Wednesday, March 13, 2024

FortiGate as an explicit proxy, v7.2.x

In this post we will explore explicit proxy setup and diagnostics in v7.2, since it has a few simple changes from earlier releases.

  • this is a non-authenticating proxy
  • I have the proxy client range limited to a single PC for this blog posting
  • HTTP/HTTPS
  • port 3128

Okay, let's enable the proxy on an SD-WAN member interface and then globally.

config system interface
    edit "wan2"
        set vdom "root"
        set ip 20.14.20.2 255.255.255.240
        set allowaccess ping
        set type physical
        set explicit-web-proxy enable
        set alias "internet2 XO"
        set role wan
        set snmp-index 4
    next
end


and


config web-proxy explicit
    set status enable
    set ftp-over-http enable
    set http-incoming-port 3128
    set https-incoming-port 3128
    set pac-file-server-status enable
    set pac-file-server-port 7888
    set pac-file-name "socpuppetproxyaccessconf"
end



Now for policy creation: FortiOS uses a proxy-policy (not a regular firewall policy) to control explicit-proxy traffic.


config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "upg-zone-wan2"
        set srcaddr "HOME_PC"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end



Diagnostics tips


If you are getting timeouts, and by running "diag sniffer packet any "port 3128"" you see no packets at all, your problem is well before the proxy. Fix your local issues first.

This is most likely a local firewall, a downstream firewall/filter, or content filtering. Also ensure the client has the right proxy IP and port number.


Helpful diagnostic commands

diagnose wad stats common.ses_stats

diag wad worker policy   # p_id:xxxx (the xxxx would be your policy id)

diag wad session list

diag wad debug enable all   # this will generate a lot of messages





NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \



Thursday, February 1, 2024

Generating an HTTP request to a website by using openssl

Have you ever been on a system with no GUI, no text browser, no wget or cURL, but needed to test HTTP access?

If you have openssl you can craft a GET or HEAD request by hand and generate HTTPS traffic with it.

example

   echo -e "HEAD / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: SocPuppets\r\nConnection: Close\r\n\r\n" | openssl s_client -quiet -state -connect www.example.com:443




So if you ever need to test HTTPS access and the device has no standard web browser, use openssl.
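The two posts above fit together: the openssl one-liner tests HTTPS from a bare host, and the FortiGate post needs a client-side check that the explicit proxy on port 3128 actually answers. The shell script below is an added example (not from either post and not FortiGate code) that wraps both: it builds the raw HTTP/1.1 request bytes with CRLF line endings, sends them either straight to the origin server or through the explicit proxy with an HTTP CONNECT, and pulls the status code out of the reply. It assumes openssl 1.1.0 or newer (for the -proxy option), that nc is installed for the plain-HTTP proxy check, and that the proxy address and hostnames are placeholders you replace.

```shell
#!/bin/sh
# Added example, not from the original posts. Builds a minimal HTTP/1.1 request
# and sends it with openssl s_client, directly or via an explicit proxy such as
# the FortiGate on port 3128. Assumes openssl >= 1.1.0 (-proxy) and nc.

# Emit the raw request bytes with CRLF line endings. When via_proxy is "yes",
# the request-target uses absolute-form (http://host/path), which is what an
# explicit HTTP proxy expects for plain-HTTP requests; otherwise origin-form.
build_http_request() {
    method=$1; host=$2; path=${3:-/}; via_proxy=${4:-no}
    if [ "$via_proxy" = "yes" ]; then
        target="http://$host$path"
    else
        target="$path"
    fi
    printf '%s %s HTTP/1.1\r\n' "$method" "$target"
    printf 'Host: %s\r\n' "$host"
    printf 'User-Agent: socpuppets-probe\r\n'
    printf 'Connection: close\r\n'
    printf '\r\n'
}

# Extract the numeric status code from whatever the server sent back.
# Prints nothing and returns non-zero when no status line is present, which
# is what you get when TCP or TLS failed before any HTTP was exchanged.
http_status_code() {
    awk 'BEGIN { rc = 1 }
         /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { print $2; rc = 0; exit }
         END { exit rc }'
}

# Direct HTTPS probe, equivalent to the one-liner in the post.
probe_https() {
    host=$1; path=${2:-/}
    build_http_request HEAD "$host" "$path" \
      | openssl s_client -quiet -connect "$host:443" -servername "$host" 2>/dev/null \
      | http_status_code
}

# Same probe tunnelled through the explicit proxy with HTTP CONNECT
# (proxy given as host:port, e.g. 20.14.20.2:3128 from the FortiGate post).
# A timeout here while "diag sniffer packet any 'port 3128'" shows nothing
# means the client never reached the FortiGate: check local firewalls and
# the proxy IP/port configured on the client first.
probe_https_via_proxy() {
    proxy=$1; host=$2; path=${3:-/}
    build_http_request HEAD "$host" "$path" \
      | openssl s_client -quiet -proxy "$proxy" -connect "$host:443" -servername "$host" 2>/dev/null \
      | http_status_code
}

# Plain-HTTP request through the explicit proxy (no TLS), using the
# absolute-form request-target. nc is a placeholder for any raw TCP client.
probe_http_via_proxy() {
    proxy_host=$1; proxy_port=$2; host=$3; path=${4:-/}
    build_http_request HEAD "$host" "$path" yes \
      | nc -w 5 "$proxy_host" "$proxy_port" \
      | http_status_code
}

# Usage (placeholders):
#   probe_https www.example.com
#   probe_https_via_proxy 20.14.20.2:3128 www.example.com
#   probe_http_via_proxy 20.14.20.2 3128 www.example.com /
```

Each probe prints only the status code, so "200" or "403" tells you the proxy policy was reached and evaluated, while an empty result means the failure is at the TCP/TLS layer, which is exactly the split the sniffer tip above is meant to make.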



