Web proxy configuration

General web proxy configuration steps

You can use the following general steps to configure the explicit web proxy.

To enable the explicit web proxy – web-based manager:

  1. Go to Network > Explicit Proxy and enable Explicit Web Proxy. From here you can optionally change the HTTP port that the proxy listens on (the default is 8080) and optionally specify different ports for HTTPS, FTP, PAC, and other options.
  2. Optionally enable IPv6 Explicit Proxy to turn on the explicit web proxy for IPv6 traffic.

If you enable both the IPv4 and the IPv6 explicit web proxy you can combine IPv4 and IPv6 addresses in a single explicit web proxy policy to allow both IPv4 and IPv6 traffic through the proxy.

  3. Select Apply.
  4. Go to Network > Interfaces and select one or more interfaces for which to enable the explicit web proxy. Edit the interface. Under the Miscellaneous heading select Enable Explicit Web Proxy.

Enabling the explicit web proxy on an interface connected to the Internet is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address. If you enable the proxy on such an interface make sure authentication is required to use the proxy.

  5. Go to Policy & Objects > Addresses and select Create New to add a firewall address that matches the source address of packets to be accepted by the explicit proxy.

     Category             Address
     Name                 Internal_subnet
     Type                 IP Range
     Subnet / IP Range    10.31.101.1 – 10.31.101.255
     Interface            any*

     *The Interface must be set to Any.

You can also set the Type to URL Pattern (Explicit Proxy) to add a destination URL that is only used by the explicit proxy. For example, to create an explicit policy that only allows access to Fortinet.com:

     Category       Address
     Name           Fortinet-web-sites
     Type           URL Pattern (Explicit Proxy)
     URL Pattern    fortinet.com
     Interface      any

  6. Go to Policy & Objects > Proxy Policy and select Create New. Configure the policy as required to accept the traffic that you want to be allowed to use the explicit web proxy.
     • Set the Outgoing Interface parameter by selecting the field with the “+” next to the field label. Selecting the field slides out a window from the right where you can select from the available interfaces. You can select one or more specific interfaces. For more information on interfaces, check the Concepts section called Interfaces and Zones.
     • The Source of the policy must match the clients’ source IP addresses. The interface of this firewall address must be set to any.
     • The Destination field should match the addresses of the web sites that clients are connecting to. Usually the destination address is all if proxying Internet web browsing. You can also specify a URL firewall address to limit the policy to allowing access to that URL.
     • Set the Schedule parameter by using the drop down menu to select a preconfigured schedule. The “+” icon next to the Search field is a shortcut for creating a new schedule object. For more information on schedules, check the Firewall Objects section called Firewall schedules.
     • If Default Firewall Policy Action is set to Deny (under Network > Explicit Proxy), traffic sent to the explicit web proxy that is not accepted by a web-proxy policy is dropped. If Default Firewall Policy Action is set to Allow, all web-proxy sessions that do not match a security policy are allowed.

For example, the following security policy allows users on an internal network to access fortinet.com websites through the wan1 interface of a FortiGate unit.

     Explicit Proxy Type    Web
     Source Address         Internal_subnet
     Outgoing Interface     wan1
     Destination Address    Fortinet-web-sites
     Schedule               always
     Action                 ACCEPT

  7. Set the Disclaimer Options.

You can configure a disclaimer for each Authentication Rule by enabling one of the options here. The choices are:

     Disable      No disclaimer (default setting).
     By Domain    The disclaimer is displayed once per domain. The explicit web proxy checks the referring header so that requests for a page’s JavaScript, CSS, images, video and similar embedded resources are not treated as new pages.
     By Policy    The disclaimer is displayed when the HTTP request matches a different explicit firewall policy.
     By User      The disclaimer is displayed when a new user logs on.

If you chose a disclaimer option other than Disable, you will have the option to enable Customize Messages. If enabled, select the Edit Disclaimer Message button to customize the message to your needs. This can be done as text or as HTML. The default HTML version is there if you just want to make minor changes.

  8. Enable Security Profiles as required. Once the profile type is toggled to enabled, you can use the drop down menu to select a specific profile. The available profile types are:
     • AntiVirus
     • WebFilter
     • Application Control
     • IPS
     • DLP Sensor
     • ICAP
     • Web Application Firewall

Just like with a regular policy, as soon as any of the Security Profiles is enabled, the following fields, with their own drop down menus for specific profiles, will appear:

     • Proxy Options
     • SSL/SSH Inspection

  9. Select OK.

To enable the explicit web proxy – CLI:

  1. Enter the following command to turn on the IPv4 and IPv6 explicit web proxy for HTTP and HTTPS traffic.

     config web-proxy explicit
         set status enable
         set ipv6-status enable
     end

You can also enter the following command to enable the web proxy for FTP sessions in a web browser.

     config web-proxy explicit
         set ftp-over-http enable
     end

The default explicit web proxy configuration has sec-default-action set to deny and requires you to add a security policy to allow access to the explicit web proxy.

  2. Enter the following command to enable the explicit web proxy for the internal interface.

     config system interface
         edit internal
             set explicit-web-proxy enable
         next
     end

  3. Use the following command to add a firewall address that matches the source address of users who connect to the explicit web proxy.

     config firewall address
         edit Internal_subnet
             set type iprange
             set start-ip 10.31.101.1
             set end-ip 10.31.101.255
         next
     end

The source address for a web-proxy security policy cannot be assigned to a FortiGate interface.

  4. Optionally use the following command to add a destination URL that is only used by the explicit proxy. For example, to create an explicit policy that only allows access to Fortinet.com:

     config firewall address
         edit Fortinet-web-sites
             set type url
             set url fortinet.com
         next
     end

  5. Use the following command to add an explicit web proxy policy that allows all users on the internal subnet to use the explicit web proxy for connections through the wan1 interface to the Internet.

     config firewall proxy-policy
         edit 0
             set proxy explicit-web
             set dstintf wan1
             set srcaddr Internal_subnet
             set dstaddr all
             set action accept
             set service webproxy
             set schedule always
         next
     end

  6. Use the following command to add an explicit web proxy policy that allows authenticated users on the internal subnet to use the explicit web proxy for connections through the wan1 interface to the Internet.

     config firewall proxy-policy
         edit 0
             set proxy explicit-web
             set dstintf wan1
             set srcaddr Internal_subnet
             set dstaddr Fortinet-web-sites
             set action accept
             set service webproxy
             set schedule always
             set groups <User group>
         next
     end

  7. Use the following command to change global web proxy settings, for example to set the maximum request length for the explicit web proxy to 10:

     config web-proxy global
         set max-request-length 10
     end

  8. Determine whether or not to use the Botnet feature.

The option scan-botnet-connections uses the following syntax:

     config firewall proxy-policy
         edit <policy id>
             set scan-botnet-connections [disable|block|monitor]
     end

Where:

     • disable means do not scan connections to botnet servers
     • block means block connections to botnet servers
     • monitor means log connections to botnet servers

Logging options in web proxy profiles

There is an option on what action to take regarding the authenticated user’s name in the header information for reading by upstream proxies and systems. This option can be used when a FortiGate is operating as an explicit proxy and authenticating users. The header is the x-authenticated-user and is used by the upstream proxy to ensure correct policy enforcement and to log the user’s activity.

The log-header-change option enables the logging of any header changes in the web-proxy profile, including changes to authenticated users or groups.

Syntax

     config web-proxy profile
         edit <profile ID#>
             set header-x-authenticated-user {pass|add|remove}
             set header-x-authenticated-groups {pass|add|remove}
             set log-header-change {enable|disable}
     end

     Option                          Description
     header-x-authenticated-user     Action to take on the HTTP x-authenticated-user header in forwarded requests:
                                     • pass – Forward the same HTTP header
                                     • add – Add the HTTP header
                                     • remove – Remove the HTTP header
     header-x-authenticated-groups   Action to take on the HTTP x-authenticated-groups header in forwarded requests:
                                     • pass – Forward the same HTTP header
                                     • add – Add the HTTP header
                                     • remove – Remove the HTTP header
     log-header-change               Enable or disable the logging of HTTP header changes.
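The following is an added example, not FortiOS code: a simplified model of the three header actions described above and of the record that log-header-change would produce. The profile objects, the sample client headers and the identity the proxy is assumed to have established are all constructed for the example.

```javascript
// Added example, not FortiOS code: a simplified model of the pass | add |
// remove actions on the x-authenticated-user and x-authenticated-groups
// headers, plus the change record log-header-change would produce.

// Lower-case every header name: HTTP header names are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Apply pass | add | remove to one header. `authValue` is the value the
// proxy itself established when it authenticated the user.
function applyHeaderAction(headers, name, action, authValue) {
  const key = name.toLowerCase();
  const out = normalizeHeaders(headers);
  const before = out[key];
  switch (action) {
    case "pass":
      break;                 // forward whatever the client sent, unchanged
    case "add":
      out[key] = authValue;  // set from the proxy's own authentication result
      break;
    case "remove":
      delete out[key];       // strip the header before it goes upstream
      break;
    default:
      throw new Error(`unknown header action: ${action}`);
  }
  const after = out[key];
  const change = before === after
    ? null
    : { header: key, before: before ?? null, after: after ?? null };
  return { headers: out, change };
}

// Run a request's headers through a profile. Returns the headers to send
// upstream and the header-change log lines (only when logging is enabled).
function forwardWithProfile(headers, profile, identity) {
  const steps = [
    ["x-authenticated-user", profile.headerXAuthenticatedUser, identity.user],
    ["x-authenticated-groups", profile.headerXAuthenticatedGroups, identity.groups.join(",")],
  ];
  const log = [];
  let current = headers;
  for (const [name, action, value] of steps) {
    const r = applyHeaderAction(current, name, action, value);
    current = r.headers;
    if (r.change && profile.logHeaderChange) {
      log.push(`header-change ${r.change.header}: ${JSON.stringify(r.change.before)} -> ${JSON.stringify(r.change.after)}`);
    }
  }
  return { headers: current, log };
}

// Constructed sample input: a client request that already carries an
// x-authenticated-user header of its own, and the identity the proxy
// established for that client.
const sampleHeaders = {
  Host: "www.example.com",
  "X-Authenticated-User": "client-supplied",
};
const sampleIdentity = { user: "alice", groups: ["staff", "vpn"] };

const profileAdd = { headerXAuthenticatedUser: "add", headerXAuthenticatedGroups: "add", logHeaderChange: true };
const profileRemove = { headerXAuthenticatedUser: "remove", headerXAuthenticatedGroups: "remove", logHeaderChange: true };
const profilePass = { headerXAuthenticatedUser: "pass", headerXAuthenticatedGroups: "pass", logHeaderChange: true };

for (const [label, p] of [["add", profileAdd], ["remove", profileRemove], ["pass", profilePass]]) {
  const r = forwardWithProfile(sampleHeaders, p, sampleIdentity);
  console.log(label, r.headers, r.log);
}
```

Running it shows the difference that matters to an upstream proxy relying on this header: with add, the forwarded value is the one the FortiGate established (alice), with remove nothing about the user leaves, and with pass the header goes upstream exactly as the client sent it, which is why the table above offers add when the upstream system is the one enforcing policy on the user name.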

Policy matching based on referrer headers and query strings

Web proxy policies support creating web proxy addresses to match referrer headers and query strings.

Matching referrer headers

For example, to create a web proxy address that matches the referrer header in order to block access to the YouTube URL http://youtube.com/user/test321, start from the HTTP request, which has the following format:

     GET /user/test321 HTTP/1.1
     Host: www.youtube.com
     User-Agent: curl/7.52.1
     Accept: */*

Create the following web proxy addresses to match this page:

     config firewall proxy-address
         edit youtube
             set type host-regex
             set host-regex ".*youtube.com"
         next
         edit test321
             set host "youtube"
             set path "/user/test321"
             set referrer enable
         next
     end

Then create two proxy policies, one that allows access to all traffic and a second one that blocks access to the page that matches the referrer header:

     config firewall proxy-policy
         edit 1
             set uuid 92273e4e-8c53-51e7-a7bd-f26e6e15fc98
             set proxy explicit-web
             set dstintf "wan2"
             set srcaddr "all"
             set dstaddr "all"
             set service "webproxy-connect"
             set action accept
             set schedule "always"
             set utm-status enable
             set profile-protocol-options "test"
             set ssl-ssh-profile "test"
         next
         edit 2
             set uuid d35ad06a-8c53-51e7-8511-17200f682a4a
             set proxy explicit-web
             set dstintf "wan2"
             set srcaddr "all"
             set dstaddr "test321"
             set service "webproxy"
             set action accept
             set schedule "always"
             set utm-status enable
             set av-profile "default"
             set profile-protocol-options "test"
             set ssl-ssh-profile "test"
         next
     end

Matching query strings

To match the video with URL youtube.com/watch?v=XXXXXXXXX, (where XXXXXXXXX is an example YouTube query string) you need to match an HTTP request with the following format:

     GET /watch?v=GLCHldlwQsg HTTP/1.1
     Host: www.youtube.com
     User-Agent: curl/7.52.1
     Accept: */*

Create the following web proxy addresses to match this video or query string:

     config firewall proxy-address
         edit "youtube"
             set uuid 4ad63880-971e-51e7-7b2e-c69423ac6314
             set type host-regex
             set host-regex ".*youtube.com"
         next
         edit "query-string"
             set uuid 7687a8c0-9727-51e7-5063-05edda03abbf
             set host "youtube"
             set path "/watch"
             set query "v=XXXXXXXXX"
         next
     end

Then create two proxy policies, one that allows access to all traffic and a second one that blocks access to the page that matches the query string:

     config firewall proxy-policy
         edit 1
             set uuid 92273e4e-8c53-51e7-a7bd-f26e6e15fc98
             set proxy explicit-web
             set dstintf "wan2"
             set srcaddr "all"
             set dstaddr "all"
             set service "webproxy-connect"
             set action accept
             set schedule "always"
             set utm-status enable
             set profile-protocol-options "test"
             set ssl-ssh-profile "test"
         next
         edit 2
             set uuid d35ad06a-8c53-51e7-8511-17200f682a4a
             set proxy explicit-web
             set dstintf "wan2"
             set srcaddr "all"
             set dstaddr "query-string"
             set service "webproxy"
             set action accept
             set schedule "always"
             set utm-status enable
             set av-profile "default"
             set profile-protocol-options "test"
             set ssl-ssh-profile "test"
         next
     end
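The following is an added example, not FortiOS code, serving both the referrer-header and the query-string sections above: it parses raw HTTP requests, evaluates the page's three proxy addresses (youtube, test321 and query-string) against them, and runs a first-match policy lookup. Two things are this model's assumptions rather than documented FortiOS behaviour: "set referrer enable" is read as applying the host/path test to the URL in the Referer header instead of the request URL, and the webproxy-connect service is modelled as matching only CONNECT requests while webproxy matches the rest. The sample requests, including the Referer line, are constructed.

```javascript
// Added example, not FortiOS code: a simplified model of proxy-address
// matching (host-regex, host+path, query, referrer) and first-match
// proxy-policy lookup over parsed HTTP requests.

// Parse a raw HTTP/1.1 request (request line plus headers).
function parseRequest(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.trim().length > 0);
  const [method, target, version] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i === -1) continue;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  const q = target.indexOf("?");
  return {
    method,
    version,
    host: headers.host || "",
    path: q === -1 ? target : target.slice(0, q),
    query: q === -1 ? "" : target.slice(q + 1),
    headers,
  };
}

// Split an absolute URL (as found in a Referer header) into host, path, query.
function splitUrl(url) {
  const m = /^https?:\/\/([^/?#]+)([^?#]*)(?:\?([^#]*))?/.exec(url);
  return m ? { host: m[1], path: m[2] || "/", query: m[3] || "" } : null;
}

// Proxy-address objects mirroring the page's configuration.
const addresses = {
  all: { type: "any" },
  youtube: { type: "host-regex", hostRegex: /.*youtube\.com/ },
  test321: { type: "host", host: "youtube", path: "/user/test321", referrer: true },
  "query-string": { type: "host", host: "youtube", path: "/watch", query: "v=XXXXXXXXX" },
};

function addressMatches(name, req) {
  const a = addresses[name];
  if (a.type === "any") return true;
  if (a.type === "host-regex") return a.hostRegex.test(req.host);
  // Host-type address: pick the URL to test (model assumption: referrer
  // enabled means the Referer URL), then check the host object it references.
  let target = { host: req.host, path: req.path, query: req.query };
  if (a.referrer) {
    target = req.headers.referer ? splitUrl(req.headers.referer) : null;
    if (!target) return false;            // no usable Referer: cannot match
  }
  if (!addresses[a.host].hostRegex.test(target.host)) return false;
  if (a.path && target.path !== a.path) return false;
  if (a.query && target.query !== a.query) return false;
  return true;
}

// The page's two policy pairs merged into one ordered list. Policy 1 only
// sees CONNECT tunnels (model assumption for webproxy-connect), so the
// HTTP-request policies behind it still get a turn.
const policies = [
  { id: 1, dstaddr: "all", service: "webproxy-connect" },
  { id: 2, dstaddr: "test321", service: "webproxy" },
  { id: 3, dstaddr: "query-string", service: "webproxy" },
];

function serviceMatches(service, req) {
  return service === "webproxy-connect" ? req.method === "CONNECT" : req.method !== "CONNECT";
}

// Returns the id of the first matching policy, or null (the default action applies).
function matchPolicy(req) {
  for (const p of policies) {
    if (serviceMatches(p.service, req) && addressMatches(p.dstaddr, req)) return p.id;
  }
  return null;
}

// Constructed sample requests (the Referer line is added for the example).
const SAMPLE_ASSET = "GET /s/player.js HTTP/1.1\nHost: www.youtube.com\nReferer: http://www.youtube.com/user/test321\nUser-Agent: curl/7.52.1\nAccept: */*\n";
const SAMPLE_VIDEO = "GET /watch?v=XXXXXXXXX HTTP/1.1\nHost: www.youtube.com\nUser-Agent: curl/7.52.1\nAccept: */*\n";
const SAMPLE_CONNECT = "CONNECT www.youtube.com:443 HTTP/1.1\nHost: www.youtube.com:443\n";
const SAMPLE_OTHER = "GET /watch?v=other HTTP/1.1\nHost: www.youtube.com\n";

for (const raw of [SAMPLE_ASSET, SAMPLE_VIDEO, SAMPLE_CONNECT, SAMPLE_OTHER]) {
  console.log(raw.split("\n")[0], "->", matchPolicy(parseRequest(raw)));
}
```

The request for /s/player.js matches test321 only because its Referer points at /user/test321; the bare /watch?v=XXXXXXXXX request matches query-string; a CONNECT tunnel is taken by policy 1; and a request for a different video id matches nothing, so the explicit proxy's default action decides. Note that the exact-match query comparison means a request with the same parameters in a different order would not match; a production check would parse the query into key/value pairs.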

Multiple web proxy PAC files in one VDOM

Proxy auto-config (PAC) files automatically choose the appropriate proxy server for browsers and other user agents. Not every user in an organization has the same proxy server requirements. Supporting multiple PAC files provides granular control. To manage multiple PAC files, you use PAC policies.

This capability is available only when the FortiGate is in Proxy-based inspection mode.

If there is no matching PAC policy (by name), in the PAC policies, the global PAC file is used by default.

To enable Proxy mode:

GUI

  1. Go to System > Settings.
  2. In System Operation Settings, set the Inspection Mode to Proxy.

CLI

     config system settings
         set inspection-mode proxy
     end

To configure a PAC policy

     config web-proxy explicit
         set status enable
         set pac-file-server-status enable
         config pac-policy
             edit <policy ID#>
                 set srcaddr <name of IPv4 address object>
                 set srcaddr6 <name of IPv6 address object>
                 set dstaddr <name of address object>
                 set pac-file-name <string>
                 set pac-file-data "<PAC-file>"
             next
         end
     end

     Option                 Description
     srcaddr or srcaddr6    This address must conform to the following criteria:
                            • a range, mask or wildcard mask type of address or address group
                            • source type proxy-address or group
                            It can be either IPv4 or IPv6.
     dstaddr                This address must conform to the following criteria:
                            • a range, mask or wildcard type of address or address group
                            • it must resolve to the FortiGate address
     pac-file-name          Name of the PAC file.
     pac-file-data          Enter the contents of the PAC file enclosed in quotes. It is permissible to use the Return key when entering the contents. Place the closing quote at the end of the last line. If quotes are used within the content of the file, use the escape character \ before the quote. Example: \"

The pac-file-server-status setting must be set to enable in order for the config pac-policy command to work.
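The following is an added example, not from the page or from FortiOS: a PAC file of the kind that would be pasted into pac-file-data, with stand-ins for the helper functions a browser's PAC engine normally supplies so the file can be exercised under Node, and a helper that applies the quoting rule from the table above. The proxy host fortigate.example.com is a placeholder for the FortiGate interface on which the explicit proxy is enabled (8080 is the proxy's default HTTP port), and .corp.example is a constructed internal domain.

```javascript
// Added example, not FortiOS code: a PAC file for the explicit web proxy,
// stand-ins for the PAC built-ins (browsers provide the real ones), and a
// helper that quotes the file for pac-file-data.

// ---- stand-ins for PAC built-ins ----
function isPlainHostName(host) { return !host.includes("."); }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function shExpMatch(str, pattern) {
  // Shell-style glob: * matches any run of characters, ? matches one.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(str);
}

// ---- the PAC file body ----
function FindProxyForURL(url, host) {
  // Unqualified names and the internal domain (constructed) never leave the network.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // HTTP, HTTPS and FTP go through the FortiGate explicit web proxy
  // (placeholder host name; 8080 is the default explicit proxy port).
  // No "; DIRECT" fallback: if the proxy is unreachable the browser fails
  // closed instead of silently bypassing inspection.
  if (shExpMatch(url, "http:*") || shExpMatch(url, "https:*") || shExpMatch(url, "ftp:*")) {
    return "PROXY fortigate.example.com:8080";
  }
  return "DIRECT";
}

// ---- preparing the file for pac-file-data ----
// The table above requires the PAC text to be enclosed in quotes with any
// quote inside it escaped as \". This helper does exactly that and nothing more.
function toPacFileData(pacSource) {
  return '"' + pacSource.replace(/"/g, '\\"') + '"';
}

// The PAC text as it would be pasted into pac-file-data.
const PAC_SOURCE = FindProxyForURL.toString();

console.log(toPacFileData(PAC_SOURCE));
```

Because the FortiGate selects a PAC policy by source address, a second PAC file for another group of users (for example one that sends only a short allow-list through the proxy) is just another pac-policy entry with a different srcaddr and its own pac-file-data; users whose address matches no PAC policy receive the global PAC file.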

 

This entry was posted in Administration Guides, FortiGate, FortiOS 6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
