Troubleshooting transparent proxy on FortiGate

Several commands are available to diagnose issues when using this function on FortiOS.
The traditional diag debug flow may be irrelevant if a proxy policy is blocking the website: you will not see anything with this command.

Instead you can use:
diag wad debug enable category all
diag wad debug clear

Host: forum-auto.caradisiac.com
[...]
Referer: http://forum-auto.caradisiac.com/
[...]
wad_http_request_policy_set(24453): match pid=5572 policy-id=4 vd=0 in_if=18, out_if=10 172.31.254.2:50708 -> 13.226.42.110:80
wad_http_sec_proc_policy(24272): web_cache(http/https=0/0, forward_server=.
wad_http_sec_proc_policy(24279): POLICY DENIED
__wad_http_build_replmsg_resp(18136): Generating replacement message. Policy denied

You can see which policy is involved. This is the proxy policy ID, not the IPv4 policy ID.

The next command you can use, for easier readability:
diag wad session list

Session: transparent proxy 172.31.254.2:52743->151.101.0.217:443
id=956604 vd=0:0 fw-policy=1
state=3 app=http sub_type=0 dd_mode=0 dd_method=0
SSL enabled
to-client
SSL Port:
state=3
TCP Port:
state=2 r_blocks=1 w_blocks=0 read_blocked=0
bytes_in=2008 bytes_out=6137 shutdown=0x0
to-server
SSL Port:
state=3
TCP Port:
state=2 r_blocks=0 w_blocks=0 read_blocked=0
bytes_in=3838 bytes_out=292 shutdown=0x0

However, I was unable to correlate the fw-policy id with the previous output. The only useful info is the destination IP and the policy result r_blocks.
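To make the two outputs quicker to triage (the matched proxy policy ID and verdict from the debug trace, the fw-policy and per-direction r_blocks/bytes counters from the session entry), here is an added Python example that is not part of the original post. It parses trimmed copies of the outputs shown above and assumes the field layout is exactly as printed there.

```python
import re
# Sample input: the page's own diag output, trimmed to the lines the parsers use.
WAD_DEBUG = """\
Host: forum-auto.caradisiac.com
wad_http_request_policy_set(24453): match pid=5572 policy-id=4 vd=0 in_if=18, out_if=10 172.31.254.2:50708 -> 13.226.42.110:80
wad_http_sec_proc_policy(24279): POLICY DENIED
"""
WAD_SESSION = """\
Session: transparent proxy 172.31.254.2:52743->151.101.0.217:443
id=956604 vd=0:0 fw-policy=1
to-client
TCP Port:
state=2 r_blocks=1 w_blocks=0 read_blocked=0
bytes_in=2008 bytes_out=6137 shutdown=0x0
"""

MATCH_RE = re.compile(r"policy_set\(\d+\): match .*?policy-id=(\d+) vd=(\d+) .* (\S+) -> (\S+)")
KV_RE = re.compile(r"([\w-]+)=(\S+)")

def parse_wad_debug(text):
    """Extract host, matched proxy policy ID, flow and verdict from 'diag wad debug' output."""
    info = {"host": None, "policy_id": None, "vd": None, "src": None, "dst": None, "verdict": "allowed"}
    for line in text.splitlines():
        if line.startswith("Host:"):
            info["host"] = line.split(":", 1)[1].strip()
        elif m := MATCH_RE.search(line):
            info.update(policy_id=int(m[1]), vd=int(m[2]), src=m[3], dst=m[4])
        elif "POLICY DENIED" in line:
            info["verdict"] = "denied"  # the proxy answers with a replacement message
    return info

def parse_wad_session(text):
    """Split one 'diag wad session list' entry into header fields and per-direction port counters."""
    sess, side, port = {"to-client": {}, "to-server": {}}, None, None
    for line in text.splitlines():
        if line.startswith("Session:"):
            sess["src"], sess["dst"] = line.split()[-1].split("->")
        elif line in ("to-client", "to-server"):
            side, port = line, None
        elif line.endswith("Port:"):
            port = line.split()[0].lower()  # "ssl" or "tcp" sub-section
        else:
            kv = {k: int(v) if v.isdigit() else v for k, v in KV_RE.findall(line)}
            if side is None:
                sess.update(kv)  # id, vd, fw-policy, state, app ...
            elif port:
                sess[side].setdefault(port, {}).update(kv)
    return sess
```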

Author: Kévin SAS

I am Kévin SAS and live in France. I am an engineer in network and security. I have worked for a lot of customers in these domains: Wireless, LAN, Datacenter, VoIP, with several brands like Cisco, HPE, Aruba, Palo Alto amongst others. I previously worked for a service provider. I currently work for an integrator, which gives me lots of opportunities to learn. This blog stores some technical notes I wanted to share.
