- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: WCCP intercept + Squid - Seeing WAN IP instead...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
WCCP intercept + Squid - Seeing WAN IP instead of true client IP
Hi folks, I have an 80F (6.4.6) configured to intercept HTTP traffic and forward to Squid via WCCP. Everything works, except one issue - all Squid sees is the WAN IP instead of the individual client machines. Fortinet has a kb article on how to set all this up, and I basically followed it to a T. The architecture/topology in their example is essentially the same as my environment: Outside zone (WAN - PAT'ed) Trusted zone (end client machines that will have HTTP intercepted) Restricted zone (where Squid resides) I have nat enabled on the wccp intercept policy, and turning off nat simply breaks http traffic for the end client machines. Oddly, the kb article even has a note that says "If the preferred behavior is not to deliver the traffic to user if the cache is not reachable, a simple trick is to disable natting on policy 3." Yet this simply does not work...? I'm at a loss, any help would be appreciated. Here are the relevant configs: Interface configs: edit "wan1" set vdom "root" set mode pppoe set type physical set role wan set snmp-index 1 set dns-server-override disable next edit "restricted" set vdom "root" set ip 10.10.10.1 255.255.255.0 set allowaccess ping set type hard-switch set role dmz set snmp-index 11 set wccp enable next edit "trusted_switch" set vdom "root" set ip 192.168.48.1 255.255.255.0 set allowaccess ping https ssh http set type hard-switch set device-identification enable set lldp-transmission enable set role lan set snmp-index 13 next Policy to intercept HTTP traffic: edit 26 set name "WCCP-Intercept-Trusted" set uuid 6f7674f8-0a6e-51ec-fbe0-ce5d0ddb17d5 set srcintf "trusted_zone" set dstintf "outside_zone" set srcaddr "trusted_switch address" set dstaddr "all" set action accept set schedule "always" set service "HTTP" set logtraffic all set wccp enable set nat enable next Policy on Trusted zone to allow other traffic: edit 1 set name "Trusted-to-Outside" set uuid 59618638-05d4-51ec-11c8-7da9ac447b72 set srcintf "trusted_zone" set dstintf "outside_zone" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "Allowed_Trusted_Services" set logtraffic all set nat enable next Policy to allow Squid out: edit 23 set name "Restricted-to-Outside" set uuid 8b29980a-06c3-51ec-600e-efda35307a42 set srcintf "restricted_zone" set dstintf "outside_zone" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic all set nat enable next
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You probably want to enable in squid.conf via header on but I would try something like and then check with https://www.xmyip.com/proxy-check to see what headers are detected
via on
follow_x_forwarded_for allow all
forwarded_for on
http://socpuppet.blogspot.com/2018/09/squid-for-fortios.html
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey thank you for the input. I specifically delete all the Squid headers but commented out my custom settings and inputted those suggested config values, however no changes to the behavior. I even see my WAN IP in the X-Forwarded-For header oddly.
FWIW, the 80F replaced an ASA, and the ASA didn't have this problem. So I was leaning towards a firewall config issue, but I also understand the technology is different so could very well be a Squid --> FG compatibility issue where I do in fact need custom Squid settings.
I am thinking my next troubleshooting step is disabling nat on the wccp policy, and then figure out why that breaks http traffic (because seemingly it should not). Do you know of any diagnostic commands off hand that will point me in the right direction? Been using ASAs for last 13 years and this is my first Fortigate so still learning. Thanks again.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A firewall alone does NOT add XFF or VIA headers unless it's acting like a forward proxy or reverse proxy. So in your cisco ASA you need to see what your doing but I haven't done squid with cisco.
back to fortios+squid you need to look at the options in squid for your version
So XFF is typically used for "reverse" proxy to a web-server
So VIA is used for "forward" proxy as and additional header to show and tell what the client and the forward proxy or chain or proxies in the path.
e.g i wrote about this many years ago where we injected XFF in a A10 SLB
http://socpuppet.blogspot.com/2013/05/x-forwarded-proto.html
So I would capture the packet at the squid host and review your squid.conf options for that version.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Related Posts
Labels
-
FortiGate
6,637 -
FortiClient
1,323 -
5.2
801 -
5.4
639 -
FortiManager
573 -
FortiAnalyzer
418 -
6.0
416 -
5.6
362 -
FortiSwitch
340 -
FortiAP
338 -
FortiClient EMS
270 -
6.2
251 -
FortiMail
250 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
154 -
6.4
128 -
FortiNAC
109 -
FortiGuard
105 -
FortiSIEM
91 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
76 -
FortiToken
72 -
Customer Service
70 -
SSL-VPN
65 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
SD-WAN
29 -
Firewall policy
28 -
FortiConnect
24 -
High Availability
23 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
19 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Logging
12 -
LDAP
11 -
VDOM
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.