
How to Match Explicit Proxy Sessions

This article describes how to match the two sessions that exist for each Explicit Proxy connection:

  • One is initiated by the client and sent to FortiGate which is the proxy server.
  • The other is initiated by the FortiGate and connects to the destination server on the Internet.

When troubleshooting, both sessions need to be checked. Each session has its own session ID, and the two can be matched through fields they have in common.

Scope

FortiGate.

Solution

FortiGate generates two logs: one for the session initiated by the client (the client session) and one for the session FortiGate initiates to the destination server (the server session). The client session is logged in forward traffic and the server session is logged in local traffic.

The common fields in both sessions are:

  • Both sessions have the same destination IP address.
  • The ‘transport’ (source NAT port) of the client session matches the ‘srcport’ of the server session.

Example logs for one connection (forward traffic log first, then local traffic log):

date=2024-08-06 time=18:48:13 eventtime=1722995292349509766 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.86.2 srcport=51280 srcintf="port3" srcintfrole="undefined" dstcountry="United States" srccountry="Reserved" dstip=151.101.131.5 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=2090205951 service="HTTPS" proxyapptype="web-proxy" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="6cf602fc-545d-51ef-4a5e-cb41890b9f8f" policyname="test" trandisp="snat" transip=10.9.10.188 transport=2502 duration=81 wanin=2232 rcvdbyte=2232 wanout=12628 lanin=12842 sentbyte=12842 lanout=2304 appcat="unscanned"

date=2024-08-06 time=18:48:18 eventtime=1722995297429118509 tz="-0700" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=10.9.10.188 srcport=2502 srcintf="root" srcintfrole="undefined" dstip=151.101.131.5 dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=70118727 proto=6 action="client-rst" policyid=0 service="HTTPS" trandisp="noop" app="HTTPS" duration=86 sentbyte=13912 rcvdbyte=3356 sentpkt=25 rcvdpkt=21 appcat="unscanned"

To match the client session and the server session, take the ‘transport’ (source NAT port) value from the client session log, then go to the local traffic log and find the entry whose ‘srcport’ has the same number.

In the above log example, transport=2502 in the client session and srcport=2502 in the server session. Both have the same destination IP address 151.101.131.5, so they are the two sessions for one explicit proxy connection.
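The matching rule above as a script, for working from exported raw logs. This is an added example, not Fortinet code. It applies the article's rule (same dstip, client transport equal to server srcport) and, as an assumption added here, also requires the two eventtime values (taken to be epoch nanoseconds) to be within max_skew_s seconds of each other, since source NAT ports are reused over time. The function names and the 60-second default are hypothetical.

```python
import re

# key=value pairs; a value is either a "quoted string" or a bare token.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Turn one FortiGate key=value log line into a dict."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def match_proxy_sessions(lines, max_skew_s=60):
    """Pair client (forward) and server (local) sessions of one proxy connection.

    Rule from the article: same dstip, and client 'transport' == server 'srcport'.
    Assumption added here: eventtime is epoch nanoseconds and the two logs
    must be within max_skew_s seconds, because SNAT ports are reused.
    """
    logs = [parse(l) for l in lines if l.strip()]
    servers = {}
    for r in logs:
        if r.get("subtype") == "local":
            servers.setdefault((r.get("dstip"), r.get("srcport")), []).append(r)
    pairs = []
    for c in logs:
        if c.get("subtype") != "forward" or "transport" not in c:
            continue
        for s in servers.get((c.get("dstip"), c["transport"]), []):
            skew = abs(int(s["eventtime"]) - int(c["eventtime"])) / 1e9
            if skew <= max_skew_s:
                pairs.append((c["sessionid"], s["sessionid"]))
    return pairs

# First two lines are the article's example logs trimmed to the fields used;
# the last two are constructed local-traffic entries that must NOT match
# (different srcport; same srcport but much later, i.e. a reused port).
SAMPLE = [
    'eventtime=1722995292349509766 type="traffic" subtype="forward" srcip=192.168.86.2 '
    'srcport=51280 dstip=151.101.131.5 dstport=443 sessionid=2090205951 '
    'transip=10.9.10.188 transport=2502',
    'eventtime=1722995297429118509 type="traffic" subtype="local" srcip=10.9.10.188 '
    'srcport=2502 dstip=151.101.131.5 dstport=443 sessionid=70118727',
    'eventtime=1722995297000000000 type="traffic" subtype="local" srcip=10.9.10.188 '
    'srcport=2503 dstip=151.101.131.5 dstport=443 sessionid=70118800',
    'eventtime=1722999999000000000 type="traffic" subtype="local" srcip=10.9.10.188 '
    'srcport=2502 dstip=151.101.131.5 dstport=443 sessionid=70119999',
]

if __name__ == "__main__":
    for client_id, server_id in match_proxy_sessions(SAMPLE):
        print(f"client sessionid={client_id} <-> server sessionid={server_id}")
```

Raising max_skew_s widens the window and will start pairing the client session with later sessions that reused the same source NAT port.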

The same match is easier to check in the log GUI.

[Screenshot: Forward traffic log (client session)]

[Screenshot: Local traffic log (server session)]