null0
New Contributor

PAC file configuration loss

Hi There,

I am experiencing this weird issue where my PAC file, which was configured as per my requirements, has lost all its custom configs and changed to default on its own. I have checked the logs but found nothing.

This has happened multiple times now. I am using FortiOS 6.2.

Thanks for your help.

Null0

5 REPLIES
emnoc
Esteemed Contributor III

How are you delivering the pac file to your hosts? And is it just one or all of your hosts? If you're doing explicit web-proxy, are you using the FortiGate for the delivery of the pac file?

e.g.

    show web-proxy explicit | grep -f pac

I would start by looking at that cfg and figuring out how you are delivering the pac file. You haven't given us enough details in order to help.

Ken Felix

PCNSE
NSE
StrongSwan
null0
New Contributor

Hello Ken,

User machines are managed by group policy. The proxy setting is enabled and set to http://proxy.aaa.com:8080/proxy.pac (aaa.com is an example).

http://proxy.aaa.com is the FQDN of the FortiGate firewall and the explicit proxy is enabled on the Inside and DMZ interfaces.

Thanks

Null0

emnoc
Esteemed Contributor III

Then it sounds like your GPO is not working or something is trampling the proxy access controls. IIRC a GPO can be trumped by local machine policy, but I'm not a Windows admin expert. I would look at group policy and machine or user policies first, and whether you have two or more GPOs colliding in your MS domain.

The FortiGate does NOT sound like the root of your issues, fwiw.

If all else fails, load the pac manually, i.e. copy the pac file to your user directory and, in your browser proxy settings, point the PAC location URL at it, e.g.

    file:///C:\Users\kenfelix\pac.file

If that stays, then you know the issue and the path to diagnose.

Ken Felix

PCNSE
NSE
StrongSwan
null0
New Contributor

Hello Ken,

Thanks for your reply.

The pac file is a custom file as per the below statements, which I took from the Fortinet handbook:

"You can edit the default PAC file from the GUI or use the following command to upload a custom PAC file:

    config web-proxy explicit
        set pac-file-server-status enable
        set pac-file-data <pac_file_str>
    end

Where <pac_file_str> is the contents of the PAC file. Enter the PAC file text in quotes. You can copy the contents of a PAC text file and paste the contents into the CLI using this option. Enter the command followed by two sets of quotes, then place the cursor between the quotes and paste the file content.

The maximum PAC file size is 256 kbytes. If your FortiGate unit is operating with multiple VDOMs, each VDOM has its own PAC file. The total amount of FortiGate memory available to store all of these PAC files is 2 MBytes. If this limit is reached you will not be able to load any additional PAC files."

My custom pac file is changed to default on its own. I checked the FGT memory and found it was sitting at 1.8 Mb after reloading the correct pac file, but I am still not sure why the custom file changed to default on its own.

Thanks

Null0

emnoc
Esteemed Contributor III

So what are you using: GPO and a URL on the FGT, or some Windows host? You mentioned this before:

"user machines are managed by group policy - the proxy setting is enabled and set to http://proxy.aaa.com:8080/proxy.pac (aaa.com is an example)"

But now you're mentioning the FGT as serving the PAC file (yes, I have a confused look on my face right about now ;)).

If you are distributing the pac file and the FortiGate is the URL for the pac file, can you download it? And from an end-user machine?

(Make sure the end machine(s) can reach the pac file: no ACL, L3 router, lack of routing, local host firewall, endpoint controls, etc.) I did a customer engagement maybe 5 years ago and they had internal filters that kept the machines from getting the pac file.

i.e.

    # windows macos linux
    # I would test using curl also for the pacfile
    cmd.exe  curl http://url-pacfile_blahblah/yourmpacfile.pac

If the pac file is delivered by the FortiGate, does it work? (Did you use any of the online pac file testers or pactester and test the pacfile?)

e.g.

    config system interface
        edit "wan2"
            set vdom "root"
            set ip x.x.x.x 255.255.255.254
            set allowaccess ping
            set type physical
            set explicit-web-proxy enable
            set alias "internet-comcast ACT###########"
            set role wan
        next
    end

    config web-proxy explicit
        set status enable
        set ftp-over-http disable
        set socks disable
        set http-incoming-port 8080
        unset https-incoming-port
        set incoming-ip 0.0.0.0
        set ipv6-status disable
        set strict-guest disable
        set unknown-http-version reject
        set realm "default"
        set sec-default-action deny
        set https-replacement-message enable
        set message-upon-server-error enable
        set pac-file-server-status enable
        set pac-file-server-port 7888
        set pac-file-name "pacman.pac"
        set pac-file-data "{ if (url.substring(0, 5) == \"http:\") { return \"PROXY 1.1.1.1:80\"; } else if (url.substring(0, 6) == \"https:\") { return \"PROXY 1.1.1.1:8080\"; } else { return \"DIRECT\"; } }"
        set ssl-algorithm low
        set trace-auth-no-rsp disable
    end

    curl http://x.x.x.x:7888/pacman.pac
    { if (url.substring(0, 5) == "http:") { return "PROXY 1.1.1.1:80"; }
    else if (url.substring(0, 6) == "https:") { return "PROXY 1.1.1.1:8080"; } else { return "DIRECT"; } }

Can you place the JS pac file here? Does it match what your machine has? And fwiw I never heard of a default pac file; the URL that you serve the pac file from is what is stored by the OS, unless I'm missing something from your configuration. So before you go back into the GPP, do the above test and then define the GPO and client URL in the GPO Manager.

Ken Felix

PCNSE
NSE
StrongSwan