FortiGate
Divya_N
Staff
Article Id 283162
Description
This article describes why transparent proxy redirection (http-policy-redirect) can stop working when, after a migration or a configuration mistake, the ports defined under the protocol options profile (profile-protocol-options) are no longer the default ports, and how to fix it with a custom protocol options profile.

Scope
FortiOS.
Solution

To configure a transparent proxy in the CLI:

  1. Configure a regular firewall policy with HTTP redirect:

    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set http-policy-redirect enable  <--
            set fsso disable
            set ssl-ssh-profile "deep-inspection"
            set nat enable
        next
    end

  2. Configure a transparent proxy policy:

    config firewall proxy-policy
        edit 0
            set proxy transparent-web
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "webproxy"
            set action accept
            set schedule "always"
        next
    end

The 'HTTP Policy Redirect' setting (http-policy-redirect) affects only web (HTTP and HTTPS) traffic.

HTTP traffic is identified by the port(s) configured under 'Proxy Options' (profile-protocol-options) in the protocol options profile applied to the firewall policy.

Traffic on any other port is handled by the regular firewall policy and is not redirected to the proxy.

In general, traffic destined for the transparent proxy matches the regular firewall policy first and is then redirected to the transparent proxy policy.

Sometimes the ports defined under the protocol options profile are no longer the default ports, for example after a migration or a configuration mistake.

For example, if the HTTP port has been changed to 400, traffic on port 80 is no longer recognised as HTTP and the firewall policy never redirects it. In such cases, create a custom protocol options profile with the HTTP port set to the default 80 and apply it to the regular firewall policy so that the policy redirection works properly.

It is possible to create a new custom protocol options profile in the GUI as follows:

Go to Policy & Objects, open the regular firewall policy, and in the Protocol Options field select Create new.

(Screenshot: Capture 1.PNG)

Create the custom protocol options profile (make sure the HTTP port is set to the default 80) and apply it to the firewall policy.

(Screenshot: Capture 2.PNG)

After changing these settings, traffic hitting the regular firewall policy is redirected to the transparent proxy policy.
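The same fix in the CLI, as an added example that is not part of the original article. The first fragment shows the kind of profile the article warns about (constructed here under the name "migrated-options", with HTTP moved to port 400); the second creates a new profile with HTTP back on port 80 and applies it to firewall policy 1 from step 1. The profile names are assumptions, and the `<--` annotations are notes in the style of this article, not CLI input.

```text
config firewall profile-protocol-options
    edit "migrated-options"
        config http
            set ports 400    <-- only port 400 is treated as HTTP, so port 80 traffic is never redirected
        end
    next
end

config firewall profile-protocol-options
    edit "proxy-options-http80"
        config http
            set ports 80    <-- default HTTP port restored; use "set ports 80 400" if port 400 is also legitimately used
        end
    next
end

config firewall policy
    edit 1
        set inspection-mode proxy                              <-- as in step 1
        set http-policy-redirect enable                        <-- as in step 1
        set profile-protocol-options "proxy-options-http80"    <-- apply the custom profile to the redirecting policy
    next
end

show firewall profile-protocol-options proxy-options-http80    <-- confirm the HTTP port list contains 80
show firewall policy 1                                         <-- confirm the policy references the custom profile
```

Keep the redirecting policy pointed at a profile whose HTTP port list contains every port the clients actually use for plain HTTP; a profile that lists only a non-standard port silently turns the transparent proxy off for normal web traffic.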


The redirection can be verified in the forward traffic logs.

To confirm the flow, use the debug flow, packet captures (sniffer verbosity 4 and 6), and the session list.

Debugging the proxy daemon (WAD):

diagnose wad filter src <source IP>
diagnose wad filter dst <destination IP>    <-- If the destination IP is unknown, this command can be skipped.
diagnose wad debug enable category all
diagnose wad debug enable level verbose
diagnose debug console timestamp enable
diagnose debug enable

When the capture is complete, stop the debug output and clear the WAD filter, otherwise verbose output keeps flooding the CLI session:

diagnose debug disable
diagnose debug reset
diagnose wad filter clear
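To cover the debug flow, sniffer and session list checks mentioned above, here is an added set of commands (not part of the original article) for a constructed client 10.1.1.10 browsing to a web server on port 80; replace the address with the real client. Each tool is run with a filter so the output stays readable, and the last lines turn debugging off again.

```text
diagnose debug flow filter clear
diagnose debug flow filter saddr 10.1.1.10
diagnose debug flow filter dport 80
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 20    <-- trace the next 20 packets that match the filter
diagnose debug enable

diagnose sniffer packet any 'host 10.1.1.10 and port 80' 4 10 l    <-- verbosity 4: packet headers with interface names
diagnose sniffer packet any 'host 10.1.1.10 and port 80' 6 10 l    <-- verbosity 6: headers plus payload, with interface names

diagnose sys session filter clear
diagnose sys session filter src 10.1.1.10
diagnose sys session filter dport 80
diagnose sys session list

diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

Run the flow trace and the sniffer while the client reloads the page, then compare the session list before and after applying the custom protocol options profile: with the default HTTP port restored, the port-80 session should be handled by the transparent proxy policy instead of only the regular firewall policy.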