
Several commands are available to diagnose issues when using this function on FortiOS.
The traditional diag debug flow may be irrelevant if a proxy policy is blocking the website: you will not see anything with that command.
Instead you can use:
diag wad debug enable category all
diag wad debug clear
Host: forum-auto.caradisiac.com
[...]
Referer: http://forum-auto.caradisiac.com/
[…]
wad_http_request_policy_set(24453): match pid=5572 policy-id=4 vd=0 in_if=18, out_if=10 172.31.254.2:50708 -> 13.226.42.110:80
wad_http_sec_proc_policy(24272): web_cache(http/https=0/0, forward_server=.
wad_http_sec_proc_policy(24279): POLICY DENIED
__wad_http_build_replmsg_resp(18136): Generating replacement message. Policy denied
You can see which policy is involved. This is the proxy policy ID, not the IPv4 policy.
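To find which proxy policy denies which host across a longer capture, the debug lines above can be parsed offline. The following Python script is an added example, not part of the original post or of FortiOS. It assumes the lines of one request are not interleaved with those of another, and the second request in the sample (intranet.example.test) is constructed.

```python
import re
from collections import Counter

# Constructed sample: first request copied from the output above, second one invented.
SAMPLE = """\
Host: forum-auto.caradisiac.com
wad_http_request_policy_set(24453): match pid=5572 policy-id=4 vd=0 in_if=18, out_if=10 172.31.254.2:50708 -> 13.226.42.110:80
wad_http_sec_proc_policy(24272): web_cache(http/https=0/0, forward_server=.
wad_http_sec_proc_policy(24279): POLICY DENIED
__wad_http_build_replmsg_resp(18136): Generating replacement message. Policy denied
Host: intranet.example.test
wad_http_request_policy_set(24453): match pid=5572 policy-id=2 vd=0 in_if=18, out_if=10 172.31.254.7:50911 -> 192.0.2.10:80
wad_http_sec_proc_policy(24272): web_cache(http/https=0/0, forward_server=.
"""

HOST = re.compile(r"^Host:\s*(\S+)")
MATCH = re.compile(
    r"wad_http_request_policy_set\(\d+\): match pid=\d+ policy-id=(\d+) vd=(\d+) .*?"
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)"
)
DENIED = re.compile(r"wad_http_sec_proc_policy\(\d+\): POLICY DENIED")

def parse_wad_debug(text):
    """Return one dict per policy match; denied=True if POLICY DENIED follows it."""
    requests, host, current = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if m := HOST.match(line):
            host = m.group(1)          # Host header seen before the policy match
        elif m := MATCH.search(line):
            current = {
                "host": host, "policy_id": int(m.group(1)), "vd": int(m.group(2)),
                "src": f"{m.group(3)}:{m.group(4)}", "dst": f"{m.group(5)}:{m.group(6)}",
                "denied": False,
            }
            requests.append(current)
            host = None                # do not reuse the header for a later request
        elif DENIED.search(line) and current is not None:
            current["denied"] = True   # verdict belongs to the latest policy match
    return requests

def denied_by_policy(requests):
    """Count denied requests per proxy policy ID."""
    return Counter(r["policy_id"] for r in requests if r["denied"])

if __name__ == "__main__":
    for r in parse_wad_debug(SAMPLE):
        print(r)
```

On a busy unit the debug output of concurrent sessions can interleave, so capture while reproducing a single request before trusting the host-to-policy pairing.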
The next command you can use, for easier readability:
diag wad session list
Session: transparent proxy 172.31.254.2:52743->151.101.0.217:443
id=956604 vd=0:0 fw-policy=1
state=3 app=http sub_type=0 dd_mode=0 dd_method=0
SSL enabled
to-client
SSL Port:
state=3
TCP Port:
state=2 r_blocks=1 w_blocks=0 read_blocked=0
bytes_in=2008 bytes_out=6137 shutdown=0x0
to-server
SSL Port:
state=3
TCP Port:
state=2 r_blocks=0 w_blocks=0 read_blocked=0
bytes_in=3838 bytes_out=292 shutdown=0x0
However, I was unable to correlate the fw-policy id in the previous output. The only useful info is the dest-IP and the policy result r_block.