Explicit proxy concepts
The following is information that is specific to Explicit Proxy concepts. Any information that is common to Web
The FortiGate explicit web proxy
You can use the FortiGate explicit web proxy to enable explicit proxying of IPv4 and IPv6 HTTP and HTTPS traffic on one or more FortiGate interfaces. The explicit web proxy also supports proxying FTP sessions from a web browser and proxy auto-config (PAC) to provide automatic proxy configurations for explicit web proxy users. From the CLI you can also configure the explicit web proxy to support SOCKS sessions from a web browser.
The explicit web and FTP proxies can operate at the same time on the same or on different FortiGate interfaces.
In most cases you would configure the explicit web proxy for users on a network by enabling the explicit web proxy on the FortiGate interface connected to that network. Users on the network would configure their web browsers to use a proxy server for HTTP and HTTPS, FTP, or SOCKS and set the proxy server IP address to the IP address of the FortiGate interface connected to their network. Users could also enter the PAC URL into their web browser PAC configuration to automate their web proxy configuration using a PAC file stored on the FortiGate unit.
Enabling the explicit web proxy on an interface connected to the Internet is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address.
If the FortiGate unit is operating in transparent mode, users would configure their browsers to use a proxy server with the FortiGate management IP address.
If the FortiGate unit is operating with multiple VDOMs the explicit web proxy is configured for each VDOM.
The web proxy receives web browser sessions to be proxied at FortiGate interfaces with the explicit web proxy enabled. The web proxy uses FortiGate routing to route sessions through the FortiGate unit to a destination interface. Before a session leaves the exiting interface, the explicit web proxy changes the source addresses of the session packets to the IP address of the exiting interface. When the FortiGate unit is operating in transparent mode the explicit web proxy changes the source addresses to the management IP address. You can configure the explicit web proxy to keep the original client IP address. See The FortiGate explicit web proxy on page 374.
For more information about explicit web proxy sessions, see The FortiGate explicit web proxy on page 374.
Example explicit web proxy topology
To allow all explicit web proxy traffic to pass through the FortiGate unit you can set the explicit web proxy default firewall policy action to accept. However, in most cases you would want to use security policies to control explicit web proxy traffic and apply security features such as access control/authentication, virus scanning, web filtering, application control, and traffic logging. You can do this by keeping the default explicit web proxy security policy action to deny and then adding web-proxy security policies.
You can also change the explicit web proxy default security policy action to accept and add explicit web proxy security policies. If you do this, sessions that match web-proxy security policies are processed according to the security policy settings. Connections to the explicit web proxy that do not match a web-proxy security policy are allowed with no restrictions or additional security processing. This configuration is not recommended and is not a best practice.
The explicit web proxy can accept VIP addresses as the destination address. If an external IP matches a VIP policy, the IP is changed to the mapped IP of the VIP.
Web-proxy policies can selectively accept or deny traffic, apply authentication, enable traffic logging, and use security profiles to apply virus scanning, web filtering, IPS, application control, DLP, and SSL/SSH inspection to explicit web proxy traffic.
You cannot configure IPsec, SSL VPN, or traffic shaping for explicit web proxy traffic. Web proxy policies can only include firewall addresses that are not assigned to a FortiGate unit interface or that have their interface set to Any. (In the web-based manager you must set the interface to Any. In the CLI you must unset associated-interface.)
Authentication of explicit web proxy sessions uses HTTP authentication and can be based on the user’s source IP address or on cookies from the user’s web browser. For more information, see The FortiGate explicit web proxy on page 374.
To use the explicit web proxy, users must add the IP address of a FortiGate interface on which the explicit web proxy is enabled and the explicit web proxy port number (default 8080) to the proxy configuration settings of their web browsers.
On FortiGate units that support it, you can also enable web caching for explicit web proxy sessions.
Other explicit web proxy options
You can change the following explicit web proxy options as required by your configuration.
HTTP port, HTTPS port, FTP port, PAC port
The TCP port that web browsers use to connect to the explicit proxy for HTTP, HTTPS, FTP and PAC services. The default port is 8080 for all services. By default HTTPS, FTP, and PAC use the same port as HTTP. You can change any of these ports as required. Users configuring their web browsers to use the explicit web proxy must add the same port numbers to their browser configurations.
Multi-port support for Explicit Proxy
Support exists for the use of multiple ports and port ranges in the explicit FTP or web proxies. These changes have been added in both the CLI and the GUI.
CLI: set http-incoming-port <port_low>[-<port_high>]
Where:
- port_low – the low value of the port range
- port_high – the high value of the port range
The port_high value can be omitted if port_low and port_high are the same.
Proxy FQDN
Enter the fully qualified domain name (FQDN) for the proxy server. This is the domain name to enter into browsers to access the proxy server.
Max HTTP request length
Enter the maximum length of an HTTP request in Kbytes. Larger requests will be rejected.
Max HTTP message length
Enter the maximum length of an HTTP message in Kbytes. Larger messages will be rejected.
Multiple incoming ports and port ranges
Web proxy can be configured to listen on multiple ports on the same IP as well as listen for HTTP and HTTPS on those same (or different) ports. This is done in the CLI.
Define the port ranges using a hyphen (-). As shown below, port_high does not need to be specified if port_low is equal to port_high.
CLI syntax
config web-proxy explicit
    set http-incoming-port <port_low>[-<port_high>]
end
Internet services
FortiOS can use the Internet Service Database (introduced in 5.4.1) as a web-proxy policy matching factor. This can only be done in the CLI.
CLI syntax:
config firewall proxy-policy
    edit 0
        set internet-service <application-id>
        set internet-service-custom <application-name>
    next
end
IP pools
IP pools can be used with the web proxy. When this option is set to the name of an IP pool, the outgoing IP address is selected from that pool.
CLI syntax
config firewall proxy-policy
    edit <example>
        set poolname <name>
    next
end
Proxy chaining (web proxy forwarding servers)
For the explicit web proxy you can configure web proxy forwarding servers to use proxy chaining to redirect web proxy sessions to other proxy servers. Proxy chaining can be used to forward web proxy sessions from the FortiGate unit to one or more other proxy servers on your network or on a remote network. You can use proxy chaining to integrate the FortiGate explicit web proxy with a web proxy solution that you already have in place.
A FortiGate unit can forward sessions to most web proxy servers including a remote FortiGate unit with the explicit web proxy enabled. No special configuration of the explicit web proxy on the remote FortiGate unit is required.
You can deploy the explicit web proxy with proxy chaining in an enterprise environment consisting of small satellite offices and a main office. If each office has a FortiGate unit, users at each of the satellite offices can use their local FortiGate unit as an explicit web proxy server. The satellite office FortiGate units can forward explicit web proxy sessions to an explicit web proxy server at the central office. From here the sessions can connect to web servers on the Internet.
FortiGate proxy chaining does not support authenticating with the remote forwarding server.
Adding a web proxy forwarding server
To add a forwarding server, select Create New in the Web Proxy Forwarding Servers section of the Explicit Proxy page by going to Network > Explicit Proxy.
Server Name | Enter the name of the forwarding server. |
Proxy Address | Enter the IP address of the forwarding server. |
Proxy Address Type | Select the type of address of the forwarding server. A forwarding server can have an FQDN or an IP address. |
Port | Enter the port number on which the proxy receives connections. Traffic leaving the FortiGate explicit web proxy for this server has its destination port number changed to this number. |
Server Down Action | Select the action the explicit web proxy takes if the forwarding server is down. Block means that if the remote server is down, traffic is blocked. Use Original Server means do not forward traffic to the forwarding server but instead forward it from the FortiGate to its destination; in other words, operate as if no forwarding server is configured. |
Enable Health Monitor | Select to enable health check monitoring and enter the address of a remote site. See "Web proxy forwarding server monitoring and health checking". |
Health Check Monitor Site | Enter the address of the remote site that the health check connects to through the forwarding server. |
Use the following CLI command to add a web proxy forwarding server named fwd-srv at address proxy.example.com and port 8080.
config web-proxy forward-server
    edit fwd-srv
        set addr-type fqdn
        set fqdn proxy.example.com
        set port 8080
    next
end
Web proxy forwarding server monitoring and health checking
By default, a FortiGate unit monitors each web proxy forwarding server by forwarding a connection to the remote server every 10 seconds. If the remote server does not respond, it is assumed to be down. Checking continues, and when the server does send a response it is assumed to be back up. If you configure health checking, every 10 seconds the FortiGate unit attempts to get a response from a web server by connecting through the remote forwarding server.
You can configure health checking for each remote server and specify a different website to check for each one.
If the remote server is found to be down you can configure the FortiGate unit to block sessions until the server comes back up or to allow sessions to connect to their destination, bypassing the remote forwarding server. You cannot configure the FortiGate unit to fail over to another remote forwarding server.
Configure the server down action and enable health monitoring from the web-based manager by going to Network > Explicit Proxy, selecting a forwarding server, and changing the server down action and the health monitor settings.
Use the following CLI command to enable health checking for a web proxy forwarding server and set the server down option to bypass the forwarding server if it is down.
config web-proxy forward-server
    edit fwd-srv
        set healthcheck enable
        set monitor http://example.com
        set server-down-option pass
    next
end
Grouping forwarding servers and load balancing traffic to them
You can add multiple web proxy forwarding servers to a forwarding server group and then add the server group to an explicit web proxy policy instead of adding a single server. Forwarding server groups are created from the FortiGate CLI but can be added to policies from the web-based manager (or from the CLI).
When you create a forwarding server group you can select a load balancing method to control how sessions are load balanced to the forwarding servers in the server group. Two load balancing methods are available:
- Weighted load balancing sends more sessions to the servers with higher weights. You can configure the weight for each server when you add it to the group.
- Least-session load balancing sends new sessions to the forwarding server that is processing the fewest sessions.
When you create a forwarding server group you can also enable affinity. Enable affinity to have requests from the same client processed by the same server. This can reduce delays caused by using multiple servers for a single multi-step client operation. Affinity takes precedence over load balancing.
You can also configure the behavior of the group if all of the servers in the group are down. You can select to block traffic or you can select to have the traffic pass through the FortiGate explicit proxy directly to its destination instead of being sent to one of the forwarding servers.
Use the following command to add a forwarding server group that uses weighted load balancing to load balance traffic to three forwarding servers. Server weights are configured to send most traffic to server_2. The group has affinity enabled and blocks traffic if all of the forwarding servers are down:
config web-proxy forward-server
    edit server_1
        set ip 172.20.120.12
        set port 8080
    next
    edit server_2
        set ip 172.20.120.13
        set port 8000
    next
    edit server_3
        set ip 172.20.120.14
        set port 8090
    next
end
config web-proxy forward-server-group
    edit New-fwd-group
        set affinity enable
        set ldb-method weight
        set group-down-option block
        config server-list
            edit server_1
                set weight 10
            next
            edit server_2
                set weight 40
            next
            edit server_3
                set weight 10
            next
        end
    next
end
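The selection rules described above (affinity before load balancing, weighted versus least-session distribution, the group-down-option when every server is down, and the server-up state that the health monitor maintains) can be modelled in a few dozen lines. This is an added illustration written for this page, not FortiOS code; the field names are assumed and the `up` flag stands in for the health monitor result.

```python
"""Model of how an explicit web proxy forwarding server group picks a server,
following this page's rules: affinity first, then weighted or least-session
load balancing, and group-down-option when every server is down.  Added
illustration, not FortiOS code; the 'up' flag stands in for the health monitor."""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Union

@dataclass
class ForwardServer:
    name: str
    ip: str
    port: int
    weight: int = 10       # used by ldb-method weight
    up: bool = True        # health monitor result (assumed flag)
    sessions: int = 0      # used by ldb-method least-session

@dataclass
class ForwardServerGroup:
    name: str
    servers: List[ForwardServer]
    ldb_method: str = "weight"         # "weight" | "least-session"
    affinity: bool = True
    group_down_option: str = "block"   # "block" | "pass"
    affinity_map: Dict[str, str] = field(default_factory=dict)

    def select(self, client_ip: str, rng=random) -> Union[ForwardServer, str, None]:
        """Pick the server for a new session from client_ip: a ForwardServer,
        "direct" (passed straight to its destination) or None (blocked)."""
        up = [s for s in self.servers if s.up]
        if not up:
            return "direct" if self.group_down_option == "pass" else None
        # Affinity takes precedence: a client pinned to a live server keeps it.
        if self.affinity and client_ip in self.affinity_map:
            for s in up:
                if s.name == self.affinity_map[client_ip]:
                    s.sessions += 1
                    return s
        if self.ldb_method == "weight":
            chosen = rng.choices(up, weights=[s.weight for s in up])[0]
        else:  # least-session
            chosen = min(up, key=lambda s: s.sessions)
        chosen.sessions += 1
        if self.affinity:  # pin, or re-pin after the old server went down
            self.affinity_map[client_ip] = chosen.name
        return chosen

def build_group_from_page(group_down_option: str = "block") -> ForwardServerGroup:
    """The three-server weighted group from the CLI example above."""
    return ForwardServerGroup(
        "New-fwd-group",
        [ForwardServer("server_1", "172.20.120.12", 8080, weight=10),
         ForwardServer("server_2", "172.20.120.13", 8000, weight=40),
         ForwardServer("server_3", "172.20.120.14", 8090, weight=10)],
        ldb_method="weight", affinity=True, group_down_option=group_down_option)

def distribute(group: ForwardServerGroup, n_clients: int, seed: int = 1) -> Dict[str, int]:
    """One session from each of n_clients distinct constructed client addresses."""
    rng = random.Random(seed)
    counts = {s.name: 0 for s in group.servers}
    for i in range(n_clients):
        chosen = group.select(f"10.0.{i // 256}.{i % 256}", rng)
        counts[chosen.name] += 1
    return counts
```

Running distribute over a few thousand distinct clients lands roughly two thirds of them on server_2, matching its 40/60 share of the weights.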
Adding proxy chaining to an explicit web proxy policy
You enable proxy chaining for web proxy sessions by adding a web proxy forwarding server or server group to an explicit web proxy policy. In a policy you can select one web proxy forwarding server or server group. All explicit web proxy traffic accepted by this security policy is forwarded to the specified web proxy forwarding server or server group.
To add an explicit web proxy forwarding server – web-based manager:
- Go to Policy & Objects > Proxy Policy and select Create New.
- Configure the policy:
Explicit Proxy Type | Web |
Source Address | Internal_subnet |
Outgoing Interface | wan1 |
Destination Address | all |
Schedule | always |
Action | ACCEPT |
Web Proxy Forwarding Server | Select fwd-srv |
- Select OK to save the security policy.
To add an explicit web proxy forwarding server – CLI:
- Use the following command to add a security policy that allows all users on the 10.31.101.0 subnet to use the explicit web proxy for connections through the wan1 interface to the Internet. The policy forwards web proxy sessions to a remote forwarding server named fwd-srv.
config firewall proxy-policy
    edit 0
        set proxy explicit-web
        set dstintf wan1
        set srcaddr Internal_subnet
        set dstaddr all
        set action accept
        set schedule always
        set webproxy-forward-server fwd-srv
    next
end
Security profiles, threat weight, device identification, and the explicit web proxy
You can apply all security profiles to explicit web proxy sessions. This includes antivirus, web filtering, intrusion protection (IPS), application control, data leak prevention (DLP), and SSL/SSH inspection. Security profiles are applied by selecting them in an explicit web proxy policy or in authentication rules added to web proxy policies.
Traffic accepted by explicit web proxy policies contributes to threat weight data.
The explicit web proxy is not compatible with device identification.
Since the traffic accepted by the explicit web proxy is known to be either HTTP, HTTPS, or FTP over HTTP and since the ports are already known by the proxy, the explicit web proxy does not use all of the SSL/SSH inspection options. The explicit web proxy does support the following proxy options:
- Enable chunked bypass
- HTTP oversized file action and threshold
The explicit web proxy does not support the following proxy options:
- Client comforting
- Server comforting
- Monitor content information from dashboard. URLs visited by explicit web proxy users are not added to dashboard usage and log and archive statistics widgets.
For explicit web proxy sessions, the FortiGate unit applies antivirus scanning to HTTP POST requests and HTTP responses. The FortiGate unit starts virus scanning a file in an HTTP session when it receives a file in the body of an HTTP request. The explicit web proxy can receive HTTP responses from either the originating web server or the FortiGate web cache module.
Explicit web proxy sessions and user limits
Web browsers and web servers open and close multiple sessions with the explicit web proxy. Some sessions open and close very quickly. HTTP 1.1 keepalive sessions are persistent and can remain open for long periods of time. Sessions can remain on the explicit web proxy session list after a user has stopped using the proxy (and has, for example, closed their browser). If an explicit web proxy session is idle for more than 3600 seconds it is torn down by the explicit web proxy. See RFC 2616 for information about HTTP keepalive/persistent HTTP sessions.
This section describes proxy sessions and user limits for both the explicit web proxy and the explicit FTP proxy. Session and user limits for the two proxies are counted and calculated together. However, in most cases if both proxies are active there will be many more web proxy sessions than FTP proxy sessions.
The FortiGate unit adds two sessions to its session table for every explicit proxy session started by a web browser and every FTP session started by an FTP client. An entry is added to the session table for the session from the web browser or client to the explicit proxy. All of these sessions have the same destination port as the explicit web proxy port (usually 8080 for HTTP and 21 for FTP). An entry is also added to the session table for the session between the exiting FortiGate interface and the web or FTP server destination of the session. All of these sessions have a FortiGate interface IP address as the source address of the session and usually have a destination port of 80 for HTTP and 21 for FTP.
Proxy sessions that appear in FortiView do not include the Policy ID of the web-proxy or ftp-proxy security policy that accepted them. However, the explicit proxy sessions include a destination port that matches the explicit proxy port number (usually 8080 for the web proxy and 21 for the FTP proxy). The proxied sessions from the FortiGate unit have their source address set to the IP address of the FortiGate unit interface that the sessions use to connect to their destinations (for example, for connections to the Internet the source address would be the IP address of the FortiGate interface connected to the Internet).
FortiOS limits the number of explicit proxy users. This includes both explicit FTP proxy and explicit web proxy users. The number of users varies by FortiGate model from as low as 10 to up to 18000 for high end models. You cannot raise this limit.
If your FortiGate unit is configured for multiple VDOMs you can go to System > Global Resources to view the maximum number of concurrent explicit proxy users and optionally reduce the limit. You can also use the following command:
config global
    config system resource-limits
        set proxy 50
    end
end
To limit the number of explicit proxy users for a VDOM, from the web-based manager enable multiple VDOMs and go to System > VDOM and edit a VDOM, or use the following command to change the number of explicit web proxy users for VDOM_1:
config global
    config system vdom-property
        edit VDOM_1
            set proxy 25
        next
    end
end
You can use the diagnose wad user list command to view the number of explicit web proxy users. Users may be displayed with this command even if they are no longer actively using the proxy. All idle sessions time out after 3600 seconds.
You can use the command diagnose wad user clear to clear current explicit proxy users. You can also use the command diagnose wad user clear <user-name> to clear individual users. Clearing deletes the information about the affected users and forces them to re-authenticate.
Users that authenticate with explicit web-proxy or ftp-proxy security policies do not appear in the Monitor > Firewall User Monitor list and selecting De-authenticate All Users has no effect on explicit proxy users.
How the number of concurrent explicit proxy users is determined depends on their authentication method:
- For session-based authenticated users, each authenticated user is counted as a single user. Since multiple users can have the same user name, the proxy attempts to identify users according to their authentication membership (based upon whether they were authenticated using RADIUS, LDAP, FSAE, local database etc.). If a user of one session has the same name and membership as a user of another session, the explicit proxy assumes this is one user.
- For IP Based authentication, or no authentication, or if no web-proxy security policy has been added, the source IP address is used to determine a user. All sessions from a single source address are assumed to be from the same user.
The explicit proxy does not limit the number of active sessions for each user. As a result the actual explicit proxy session count is usually much higher than the number of explicit web proxy users. If an excessive number of explicit web proxy sessions is compromising system performance, you can limit the number of users if the FortiGate unit is operating with multiple VDOMs.
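The session-table layout (two entries per proxied session, the client-side entry recognisable by its destination port) and the user-counting rules just described (name plus authentication membership for session-based users, source IP otherwise, and the 3600 second idle timeout) are modelled below. This is an added illustration for this page, not FortiOS code; the record layout and the sample sessions are constructed.

```python
"""Model of explicit proxy session-table entries and concurrent-user counting
as described on this page: every proxied session adds two entries (client to
proxy port, egress interface to server), session-authenticated users are keyed
by user name plus authentication membership, everyone else by source IP, and
sessions idle longer than 3600 seconds are torn down.  Added illustration,
not FortiOS code; the record layout and sample sessions are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IDLE_TIMEOUT = 3600                      # seconds, as stated on this page
PROXY_PORT = {"web": 8080, "ftp": 21}    # explicit proxy listening ports
SERVER_PORT = {"web": 80, "ftp": 21}     # usual destination ports

@dataclass
class ProxySession:
    proxy: str                  # "web" or "ftp"; both count against one limit
    client_ip: str
    proxy_if_ip: str            # FortiGate interface the browser connects to
    egress_if_ip: str           # FortiGate interface facing the destination
    dest_ip: str
    idle: int                   # seconds since the session last carried data
    user: Optional[str] = None  # set only for session-based authentication
    membership: Optional[str] = None  # e.g. "radius", "ldap", "local"

Entry = Tuple[str, str, int]    # (source address, destination address, dport)

def session_table_entries(s: ProxySession) -> List[Entry]:
    """The two entries the FortiGate adds for one proxied session."""
    return [(s.client_ip, s.proxy_if_ip, PROXY_PORT[s.proxy]),
            (s.egress_if_ip, s.dest_ip, SERVER_PORT[s.proxy])]

def is_client_to_proxy(entry: Entry) -> bool:
    """FortiView shows no policy ID for proxy sessions; the client-side leg is
    recognisable by a dport equal to the proxy port.  For FTP both legs use
    21, so the port alone is only decisive for the web proxy."""
    return entry[2] in PROXY_PORT.values()

def user_key(s: ProxySession):
    if s.user is not None:
        return ("auth", s.user, s.membership)  # same name, other backend = other user
    return ("ip", s.client_ip)                  # IP-based or no authentication

def live_sessions(sessions: List[ProxySession]) -> List[ProxySession]:
    return [s for s in sessions if s.idle <= IDLE_TIMEOUT]

def count_explicit_proxy_users(sessions: List[ProxySession]) -> int:
    return len({user_key(s) for s in live_sessions(sessions)})

def within_vdom_limit(sessions: List[ProxySession], limit: int) -> bool:
    """True while the VDOM's proxy user limit (for example 'set proxy 25') holds."""
    return count_explicit_proxy_users(sessions) <= limit

# Constructed sample: 10.31.101.1 faces the clients, 203.0.113.2 faces the Internet.
SAMPLE_SESSIONS = [
    ProxySession("web", "10.31.101.5", "10.31.101.1", "203.0.113.2", "198.51.100.10", 10, "alice", "radius"),
    ProxySession("web", "10.31.101.5", "10.31.101.1", "203.0.113.2", "198.51.100.11", 20, "alice", "radius"),
    ProxySession("web", "10.31.101.6", "10.31.101.1", "203.0.113.2", "198.51.100.10", 5, "alice", "ldap"),
    ProxySession("web", "10.31.101.7", "10.31.101.1", "203.0.113.2", "198.51.100.12", 30),
    ProxySession("ftp", "10.31.101.7", "10.31.101.1", "203.0.113.2", "198.51.100.13", 40),
    ProxySession("web", "10.31.101.9", "10.31.101.1", "203.0.113.2", "198.51.100.10", 5000),
]

if __name__ == "__main__":
    print("explicit proxy users:", count_explicit_proxy_users(SAMPLE_SESSIONS))
```

With the sample above the two "alice" RADIUS sessions collapse into one user, the LDAP "alice" is a second user, the unauthenticated web and FTP sessions from 10.31.101.7 are a third, and the session idle for 5000 seconds is not counted at all.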
Thanks for your article Mike. Is it really useful to enable IPS for web proxy policies? I have only the HTTP antivirus and other profiles enabled, but IPS… Do you think it is useful for web navigation from the users to the Internet?
Thanks!!