Proxy options
The Proxy Options menu allows you to configure settings for specific proxies, which can then be applied to policies.
Protocol options are configured in Policy & Objects > Policy > Proxy Options.
Configure the following settings:
Create New | Select to open the New Proxy Options window, where you can create a new proxy option. |
Clone | Clone the current policy option. |
View List | View the proxy list. The proxy options list lists all the proxy options. From the list, you can create new options, edit or delete existing options, and view the number of times the policy option is referenced by other objects. |
Name | The name of the proxy option. |
Comments | A description given to the option. This is an optional setting. |
Protocol Port Mapping | Enable a protocol, then enter the inspection port or ports. |
Common Options | |
Comfort Clients | Select to enable. Configure the following:
- Interval (seconds) – enter the interval time in seconds.
- Amount (bytes) – enter the amount in bytes. |
Block Oversized File/Email | Enable to block oversized files or emails, and configure the size threshold:
- Threshold (MB) – enter the threshold amount for an oversized email message or file in MB. |
Web Options | |
Enable Chunked Bypass | Select to enable the chunked bypass setting. |
SSL inspection
To configure deep inspection options, go to Policy & Objects > Policy > SSL Inspection. SSL inspection options can be used in policies.
Select a deep or certificate inspection option from the drop-down list in the toolbar and edit the settings as required, or create new options, then select Apply to apply your changes.
Create New | Select to open the New Deep Inspection Options window, where you can create a new deep inspection option. |
Name | The name of the deep inspection option. |
Comments | A description given to the option. This is an optional setting. |
SSL Inspection Options | SSL inspection options. |
Enable SSL Inspection of |
- Multiple Clients Connecting to Multiple Servers – The Exempt from SSL Inspection and Common Options options below are only available with this option enabled.
- Protecting SSL Server |
CA Certificate | Select a CA certificate from the drop-down menu. |
Inspection Method |
- SSL Certificate Inspection
- Full SSL Inspection – you can optionally enable HTTPS and set which port the protocol uses. |
Exempt from SSL Inspection | Exempt web categories or specific addresses from SSL inspection. |
Web Categories | Add web categories to be exempt from SSL inspection. |
Addresses | Add any pre-configured addresses to be exempt from SSL inspection. |
Common Options | Common options. |
Allow Invalid SSL Certificates | Select to allow invalid SSL certificates. |
Log Invalid Certificates | Select to log invalid certificates. |
Objects
The firewall objects menu provides options for configuring addresses, services, schedules, explicit web proxy, forwarding servers, and web proxy settings. This chapter contains the following sections:
- Addresses
- Services
- Schedules
- Explicit
- Forward servers
- Web proxy global
Addresses
Web cache addresses and address groups define network addresses that you use when configuring source and destination addresses for security policies. The FortiCache unit compares the IP addresses contained in packet headers with security policy source and destination addresses to determine if the security policy matches the traffic. Addresses can be IPv4 addresses and address ranges, IPv6 addresses, and fully qualified domain names (FQDNs).
Be careful if employing FQDN web cache addresses. Using a fully qualified domain name in a security policy, while convenient, does present some security risks because policy matching then relies on a trusted DNS server. If the DNS server should ever be compromised, security policies requiring domain name resolution may no longer function properly.
Web cache addresses in the address list are grouped by type: IP/Netmask, FQDN, or IPv6. A FortiCache unit’s default configurations include the all address, which represents any IPv4 IP address on any network. You can also add a firewall address list when configuring a security policy.
To view the address list, go to Policy & Objects > Objects > Addresses.
Configure the following settings:
Create New > Address | Add a new address. |
Edit Address | Edit the selected address. |
Delete | Remove the selected address or addresses. This icon appears only if a policy or address group is not currently using the address. |
Name | The name of the address. |
Address | The IP address and mask, IP address range, or FQDN of the address. |
Interface | The interface to which the address is bound. |
Type | The type of address: Subnet, IP Range, FQDN. |
Comments | Optional description of the address. |
Ref. | Displays the number of times the address is referenced by other objects.
To view the location of the referenced address, select the number in Ref. The Object Usage window appears displaying the various locations of the referenced object. |
Show in Address List | |
Tags |
To create a new address:
- Go to Policy & Objects > Objects > Addresses and select Create New > Address. The New Address window opens.
- Configure the following settings:
Name | Enter a name for the address. Addresses must have unique names. |
Type | Select the type of address: Subnet, IP Range, or FQDN. You can enter either an IP range or an IP address with subnet mask. |
Subnet / IP Range | Enter the IP address, followed by a forward slash (/), then subnet mask, or enter an IP address range separated by a hyphen. See Web cache policy address formats on page 68. |
FQDN | Enter the FQDN. This option is only available when Type is FQDN. |
Interface | Select the interface to which you want to bind the IP address. Select Any if you want to bind the IP address with the interface when you create a policy. |
Comments | Optionally, enter a description of the address. |
- Select OK to create the new address.
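The Subnet / IP Range formats above, and the earlier caution that FQDN addresses make policy matching depend on DNS, can be seen together in the following added example. It is a simplified model written for this page, not FortiCache code; the object names, the sample addresses, and the `dns_answers` mapping are constructed assumptions.

```python
import ipaddress

def parse_address(addr_type, value):
    """Parse one address object by Type: Subnet, IP Range or FQDN."""
    if addr_type == "Subnet":
        # Accepts a dotted mask (192.0.2.0/255.255.255.0) or a prefix length (/24).
        return ("net", ipaddress.ip_network(value.replace(" ", ""), strict=False))
    if addr_type == "IP Range":
        first, sep, last = value.partition("-")
        if not sep:
            raise ValueError(f"IP range needs a hyphen: {value!r}")
        lo, hi = ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid IP range: {value!r}")
        return ("range", (lo, hi))
    if addr_type == "FQDN":
        return ("fqdn", value.rstrip(".").lower())
    raise ValueError(f"unknown address type: {addr_type!r}")

def matches(entry, ip, dns_answers):
    """True if ip is covered by the entry. dns_answers: FQDN -> IPs the resolver returned."""
    kind, spec = entry
    ip = ipaddress.ip_address(ip)
    if kind == "net":
        return ip in spec
    if kind == "range":
        return ip.version == spec[0].version and spec[0] <= ip <= spec[1]
    # FQDN: the match is only as trustworthy as the DNS answer behind it.
    return str(ip) in dns_answers.get(spec, ())

# Constructed sample objects (hypothetical names, documentation address ranges).
ADDRESSES = {
    "branch-lan": parse_address("Subnet", "192.0.2.0/255.255.255.0"),
    "cache-pool": parse_address("IP Range", "198.51.100.10-198.51.100.20"),
    "updates": parse_address("FQDN", "updates.example.com"),
}

def matching_objects(ip, dns_answers):
    """Names of the address objects that cover ip, given the current DNS answers."""
    return sorted(n for n, e in ADDRESSES.items() if matches(e, ip, dns_answers))

def dns_dependent():
    """Address objects whose policy matching relies on name resolution."""
    return sorted(n for n, (kind, _) in ADDRESSES.items() if kind == "fqdn")
```

Subnet and IP Range objects match the same traffic whatever the resolver returns; an FQDN object follows the DNS answer, so `dns_dependent()` gives the set of objects to review when the resolver's integrity is in question.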
To edit an address:
- Select the address you would like to edit then select Edit from the toolbar, or double-click on the address in the address table. The Edit Address window opens.
- Edit the address information as required and select OK to apply your changes.
To delete an address or addresses:
- Select the address or addresses that you would like to delete.
- Select Delete from the toolbar.
- Select OK in the confirmation dialog box to delete the selected address or addresses.
Address groups
You can organize multiple addresses into an address group to simplify your policy list. For example, instead of having five identical policies for five different but related addresses, you might combine the five addresses into a single address group, which is used by a single policy. To view the address group list, go to Policy & Objects > Objects > Addresses.
Create New > Address Group | Add an address group. |
Edit | Select to edit the address group. |
Delete | Select to remove the address group. This icon appears only if the address group is not currently being used by a policy. |
Group Name | The name of the address group. |
Members | The addresses in the address group. |
Comments | Optional description of the address group. |
Ref. | Displays the number of times the address group is referenced by other objects.
To view the location of the referenced address group, select the number in Ref. The Object Usage window appears displaying the various locations of the referenced object. |
Show in Address List | Whether or not the group is shown in the address list. |
Tags |
To create a new address group:
- Select Create New > Address Group. The New Address Group window opens.
- Configure the following information:
Group Name | Enter a name to identify the address group. Addresses, address groups, and virtual IPs must have unique names. |
Comments | Optionally, enter a description of the address group. |
Show in Address List | Select to show the address group in the address list. |
Members | Select the addresses to add to the address group. |
- Select OK to create the new address group.
To edit an address group:
- Select the group you would like to edit, then select Edit from the toolbar, or double-click on the address group. The Edit Address Group window opens.
- Edit the address group information as required and select OK to apply your changes.
To delete an address group or groups:
- Select the address or addresses that you would like to delete.
- Select Delete from the toolbar.
- Select OK in the confirmation dialog box to delete the selected address or addresses.