order to help.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Ken,
user machines are managed by group policy - the proxy setting is enabled and set to http://proxy.aaa.com:8080/proxy.pac aaa.com is an example
http://proxy.aaa.com is the FQDN of the Fortigate Firewall and the explicit proxy is enabled on the Inside and DMZ Interfaces
Thanks
Null0
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then it sounds like your GPO is not working or something is trampling the proxyaccesscontrols. IIRC gpo can be trump by local machine policy but I'm not a windows Admin expert. I would look at group-policy and machine or user policies 1st and if you have two or more GPO colliding in your ms-domain.
The fortigate does NOT sound like the root of your issues fwiw.
if all else fails load the pac manually
i.e
copy the pac.file to your user directory and in your browser-proxy-setting for pac location URL
e.g
file:///C:\Users\kenfelix\pac.file
if that stays, than you know the issues and the path to diagnose.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Ken,
Thanks for your reply.
The pac file is a custom file asper the below statements which I took it from Fortinet handbook"
You can edit the default PAC file from the GUI or use the following command to upload a custom PAC file:
config web-proxy explicitset pac-file-server-status enableset pac-file-data <pac_file_str>endWhere <pac_file_str> is the contents of the PAC file. Enter the PAC file text in quotes. You can copy the contents of a PAC text file and paste the contents into the CLI using this option. Enter the command followed by two sets of quotes then place the cursor between the quotes and paste the file content.
The maximum PAC file size is 256 kbytes. If your FortiGate unit is operating with multiple VDOMs each VDOM has its own PAC file. The total amount of FortiGate memory available to store all of these PAC files 2 MBytes. If this limit is reached you will not be able to load any additional PAC files.
"
my custom pac file is changed to default by its own. I checked the FGT memory and I found it was sitting at 1.8 Mb after reloading the correct pac file but I am still not sure why the custom file changed to default by its own.
Thanks
Null0
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So what are you using GPO and a URl on the FGT or some window Host? You mention this before;
user machines are managed by group policy - the proxy setting is enabled and set to http://proxy.aaa.com:8080/proxy.pac aaa.com is an example
But now you're mentioning the fgt as serving the PAC file ( yes I have a confused look , on my face right about now ;) )
If you distributing the pac-file and the fortigate is the URL for the pac file, can you download it ? and from an end-user machine?
( make sure the end machine(s) can reach the pac file ( no acl , l3 router, lack of routing, local host-firewall, endpoint -controls,etc...... } I did a customer engagement maybe 5 years ago and they had internal filters that kep the machine from getting the pac-file.
i.e
# windows macos linux
# I would test using curl also for the pacfile
cmd.exe curl http://url-pacfile_blahblah/yourmpacfile.pac
if the pac file is delivered by the FortiGate, does it work? ( did you use any of the online pac file tester or pactester and test the pacfile ) ?
e.g
config system interface edit "wan2" set vdom "root" set ip x.x.x.x 255.255.255.254 set allowaccess ping set type physical set explicit-web-proxy enable set alias "internet-comcast ACT###########" set role wan next end
config web-proxy explicit set status enable set ftp-over-http disable set socks disable set http-incoming-port 8080 unset https-incoming-port set incoming-ip 0.0.0.0 set ipv6-status disable set strict-guest disable set unknown-http-version reject set realm "default" set sec-default-action deny set https-replacement-message enable set message-upon-server-error enable set pac-file-server-status enable set pac-file-server-port 7888 set pac-file-name "pacman.pac" set pac-file-data "{ if (url.substring(0, 5) == \"http:\") { return \"PROXY 1.1.1.1:80\"; }
else if (url.substring(0, 6) == \"https:\") { return \"PROXY 1.1.1.1:8080\"; } else { return \"DIRECT\"; } }" set ssl-algorithm low set trace-auth-no-rsp disable end
curl [link]http://x.x.x.x:7888/[/link]pacman.pac { if (url.substring(0, 5) == "http:") { return "PROXY 1.1.1.1:80"; }
else if (url.substring(0, 6) == "https:") { return "PROXY 1.1.1.1:8080"; } else { return "DIRECT"; } }
Can you place the JS pac-file here ? Does it match what your machine has? And fwiw I never heard of a default pac-file , the URL that you serve the pac-file is what is stored by the OS unless I'm missing something from your configuratiion. So before you go back in the GPP do the above test and then define the GPO and client url in the GPOManager
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- How to Modify convergence times in... 143 Views
- #FortiPAM Launcher Multi-Port Configuration 192 Views
- Prevent randomization of source port 312 Views
- Configuring SAML SSO Entra Login 1026 Views
- FortiClient VPN Config profile fails to... 560 Views
Labels
-
FortiGate
8,472 -
FortiClient
1,716 -
5.2
801 -
FortiManager
712 -
5.4
639 -
FortiAnalyzer
547 -
FortiSwitch
457 -
FortiAP
457 -
6.0
416 -
FortiClient EMS
407 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
222 -
FortiWeb
199 -
5.0
196 -
IPsec
186 -
FortiNAC
177 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1661 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.