Forward servers
By default, the FortiCache unit monitors a web proxy forwarding server by forwarding a connection to the remote server every 10 seconds. If the remote server does not respond, it is assumed to be down. Checking will continue until, when the server does send a response, the server is assumed to be back up. If health checking is enabled, the FortiCache unit will attempt to get a response from a web server by connecting through the remote forwarding server every 10 seconds.
You can enable health checking for each remote server, and specify a different website to check for each one.
If the remote server is found to be down, you can configure the FortiCache unit to either block sessions until the server comes back up, or allow sessions to connect to their destination using the original server. You cannot configure the FortiCache unit to fail over to another remote forwarding server.
To configure the server down action and enable health monitoring, go to Policy & Objects > Objects > Forward Server.
Configure the following settings:
Create New | Create a new forwarding server. |
Edit | Edit a forwarding server. |
Delete | Remove a forwarding server setting from the list. |
Server Name | The name of the forwarding server. |
Address | The IP address of the forwarding server. |
Port | The port number of the forwarding server. |
Health Check | Indicates whether the health check is disabled or enabled for that forwarding server. A green checkmark indicates that health check is enabled; a gray x indicates that health check is disabled. |
Server Down | The action that the FortiCache unit will take when the server is down. |
Ref. | Displays the number of times the forwarding server is referenced to other objects.
To view the location of the referenced forwarding server, select the number in Ref.; the Object Usage window appears displaying the various locations of the referenced object. |
Use the following CLI command to enable health checking for a web proxy forwarding server and set the server down option to use the original server if it is down.
config web-proxy forward-server edit fwd-srv set healthcheck enable set monitor http://example.com set server-down-option pass
end
To create a new forwarding server:
- Go to Policy & Objects > Objects > Forward Server and select Create New. The Add Forwarding Server window opens.
- Configure the following settings:
Server Name | Enter the name of the forwarding server. |
Proxy Address Type | Select the type of IP address of the forwarding server, either IP or FQDN. |
Proxy Address | Enter the IP address or FQDN of the forwarding server. |
Port | Enter the port number. |
Server Down Action | Select what action the FortiCache unit will take if the forwarding server is down, either Block or Use Original Server. |
Enable Health Monitor | Select to enable health check monitoring. |
Health Check Monitor Site | Enter the URL address of the health check monitoring site. |
- Select OK to create the forwarding server.
To edit a forwarding server:
- Select the server you would like to edit then select Edit from the toolbar, or double-click on the schedule group in the table. The Edit Forwarding Server window opens.
- Edit the information as required, then select OK to apply your changes.
To delete forwarding servers:
- Select the server or servers that you would like to delete.
- Select Delete from the toolbar.
- Select OK in the confirmation dialog box to delete the selected server or servers.
Web proxy global
Use the global explicit web proxy settings to change the configuration of explicit web proxies.
Go to Policy & Objects > Objects > Web Proxy Global to change the global explicit web proxy settings.
Configure the following settings:
Proxy FQDN | The FQDN for the global proxy server. This is the domain name to enter into browsers to access the proxy server. |
Max HTTP request length | The maximum length of an HTTP request that can be cached, in Kb. Larger requests will be rejected (default = 4Kb). |
Max HTTP message length | The maximum length of an HTTP message that can be cached, in Kb. Larger messages will be rejected (default = 32Kb). |
Add Client IP Header to Forwarded Requests | Include the client IP header from the original HTTP request that is forwarded to the internal network. |
Add VIA Header to Forwarded Requests | Include the via Header from the original HTTP request that is forwarded to the internal network. |
Add X-Forwarded-For
Header to Forwarded Requests |
Include the X-Forwarded-For (XFF) HTTP header. The XFF HTTP header identifies the originating IP address of a web client or browser that is connecting through an HTTP proxy, and the remote addresses it has passed through to that point. |
Add Front-End-Https
Header to Forwarded Requests |
Include the front-end HTTP header from the original HTTPS request. |
Enable Strict Web Check | Close the connection if errors are found in the HTTP header. For example, the connection would be closed if a single line header becomes a multiple line header, or if a request header shows up in a response. |
Enable Forward Proxy
Authentication |
Include proxy-authentication information in packets sent to the HTTP proxy behind the FortiCache explicit proxy. |
Proxy auto-config configuration
A PAC file defines how a web browser can select a proxy server for receiving HTTP content. PAC files include the FindProxyForURL (url, host) JavaScript function that returns a string with one or more access method specifications. These specifications cause the web browser to either use a particular proxy server, or to connect directly to retrieve the content.
The FortiCache can be configured to serve a PAC file to define the proxy network and how it should be used by the client. The browser must be configured appropriately to point at the FortiCache device to retrieve the PAC file, for example:
http://<FortiCache IP>:8080/proxy.pac
Web proxy auto-discovery protocol
The Web Proxy Auto-Discovery Protocol (WPAD) is a method for a browser to automatically discover the proxy configuration file, without any browser configuration, using settings in DNS or DHCP. For more information about this method, refer to the following Internet Engineering Task Force (IETF) draft:
http://tools.ietf.org/html/draft-ietf-wrec-wpad-01
When using DNS, the most widely supported resolution method, an entry is made in the local authoritative zone to map the name wpad (such as wpad.example.com) to one or more IP addresses. The browser is configured to automatically look in the following locations to find the WPAD configuration, which is in effect a PAC file, as described in Proxy auto-config configuration on page 85:
http://wpad.department.branch.example.com/wpad.dat http://wpad.branch.example.com/wpad.dat http://wpad.example.com/wpad.dat
To configure the FortiCache unit to issue a wpad.dat file, use the following CLI commands:
config web-proxy explicit edit “web-proxy” set ftp-over-http enable set interface “port1” set pac-file-name “wpad.dat” set pac-file-server-port 80 set pac-file-server-status enable
set pac-file-data “<Put your PAD file content here, escaping quotes with \>”
next
85
Security Profiles
The Security Profiles menu provides access to antivirus, web filter, and ICAP profiles, as well as DLP sensors and filters, and ICAP server settings. This chapter includes the following sections:
- Antivirus l Web Filter l Data Leak Prevention l ICAP
- Content Analysis
Antivirus
A profile is specific configuration information that defines how the traffic within a policy is examined and what action may be taken based on the examination. Multiple antivirus profiles can be created for different antivirus scanning requirements. These profiles can then be applied to firewall policies.
To manage antivirus profiles, go to Security Profiles > Antivirus > View List.
To enable antivirus scanning:
- Go to Policy & Objects > Policy > Policy and either add or select the security policy that accepts the traffic to be virus scanned. See Configuring policies on page 62.
- In the New Policy or Edit Policy window, under Security Profiles, select AntiVirus, then select an antivirus profile from the drop-down list.
- Select OK to save the policy.
To create a new antivirus profile:
- Go to Security Profiles > AntiVirus > View List and select Create New. The New AntiVirus Profile Server window opens.
- Configure the following settings:
Name | Enter the name of the antivirus profile. | ||
Comments | Optional enter a description of the profile. | ||
Protocol | The protocols for which virus scan and removal can be enabled. | ||
Virus Scan
Monitor |
and | Block | Select to enable virus scan and monitoring. |
- Select OK to create the antivirus profile.
To edit an antivirus profile:
- Select the profile you would like to edit then select Edit from the toolbar, or double-click on the schedule group in the table. The Edit AntiVirus Server window opens.
- Edit the information as required, then select OK to apply your changes.
To delete antivirus profiles:
- Select the profile or profiles that you would like to delete.
- Select Delete from the toolbar.
- Select OK in the confirmation dialog box to delete the selected profile or profiles.
Web Filter
This section describes how to configure web filters for HTTP traffic, and URL filters to allow or block caching of specific URLs.
The web filter profiles menu allows you to configure a web filter profile to apply to a policy. A profile is specific information that defines how the traffic within a policy is examined and what action may be taken based on the examination.
To configure web filter profiles, go to Security Profiles > Web Filter. The Edit Web FilterProfile page is displayed.
Configure the following settings, then select Apply to apply any changes:
Name | The name of the web filter profile. |
Comments | Optional description of the profile. |
FortiGuard Categories | Select to enable Fortiguard categories. If the device is not licensed for the FortiGuard web filtering service, traffic may be blocked by enabling this option. |
Show | In the category list, right-click on a specific category, then select the action to take from the pop-up menu: Allow, Block, Monitor, Warning, or Authenticate. |
Quota | Quotas can be configured on categories set to the Monitor, Warning, or Authenticate actions.
1. Expand the quota list then select Create New in the table to open the New/Edit Quota window. 2. Select categories from the list 3. Select the length of the quota, 4. Select OK to create the new quota. Quotas can also be edited and deleted as required. |
Enable Safe Search | Select to enable safe search. |
Search Engine… | When enabled, the supported search engines exclude offensive material from search results.
Supported search engines include: Google, Yahoo!, Bing, and Yandex. |
YouTube
Education Filter |
Select to enable YouTube education filter, then enter the filter in the text field. |
Log All Search Keywords | Enable to log all searched keywords. |
Block Invalid URLs | Enable to block web sites when their SSL certificate CN field does not contain a valid domain name. |
Enable URL Filter | Select to enable URL or web site filters. See Web site filters on page 92. |
Enable Web Content Filter | Enable to block access to web pages that include the words included in the selected web content filter list. |
Allow Websites When a Rating Error Occurs | Enable to allow access to web pages that return a rating error from the web filter service.
If your unit is temporarily unable to contact the FortiGuard service, this setting determines what access the unit allows until contact is reestablished. If enabled, users will have full unfiltered access to all web sites. If disabled, users will not be allowed access to any web sites. |
Rate URLs by Domain and IP Address | Enable to have the unit request site ratings by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter.
FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This can sometimes cause the unit to allow access to sites that should be blocked, or to block sites that should be allowed. |
Block HTTP Redirects by Rating | Enable to block HTTP redirects.
Many web sites use HTTP redirects legitimately, but, in some cases, redirects may be designed specifically to circumvent web filtering, as the initial web page could have a different rating than the destination web page of the redirect. |
Rate Images by URL (Blocked images will be replaced with blanks) | Enable to have the unit retrieve ratings for individual images in addition to web sites. Images in a blocked category are not displayed even if they are part of a site in an allowed category.
Blocked images are replaced on the originating web pages with blank place-holders. Rated image file types include GIF, JPEG, PNG, BMP, and TIFF. |
Restrict Google Account Usage to Specific Domains | Enable to have users logged in to their Google account to browse only specific domains or web sites. |
Web Resume Download
Block |
Enable to prevent a download from resuming after it has been interrupted. With this filter enabled, any attempt to restart an aborted download will download the file from the beginning rather than resuming from where it left off. This prevents the unintentional download of viruses hidden in fragmented files.
Some types of files, such as PDF, fragment files to increase download speed. Enabling this option can cause download interruptions and may also break certain applications that use the Range Header in the HTTP protocol, such as YUM, a Linux update manager. |
Provide Details for Blocked HTTP 4xx and 5xx Errors | Enable to have the unit to display its own replacement message for 400 and 500-series HTTP errors . If the server error is allowed through, malicious or objectionable sites can use these common error pages to circumvent web filtering. See . |
HTTP POST Action | Select the action to take with HTTP POST traffic. HTTP POST is the command used by your browser when you send information, such as a filled out form or a file you are uploading, to a web server. The available actions include:
l Comfort: Use client comforting to slowly send data to the web server as the FortiCache unit scans the file. This option prevents a server time-out when scanning or other filtering is enabled for outgoing traffic. l The client comforting settings used are those defined in the protocol options profile selected in the security policy. l Block: Block the HTTP POST command. This will limit users from sending information and files to web sites. l When the post request is blocked, the unit sends the http-post-block replacement message to the web browser attempting to use the command. |
Remove Java Applet Filter | Enable to filter java applets from web traffic. Web sites using java applets may not function properly when this filter is enabled. |
Remove ActiveX Filter | Enable to filter ActiveX scripts from web traffic. Web sites using ActiveX may not function properly when this filter is enabled. |
Remove Cookie Filter | Enable to filter cookies from web traffic. Web sites using cookies may not function properly when this filter is enabled. |
Profile list
The web filter profile list can be viewed by selecting View List in the Edit Web FilterProfile page toolbar.
Create New | Create a new web filter profile. |
Edit | Modify the web filter profile. |
Delete | Remove the web filter profile. |
Name | The name of the web filter profile. |
Comments | An optional description of the web filter profile. |
Ref. | Displays the number of times the profile is referenced to other objects. To view the location of the referenced profile, select the number in Ref.; the Object Usage window appears displaying the various locations of the referenced object. |
Managing web filter profiles
Web filter profiles can be added, edited, cloned, and deleted as required.
To create a new web filter profile:
- From either the Edit Web FilterProfile page or the web filter profile list, select Create New.
- Enter the required information, then select OK to create the new web filter profile.
To edit a web filter profile:
- From the Edit Web FilterProfile page, select the profile you need to edit from the profile drop-down list. From the profile list, either select the profile you would like to edit then select Edit from the toolbar, or double-click on the profile name in the list.
The Edit Web FilterProfile window opens.
- Edit the information as required, then select Apply to apply your changes.
To clone a web filter profile:
- From the Edit Web FilterProfile page, select the profile you need to clone from the profile drop-down list.
- Select Clone from the toolbar.
- Enter a name for the profile in the dialog box, then select OK. The profile list opens, with the clone added.
- Edit the clone as required.
To delete a profile or profiles:
- From the profile list, select the profile or profiles that you would like to delete.
- Select Delete from the toolbar.
- Select OK in the confirmation dialog box to delete the selected profile or profiles.