Refer to the exhibit. The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses. How does FortiGate process the traffic sent to http://www.fortinet.com?
A. Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy.
B. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 3.
C. Traffic will not be redirected to the transparent proxy and it will be allowed by firewall policy ID 1.
D. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 1.
Agreed. http-policy-redirect validates using the proxy policies. Since proxy policy 1 does not match fortinet.com and proxy policies 2 & 3 are disabled, the implicit proxy policy (deny) will deny the traffic.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD40584
Host regex match - Once created, the hostname address can be selected as a destination of a proxy policy. This means that a policy will only allow or block requests that match the regular expression.
So because both of the other proxy-policies are set to disable, only proxy-policy 1 is applicable.
https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/720455/proxy-policy-addresses
I don't get this question / answer either. Policy ID 3 has its status disabled and so shouldn't be passing traffic? I did spin this up in a lab and confirmed the configuration, but after disabling the allow all policy I could still reach the internet, which makes me think that policy id 1 was passing the traffic.
In your lab you must have set your explicit proxy default firewall policy to accept. If you had it set to deny, it would block all http/https traffic except the matching EICAR.
A - if traffic is redirected to the web proxy, then srcintf is port3 and dstintf is port1, and this matches proxy policy 3 (fortinet.com - dst all), but that policy is disabled, so the traffic is implicitly denied.
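The disagreement in the thread comes down to evaluation order: when a firewall policy has `set http-policy-redirect enable`, the firewall policy accepts the flow and then the transparent web proxy re-evaluates it top-down against the proxy policies, skipping any policy whose status is disabled, and falling through to the proxy implicit deny when nothing matches. The model below is an added illustration written for this page, not FortiOS code and not the exhibit's configuration: the policy contents (an assumed host-regex address for eicar.org on proxy policy 1, a disabled "allow all" policy 2, a disabled fortinet.com policy 3, a single port3-to-port1 firewall policy with the redirect enabled) are constructed to mirror what the commenters describe, and matching on srcaddr, service, schedule and the other fields is deliberately left out. Host-regex matching is approximated with Python `re.search`.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Simplified model of FortiGate's two-stage evaluation when a firewall policy
# has "set http-policy-redirect enable". Illustration only, not FortiOS code;
# the sample policies below are constructed assumptions, not the exhibit.


@dataclass
class FirewallPolicy:
    policy_id: int
    srcintf: str
    dstintf: str
    action: str = "accept"              # "accept" or "deny"
    http_policy_redirect: bool = False  # set http-policy-redirect enable/disable
    status: bool = True                 # set status enable/disable


@dataclass
class ProxyPolicy:
    policy_id: int
    srcintf: str
    dstintf: str
    action: str = "accept"
    # Regex of a host-regex proxy-address used as dstaddr; None models dstaddr "all".
    dst_host_regex: Optional[str] = None
    status: bool = True


@dataclass
class Request:
    srcintf: str
    dstintf: str
    host: str  # HTTP Host header / SNI, the value a host-regex address is matched against


def match_firewall_policy(policies: List[FirewallPolicy], req: Request) -> Optional[FirewallPolicy]:
    """First enabled firewall policy whose interface pair matches; None means implicit deny."""
    for p in policies:
        if p.status and p.srcintf == req.srcintf and p.dstintf == req.dstintf:
            return p
    return None


def match_proxy_policy(policies: List[ProxyPolicy], req: Request) -> Optional[ProxyPolicy]:
    """First enabled proxy policy that matches; a disabled policy is never consulted."""
    for p in policies:
        if not p.status:
            continue
        if p.srcintf != req.srcintf or p.dstintf != req.dstintf:
            continue
        if p.dst_host_regex is not None and not re.search(p.dst_host_regex, req.host):
            continue
        return p
    return None


def process(fw_policies: List[FirewallPolicy], proxy_policies: List[ProxyPolicy], req: Request) -> str:
    """Return a one-line verdict describing which stage and which policy decided the flow."""
    fw = match_firewall_policy(fw_policies, req)
    if fw is None:
        return "denied by firewall implicit deny"
    if fw.action != "accept":
        return f"denied by firewall policy {fw.policy_id}"
    if not fw.http_policy_redirect:
        return f"allowed by firewall policy {fw.policy_id} (not redirected to proxy)"
    px = match_proxy_policy(proxy_policies, req)
    if px is None:
        return "redirected to proxy, denied by proxy implicit deny"
    verb = "allowed" if px.action == "accept" else "denied"
    return f"redirected to proxy, {verb} by proxy policy {px.policy_id}"


def sample_config():
    """Constructed configuration in the spirit of the thread; every value here is an assumption."""
    fw = [FirewallPolicy(1, "port3", "port1", http_policy_redirect=True)]
    proxy = [
        ProxyPolicy(1, "port3", "port1", dst_host_regex=r"(^|\.)eicar\.org$"),   # assumed host-regex address
        ProxyPolicy(2, "port3", "port1", dst_host_regex=None, status=False),     # the disabled "allow all"
        ProxyPolicy(3, "port3", "port1", dst_host_regex=r"(^|\.)fortinet\.com$", status=False),
    ]
    return fw, proxy


if __name__ == "__main__":
    fw, proxy = sample_config()
    print(process(fw, proxy, Request("port3", "port1", "www.fortinet.com")))
```

With the constructed config, a request for www.fortinet.com is redirected, skips the disabled policies 2 and 3, fails the eicar.org regex on policy 1 and lands on the proxy implicit deny (option A). Flipping policy 3 to enabled reproduces option B, and disabling the redirect on the firewall policy reproduces option C, which is the state the lab in the thread most likely ended up in.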