In this post, we will explore explicit proxy setup and diagnostics in v7.2 since it has some simple changes
- this is non-authentication proxy
- I have the proxy client ranges limited to a single PC for this blog posting
- http/https
- port 3128
Okay let's enable proxy on an SDWAN interface and globally
config system interface
edit "wan2"
set vdom "root"
set ip 20.14.20.2 255.255.255.240
set allowaccess ping
set type physical
set explicit-web-proxy enable
set alias "internet2 XO"
set role wan
set snmp-index 4
next
end
and
config web-proxy explicit
set status enable
set ftp-over-http enable
set http-incoming-port 3128
set https-incoming-port 3128
set pac-file-server-status enable
set pac-file-server-port 7888
set pac-file-name "socpuppetproxyaccessconf"
end
Now for our policy creation, the fortiOS uses proxy-policy
config firewall proxy-policy
edit 1
set proxy explicit-web
set dstintf "upg-zone-wan2"
set srcaddr "HOME_PC"
set dstaddr "all"
set service "webproxy"
set action accept
set schedule "always"
set logtraffic all
next
end
Diagnostics tips
If you are getting timeout , any by using the "diag sniffer packet any "port 3128" you see no packets, your problem is way before the proxy. Fix your local issues 1st. diagnose wad stats common.ses_stats
diag wad worker policy # p_id:xxxx ( the xxxx would be your policy id )
diag wad session list
diag wad debug enable all # this will generate a lot of messages
NSE ( network security expert) and Route/Switching Engineer
No comments:
Post a Comment