Explicit web proxy (5.6)

Explicit web proxy (5.6)

New explicit web proxy features added to FortiOS 5.6.

Explicit proxy supports multiple incoming ports and port ranges (402775, 398687)

Explicit proxy can now be configured to listen on multiple ports on the same IP as well as listen for HTTP and HTTPS on those same (or different) ports.

Define the IP ranges using a hyphen (). As shown below, port_high is not necessary to specify if port_low is equal to port_high.

CLI syntax

config web-proxy explicit set http-incoming-port <port_low> [-<port_high>]

end

Explicit proxy supports IP pools (402221)

Added a new command, poolname, to config firewall explicit-proxy-policy. When setting the IP pool name with this command, the outgoing IP will be selected.

CLI syntax

config firewall explicit-proxy-policy edit <example> set poolname <name>

end

Option to remove unsupported encoding from HTTP headers (392908)

Added a new command to config web-proxy profile that, when enabled, allows the FortiGate to strip out unsupported encoding from request headers, and correctly block banned words. This is to resolve issues when attempting to successfully block content using Google Chrome.

CLI syntax:

config web-proxy profile edit <example> set strip-encoding {enable | disable}

end

New authentication process for explicit web proxying (386474, 404355)

While in Proxy inspection mode, explicit proxy options can be set under Network > Explicit Proxy. These settings will affect what options are available for creating proxy policies under Policy & Objects > Proxy Policy. From here you may create new policies with Proxy Type set to either Explicit Web, Transparent Web, or FTP.

Explicit web proxy (5.6)

Authentication will be triggered differently when configuring a transparent HTTP policy. Before such a policy can be configured, you must enable HTTP Policy Redirect under Security Profiles > Proxy Options.

Added Internet services to explicit proxy policies (386182)

Added two new commands to config firewall explicit-proxy-policy. FortiOS can use the Internet Service Database (introduced in 5.4.1) as the web-proxy policy matching factor.

CLI syntax:

config firewall explicit-proxy-policy edit <example> set internet-service <application-id> set internet-service-custom <application-name>

Virtual WAN link in an explicit proxy firewall policy (385849, 396780)

Virtual WAN link (VWL) interfaces may now be set as the destination interface in an explicit proxy policy, routing traffic properly using basic virtual WAN link load balance settings. This is now configurable through both the CLI under firewall explicit-proxy-policy and the GUI.

Added application ID and category setting on the explicit proxy enabled service (379330)

This feature introduces support for application ID/category in the service of explicit proxy as one policy selection factor. The intent is to identify the application type based on the HTTP request with IPS application type detection function. It is similar to the current firewall explicit address, but it is implemented as a service type, and you can select the application ID/ category to define explicit service. Of course, now it must be an HTTP-based application.

CLI syntax

config firewall service custom edit “name” set app-service-type [disable|app-id|app-category]

next

end

Explicit Proxy – populate pac-file-url in transparent mode (373977)

You can now use manageip to populate pac-file-url in transparent opmode. Previously, in the CLI, when displaying pac-file-url, the code only tries to get interface IP to populate pac-file-url.

CLI syntax

config vdom edit root config system settings set opmode transparent set manageip 192.168.0.34/24

end config web-proxy explicit set pac-file-server-status enable get pac-file-url [url.pac]

Explicit web proxy

end

SSL deep inspection OCSP support for Explicit Proxy (365843)

OCSP support for SSL deep inspection added for Explicit Proxy.

CLI syntax

config vpn certificate setting set ssl-ocsp-status [enable|disable] set ssl-ocsp-option [certificate|server]

end

Timed out authentication requests are now logged (357098)

CLI syntax

config web-proxy explicit set trace-auth-no-rsp [enable|disable] end

 

(5.6.1)

This entry was posted in FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.