Proxy policy addresses

Proxy addresses are designed to be used only by proxy policies.

Fast policy match

The fast policy match function improves the performance of IPv4 explicit and transparent web proxies on FortiGate devices.

When enabled, after the proxy policies are configured, the FortiGate builds a fast searching table based on the different proxy policy matching criteria. When fast policy matching is disabled, web proxy traffic is compared to the policies one at a time from the beginning of the policy list.

Fast policy matching is enabled by default, and can be configured with the following CLI command:

    config web-proxy global
        set fast-policy-match {enable | disable}
    end

Host regex match

In this address type, a user can create a hostname as a regular expression. Once created, the hostname address can be selected on the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the regular expression.

This example creates a host regex match address with the pattern qa.[a-z]*.com.

To create a host regex match address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to Host Regex,
    • Type to Host Regex Match, and
    • Host Regex Pattern to qa.[a-z]*.com.
  4. Click OK.

To create a host regex match address in the CLI:

    config firewall proxy-address
        edit "Host Regex"
            set uuid 8e374390-57c9-51e9-9353-ee4469629df8
            set type host-regex
            set host-regex "qa.[a-z]*.com"
        next
    end

URL pattern

In this address type, a user can create a URL path as a regular expression. Once created, the path address can be selected in the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the regular expression.

This example creates a URL pattern address with the pattern /filetypes/.

To create a URL pattern address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to URL Regex,
    • Type to URL Pattern,
    • Host to all, and
    • URL Path Regex to /filetypes/.
  4. Click OK.

To create a URL pattern address in the CLI:

    config firewall proxy-address
        edit "URL Regex"
            set uuid 267dc8e4-57cb-51e9-0cfe-27877bff51d3
            set type url
            set host "all"
            set path "/filetypes/"
        next
    end

URL category

In this address type, a user can create a URL category based on a FortiGuard URL ID. Once created, the address can be selected in the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the URL category.

The example creates a URL category address for URLs in the Education category. For more information about categories, see https://fortiguard.com/webfilter/categories.

To create a URL category address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to url-category,
    • Type to URL Category,
    • Host to all, and
    • URL Category to Education.
  4. Click OK.

To create a URL category address in the CLI:

    config firewall proxy-address
        edit "url-category"
            set uuid 7a5465d2-57cf-51e9-49fd-0c6b5ad2ff4f
            set type category
            set host "all"
            set category 30
        next
    end

To see a list of all the categories and their numbers, when editing the address, enter set category ?.

HTTP method

In this address type, a user can create an address based on the HTTP request methods that are used. Multiple method options are supported, including: CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, and TRACE. Once created, the address can be selected in the source tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the selected HTTP method.

This example creates an HTTP method address that uses the GET method.

To create an HTTP method address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to method_get,
    • Type to HTTP Method,
    • Host to all, and
    • Request Method to GET.
  4. Click OK.

To create an HTTP method address in the CLI:

    config firewall proxy-address
        edit "method_get"
            set uuid 1e4d1a02-57d6-51e9-a5c4-73387925b7de
            set type method
            set host "all"
            set method get
        next
    end

HTTP header

In this address type, a user can create an HTTP header match as a regular expression. Once created, the header address can be selected in the source tab of an explicit proxy policy. This means that a policy will only allow or block requests where the named HTTP header's value matches the regular expression.

This example creates an HTTP header address with the pattern Q[A-B].

To create an HTTP header address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to HTTP-header,
    • Type to HTTP Header,
    • Host to all,
    • HeaderName to Header_Test, and
    • HeaderRegex to Q[A-B].
  4. Click OK.

To create an HTTP header address in the CLI:

    config firewall proxy-address
        edit "HTTP-header"
            set uuid a0f1b806-57e9-51e9-b214-7a1cfafa9bb3
            set type header
            set host "all"
            set header-name "Header_Test"
            set header "Q[A-B]"
        next
    end

User agent

In this address type, a user can create an address based on the names of the browsers that are used as user agents. Multiple browsers are supported, such as Chrome, Firefox, Internet Explorer, and others. Once created, the address can be selected in the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests from the specified user agent.

This example creates a user agent address for Google Chrome.

To create a user agent address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to UA-Chrome,
    • Type to UserAgent,
    • Host to all, and
    • UserAgent to Google Chrome.
  4. Click OK.

To create a user agent address in the CLI:

    config firewall proxy-address
        edit "UA-Chrome"
            set uuid e3550196-57d8-51e9-eed0-115095a7920b
            set type ua
            set host "all"
            set ua chrome
        next
    end

Advanced (source)

In this address type, a user can create an address based on multiple parameters, including HTTP method, User Agent, and HTTP header. Once created, the address can be selected in the source tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the selected address.

This example creates an address that matches the GET method, the Google Chrome user agent, and an HTTP header with the pattern Q[A-B]; all three criteria must match for the address to match.

To create an advanced (source) address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to advanced_src,
    • Type to Advanced (Source),
    • Host to all,
    • Request Method to GET,
    • UserAgent to Google Chrome, and
    • HTTP header to Header_Test : Q[A-B].
  4. Click OK.

To create an advanced (source) address in the CLI:

    config firewall proxy-address
        edit "advanced_src"
            set uuid fb9991d0-57e3-51e9-9fed-855e0bca16c3
            set type src-advanced
            set host "all"
            set method get
            set ua chrome
            config header-group
                edit 1
                    set header-name "Header_Test"
                    set header "Q[A-B]"
                next
            end
        next
    end
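As an added example that is not from this page or from Fortinet, the following Python models how the host regex, URL pattern, HTTP method, HTTP header, user agent and advanced (source) address types above decide whether a request matches, and shows why the unanchored pattern qa.[a-z]*.com also accepts hosts such as qa.example.com.test while an anchored form does not. The request structure, unanchored re.search semantics for regex fields and substring matching for the user agent are assumptions made for illustration, not documented FortiOS behaviour.

```python
import re
from dataclasses import dataclass, field

# Constructed request shape (assumption: not how FortiOS represents requests).
@dataclass
class Request:
    method: str
    host: str
    path: str
    user_agent: str = ""
    headers: dict = field(default_factory=dict)

# Each factory returns a predicate for one proxy-address type on the page.
# Assumption: regex fields use unanchored search, like re.search below.
def host_regex(pattern):
    return lambda r: re.search(pattern, r.host) is not None

def url_pattern(pattern):
    return lambda r: re.search(pattern, r.path) is not None

def http_method(method):
    return lambda r: r.method.upper() == method.upper()

def http_header(name, pattern):
    # Header names compared case-insensitively; the value is matched by regex.
    def value(r):
        return next((v for k, v in r.headers.items() if k.lower() == name.lower()), "")
    return lambda r: re.search(pattern, value(r)) is not None

def user_agent(ua):
    # Assumption: 'set ua chrome' behaves like a substring test on the UA string.
    return lambda r: ua.lower() in r.user_agent.lower()

def src_advanced(*criteria):
    # Advanced (source): every configured criterion must match the request.
    return lambda r: all(c(r) for c in criteria)

# The page's advanced_src example: GET + Chrome + Header_Test matching Q[A-B].
ADVANCED_SRC = src_advanced(http_method("get"), user_agent("chrome"),
                            http_header("Header_Test", "Q[A-B]"))

# The page's host pattern as written, beside an anchored form that accepts
# exactly one label between "qa." and ".com" (a hardening, not page text).
LOOSE_HOST = host_regex("qa.[a-z]*.com")
STRICT_HOST = host_regex(r"^qa\.[a-z]+\.com$")

def evaluate(address, request):
    """Return True when the proxy address predicate matches the request."""
    return address(request)
```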

Advanced (destination)

In this address type, a user can create an address based on URL pattern and URL category parameters. Once created, the address can be selected in the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the selected address.

This example creates an address that matches URLs with the path pattern /about that are in the Education category. For more information about categories, see https://fortiguard.com/webfilter/categories.

To create an advanced (destination) address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to Advanced-dst,
    • Type to Advanced (Destination),
    • Host to all,
    • URL Path Regex to /about, and
    • URL Category to Education.
  4. Click OK.

To create an advanced (destination) address in the CLI:

    config firewall proxy-address
        edit "Advanced-dst"
            set uuid d9c2a0d6-57e5-51e9-8c92-6aa8b3372198
            set type dst-advanced
            set host "ubc"
            set path "/about"
            set category 30
        next
    end

This entry was posted in Administration Guides, FortiGate, Fortinet Cookbook, FortiOS, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
