Security profiles, threat weight, device identification, and the explicit FTP proxy

Leave a reply

Security profiles, threat weight, device identification, and the explicit FTP proxy

You can apply antivirus, data leak prevention (DLP), and SSL/SSH inspection to explicit FTP proxy sessions. Security profiles are applied by selecting them in an explicit FTP proxy policy or an authentication rule in an FTP proxy security policy.

Traffic accepted by explicit FTP proxy policies contributes to threat weight data. The explicit FTP proxy is not compatible with device identification.

Explicit FTP proxy options and SSL/SSH inspection

Since the traffic accepted by the explicit FTP proxy is known to be FTP and since the ports are already known by the proxy, the explicit FTP proxy does not use the FTP port proxy options settings.

When adding UTM features to an FTP proxy security policy, you must select a proxy options profile. In most cases you can select the default proxy options profile. You could also create a custom proxy options profile.

The explicit FTP proxy supports the following proxy options:

  • Block Oversized File and oversized file limit

 

The explicit FTP proxy does not support the following protocol options:

  • Client comforting

 

Explicit FTP proxy sessions and antivirus

For explicit FTP proxy sessions, the FortiGate unit applies antivirus scanning to FTP file GET and PUT requests. The FortiGate unit starts virus scanning a file in an FTP session when it receives a file in the body of an FTP request.

Flow-based virus scanning is not available for explicit FTP proxy sessions. Even if the FortiGate unit is configured to use flow-based antivirus, explicit FTP proxy sessions use the regular virus database.

Restricting the outgoing source IP address of the explicit FTP proxy

Leave a reply

Restricting the outgoing source IP address of the explicit FTP proxy

You can use the following command to restrict the source address of outgoing FTP proxy packets to a single IP address. The IP address that you specify must be the IP address of an interface that the explicit FTP proxy is enabled on. You might want to use this option if the explicit FTP proxy is enabled on an interface with multiple IP addresses.

 

For example, to restrict the outgoing packet source address to 172.20.120.100:

config ftp-proxy explicit

set outgoing-ip 172.20.120.100 end

Restricting the IP address of the explicit FTP proxy

Leave a reply

Restricting the IP address of the explicit FTP proxy

You can use the following command to restrict access to the explicit FTP proxy using only one IP address. The IP address that you specify must be the IP address of an interface that the explicit FTP proxy is enabled on. You might want to use this option if the explicit FTP proxy is enabled on an interface with multiple IP addresses.

For example, to require uses to connect to the IP address 10.31.101.100 to connect to the explicit FTP proxy:

config ftp-proxy explicit

set incoming-ip 10.31.101.100

end

How to use the explicit FTP proxy to connect to an FTP server

Leave a reply

How to use the explicit FTP proxy to connect to an FTP server

To connect to an FTP server using the explicit FTP proxy, users must run an FTP client and connect to the IP address of a FortiGate interface on which the explicit FTP proxy is enabled. This connection attempt must use the configured explicit FTP proxy port number (default 21).

The explicit FTP proxy is not compatible with using a web browser as an FTP client. To use web browsers as FTP clients configure the explicit web proxy to accept FTP sessions.

The following steps occur when a user starts an FTP client to connect to an FTP server using the explicit FTP proxy. Any RFC-compliant FTP client can be used. This example describes using a command-line FTP client. Some FTP clients may require a custom FTP proxy connection script.

1. The user enters a command on the FTP client to connect to the explicit FTP proxy.

 

For example, if the IP address of the FortiGate interface on which the explicit FTP proxy is enabled is 10.31.101.100, enter:

ftp 10.31.101.100

2. The explicit FTP proxy responds with a welcome message and requests the user’s FTP proxy user name and password and a username and address of the FTP server to connect to:

Connected to 10.31.101.100.

220 Welcome to Fortigate FTP proxy

Name (10.31.101.100:user):

You can change the message by editing the FTP Explicit Banner Message replacement message.

3. At the prompt the user enters their FTP proxy username and password and a username and address for the FTP server. The FTP server address can be a domain name or numeric IP address. This information is entered using the following syntax:

<proxy-user>:<proxy-password>:<server-user>@<server-address>

For example, if the proxy username and password are p-name and p-pass and a valid username for the FTP server is s-name and the server’s IP address is ftp.example.com the syntax would be:

p-name:p-pass:s-name@ftp.example.com

If the FTP proxy accepts anonymous logins p-name and p-pass can be any char- acters.

4. The FTP proxy forwards the connection request, including the user name, to the FTP server.

5. If the user name is valid for the FTP server it responds with a password request prompt.

6. The FTP proxy relays the password request to the FTP client.

7. The user enters the FTP server password and the client sends the password to the FTP proxy.

8. The FTP proxy relays the password to the FTP server.

9. The FTP server sends a login successful message to the FTP proxy.

10. The FTP proxy relays the login successful message to the FTP client.

11. The FTP client starts the FTP session.

 

All commands entered by the client are relayed by the proxy to the server. Replies from the server are relayed back to the FTP client.

 

Explicit FTP proxy session

From a simple command line FTP client connecting to an the previous sequence could appear as follows:

ftp 10.31.101.100 21

Connected to 10.31.101.100.

220 Welcome to Fortigate FTP proxy

Name (10.31.101.100:user): p-name:p-pass:s-name@ftp.example.com

331 Please specify the password. Password: s-pass

230 Login successful. Remote system type is UNIX

Using binary mode to transfer files. ftp>

 

General explicit FTP proxy configuration steps

You can use the following general steps to configure the explicit FTP proxy.

 

To enable the explicit FTP proxy – web-based manager:

1. Go to Network > Explicit Proxy > Explicit FTP Proxy Options. Select Enable Explicit FTP Proxy to turn on the explicit FTP proxy.

2. Select Apply.

 

The Default Firewall Policy Action is set to Deny and requires you to add a explicit FTP proxy policy to allow access to the explicit FTP proxy. This configuration is recommended and is a best practice because you can use policies to control access to the explicit FTP proxy and also apply security features and authentication.

3. Go to Network > Interfaces and select one or more interfaces for which to enable the explicit web proxy. Edit the interface and select Enable Explicit FTP Proxy.

Enabling the explicit FTP proxy on an interface connected to the Internet is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address. If you enable the proxy on such an interface make sure authentication is required to use the proxy.

 

4. Go to Policy & Objects > Explicit Proxy Policy and select Create New and set the Explicit Proxy Type to FTP.

 

You can add multiple explicit FTP proxy policies.

5. Configure the policy as required to accept the traffic that you want to be processed by the explicit FTP proxy.

 

The source address of the policy should match client source IP addresses. The firewall address selected as the source address cannot be assigned to a FortiGate interface. The Interface field of the firewall address must be blank or it must be set to Any.

The destination address of the policy should match the IP addresses of FTP servers that clients are connecting to. The destination address could be all to allow connections to any FTP server.

If Default Firewall Policy Action is set to Deny, traffic sent to the explicit FTP proxy that is not accepted by an explicit FTP proxy policy is dropped. If Default Firewall Policy Action is set to Allow then all FTP proxy sessions that don’t match a policy are allowed.

For example the following explicit FTP proxy policy allows users on an internal network to access FTP servers on the Internet through the wan1 interface of a FortiGate unit.

 

Explicit Proxy Type                  FTP

Source Address                        Internal_subnet

Outgoing Interface                   wan1

Destination Address                 all

Schedule                                    always

Action                                         ACCEPT

 

The following explicit FTP proxy policy requires users on an internal network to authenticate with the FortiGate unit before accessing FTP servers on the Internet through the wan1 interface.

 

Explicit Proxy Type                  FTP

Source Address                        Internal_subnet

Outgoing Interface                   wan1

Destination Address                 all

Action                                         AUTHENTICATE

 

6. Select Create New to add an Authentication Rule and configure the rule as follows:

Groups                                       Proxy-Group

Source Users                             (optional)

Schedule                                    always

 

7. Add security profiles as required and select OK.

8. You can add multiple authentication rules to apply different authentication for different user groups and users and also apply different security profiles and logging settings for different users.

9. Select OK.

 

To enable the explicit FTP proxy – CLI:

1. Enter the following command to turn on the explicit FTP proxy. This command also changes the explicit FTP proxy port to 2121.

config ftp-proxy explicit set status enable

set incoming-port 2121 end

The default explicit FTP proxy configuration has sec-default-action set to deny and requires you to add a security policy to allow access to the explicit FTP proxy.

 

2. Enter the following command to enable the explicit FTP proxy for the internal interface.

 

config system interface edit internal

set explicit-ftp-proxy enable end

end

 

3. Use the following command to add a firewall address that matches the source address of users who connect to the explicit FTP proxy.

config firewall address edit Internal_subnet

set type iprange

set start-ip 10.31.101.1 set end-ip 10.31.101.255

end

The source address for a ftp-proxy security policy cannot be assigned to a FortiGate unit interface.

 

4. Use the following command to add an explicit FTP proxy policy that allows all users on the internal subnet to use the explicit FTP proxy for connections through the wan1 interface to the Internet.

config firewall explicit-proxy-policy edit 0

set proxy ftp

set dstintf wan1

set scraddr Internal_subnet set dstaddr all

set action accept set schedule always

end

 

5. Use the following command to add an explicit FTP proxy policy that allows authenticated users on the internal subnet to use the explicit FTP proxy for connections through the wan1 interface to the Internet.

config firewall explicit-proxy-policy edit 0

set proxy ftp

set dstintf wan1

set scraddr Internal_subnet

set dstaddr Fortinet-web-sites set action accept

set schedule always

set identity-based enable config identity-based-policy

edit 1

set groups Proxy-group set schedule always

end

end

The FortiGate explicit FTP proxy

Leave a reply

The FortiGate explicit FTP proxy

You can use the FortiGate explicit FTP proxy to enable explicit FTP proxying on one or more FortiGate interfaces. The explicit web and FTP proxies can be operating at the same time on the same or on different FortiGate interfaces.

Explicit FTP proxies are configured for each VDOM when multiple VDOMs are enabled.

In most cases you would configure the explicit FTP proxy for users on a network by enabling the explicit FTP proxy on the FortiGate interface connected to that network. Users on the network would connect to and authenticate with the explicit FTP proxy before connecting to an FTP server. In this case the IP address of the explicit FTP proxy is the IP address of the FortiGate interface on which the explicit FTP proxy is enabled.

Enabling the explicit FTP proxy on an interface connected to the Internet is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address.

If the FortiGate unit is operating in Transparent mode, users would configure their browsers to use a proxy server with the FortiGate unit management IP address.

The FTP proxy receives FTP sessions to be proxied at FortiGate interfaces with the explicit FTP proxy enabled. The FTP proxy uses FortiGate routing to route sessions through the FortiGate unit to a destination interface. Before a session leaves the exiting interface, the explicit FTP proxy changes the source addresses of the session packets to the IP address of the exiting interface. When the FortiGate unit is operating in Transparent mode the explicit web proxy changes the source addresses to the management IP address.

 

Example explicit FTP proxy topology

To allow anyone to anonymously log into explicit FTP proxy and connect to any FTP server you can set the explicit FTP proxy default firewall proxy action to accept. When you do this, users can log into the explicit FTP proxy with any username and password.

In most cases you would want to use explicit proxy policies to control explicit FTP proxy traffic and apply security features, access control/authentication, and logging. You can do this by keeping the default explicit FTP proxy firewall policy action to deny and then adding explicit FTP proxy policies. In most cases you would also want users to authenticate with the explicit FTP proxy. By default an anonymous FTP login is required. Usually you would add authentication to explicit FTP proxy policies. Users can then authenticate with the explicit FTP proxy according to users or user groups added to the policies. User groups added to explicit FTP proxy policies can use any authentication method supported by FortiOS including the local user database and RADIUS and other remote servers.

If you leave the default firewall policy action set to deny and add explicit FTP proxy policies, all connections to the explicit FTP proxy must match an or else they will be dropped. Sessions that are accepted are processed according to the ftp-proxy security policy settings.

You can also change the explicit FTP proxy default firewall policy action to accept and add explicit FTP proxy policies. If you do this, sessions that match explicit FTP proxy policies are processed according to the policy settings. Connections to the explicit FTP proxy that do not match an explicit FTP proxy policy are allowed and the users can authenticate with the proxy anonymously.

There are some limitations to the security features that can be applied to explicit FTP proxy sessions. See Security profiles, threat weight, device identification, and the explicit FTP proxy on page 2938.

You cannot configure IPsec, SSL VPN, or Traffic shaping for explicit FTP proxy traffic. Explicit FTP proxy policies can only include firewall addresses not assigned to a FortiGate unit interface or with interface set to any. (On the web-based manager you must set the interface to Any. In the CLI you must unset the associated- interface.)

Explicit web proxy sessions and user limits

1 Reply

Explicit web proxy sessions and user limits

Web browsers and web servers open and close multiple sessions with the explicit web proxy. Some sessions open and close very quickly. HTTP 1.1 keepalive sessions are persistent and can remain open for long periods of time. Sessions can remain on the explicit web proxy session list after a user has stopped using the proxy (and has, for example, closed their browser). If an explicit web proxy session is idle for more than 3600 seconds it is torn down by the explicit web proxy. See RFC 2616 for information about HTTP keepalive/persistent HTTP sessions.

This section describes proxy sessions and user limits for both the explicit web proxy and the explicit FTP proxy. Session and user limits for the two proxies are counted and calculated together. However, in most cases if both proxies are active there will be many more web proxy sessions than FTP proxy sessions.

The FortiGate unit adds two sessions to its session table for every explicit proxy session started by a web browser and every FTP session started by an FTP client. An entry is added to the session table for the session from the web browser or client to the explicit proxy. All of these sessions have the same destination port as the explicit web proxy port (usually 8080 for HTTP and 21 for FTP). An entry is also added to the session table for the session between the exiting FortiGate interface and the web or FTP server destination of the session. All of these sessions have a FortiGate interface IP address and the source address of the session and usually have a destination port of 80 for HTTP and 21 for FTP.

Proxy sessions that appear in FortiView do not include the Policy ID of the web-proxy or ftp-proxy security policy that accepted them. However, the explicit proxy sessions include a destination port that matches the explicit proxy port number (usually 8080 for the web proxy and 21 for the FTP proxy). The proxied sessions from the FortiGate unit have their source address set to the IP address of the FortiGate unit interface that the sessions use to connect to their destinations (for example, for connections to the Internet the source address would be the IP address of the FortiGate interface connected to the Internet).

FortiOS limits the number of explicit proxy users. This includes both explicit FTP proxy and explicit web proxy users. The number of users varies by FortiGate model from as low as 10 to up to 18000 for high end models. You cannot raise this limit.

If your FortiGate unit is configured for multiple VDOMs you can go to System > Global Resources to view the maximum number of Concurrent explicit proxy users and optionally reduce the limit. You can also use the following command:

config global

config system resource-limits set proxy 50

end end

To limit the number of explicit proxy users for a VDOM, from the web-based manager enable multiple VDOMs and go to System > VDOM and edit a VDOM or use the following command to change the number of explicit web proxy users for VDOM_1:

config global

config system vdom-property edit VDOM_1

set proxy 25

end end

You can use the diagnose wad user list command to view the number of explicit web proxy users. Users may be displayed with this command even if they are no longer actively using the proxy. All idle sessions time out after 3600 seconds.

You can use the command diagnose wad user clear to clear current explicit proxy users. You can also use the command diagnose wad user clear <user-name> to clear individual users. This means delete information about all users and force them re-authenticate.

Users that authenticate with explicit web-proxy or ftp-proxy security policies do not appear in the Monitor > Firewall Monitor list and selecting Deauthenticate All Users has no effect on explicit proxy users.

How the number of concurrent explicit proxy users is determined depends on their authentication method:

  • For session-based authenticated users, each authenticated user is counted as a single user. Since multiple users can have the same user name, the proxy attempts to identify users according to their authentication membership (based upon whether they were authenticated using RADIUS, LADAP, FSAE, local database etc.). If a user of one session has the same name and membership as a user of another session, the explicit proxy assumes this is one user.
  • For IP Based authentication, or no authentication, or if no web-proxy security policy has been added, the source IP address is used to determine a user. All sessions from a single source address are assumed to be from the same user.

The explicit proxy does not limit the number of active sessions for each user. As a result the actual explicit proxy session count is usually much higher than the number of explicit web proxy users. If an excessive number of explicit web proxy sessions is compromising system performance you can limit the amount of users if the FortiGate unit is operating with multiple VDOMs.

Preventing the explicit web proxy from changing source addresses

Leave a reply

Preventing the explicit web proxy from changing source addresses

By default in NAT/Route mode the explicit web proxy changes the source address of packets leaving the FortiGate to the IP address of the FortiGate interface that the packets are exiting from. In Transparent mode the source address is changed to the management IP.

This configuration hides the IP addresses of clients and allows packets to return to the FortiGate unit interface without having to route packets from clients. You can use the following command to configure the explicit web proxy to keep the original client’s source IP address:

config firewall explicit-proxy-policy edit 0

set proxy web

set transparent enable end

 

Example users on an internal network browsing the Internet through the explicit web proxy with web caching, RADIUS authentication, web filtering, and virus scanning

This example describes how to configure the explicit web proxy for the example network shown below. In this example, users on the internal network connect to the explicit web proxy through the Internal interface of the FortiGate unit. The explicit web proxy is configured to use port 8888 so users must configure their web browser proxy settings to use port 8888 and IP address 10.31.101.100.

 

Example explicit web proxy network topology

Explicit web proxy users must authenticate with a RADIUS server before getting access to the proxy. The explicit proxy policy that accepts explicit web proxy traffic applies per session authentication and includes a RADIUS server user group. The authentication rule also applies web filtering and virus scanning.

 

General configuration steps

This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:

1. Enable the explicit web proxy for HTTP and HTTPS and change the HTTP and HTTPS ports to 8888.

2. Enable the explicit web proxy on the internal interface.

3. Add a RADIUS server and user group for the explicit web proxy.

4. Add an authentication explicit proxy policy. Enable web caching. Add an authentication rule and enable antivirus and web filtering.

 

Configuring the explicit web proxy – web-based manager

Use the following steps to configure the explicit web proxy.

 

To enable and configure the explicit web proxy

1. Go to System > Feature Select and turn on the Explicit Proxy feature.

2. Go to Network > Explicit Proxy and change the following settings:

 

Enable Explicit Web Proxy      Select HTTP/HTTPS.

Listen on Interfaces                 No change. This field will eventually show that the explicit web proxy is enabled for the Internal interface.

HTTP Port                                  8888

HTTPS Port                                0

Realm                                         You are authenticating with the explicit web proxy.

Default Firewall Policy

ActioDeny

3. Select Apply.

 

To enable the explicit web proxy on the Internal interface

1. Go to Network > Interfaces.

2. Edit the internal interface.

3. Select Enable Explicit Web Proxy.

4. Select OK.

 

To add a RADIUS server and user group for the explicit web proxy

1. Go to User & Device > RADIUS Servers and select Create New to add a new RADIUS server:

Name                                           RADIUS_1

Primary Server Name/IP           10.31.101.200

Primary Server Secret              RADIUS_server_secret

2. Select OK.

3. Go to User & Device > User Groups and select Create New to add a new user group.

Name                                           Explict_proxy_user_group

Type                                            Firewall

Remote Groups                         RADIUS_1

Group Name                              Any

4. Select OK.

 

To add an explicit proxy policy

1. Go to Policy & Objects > Addresses and select Create New.

2. Add a firewall address for the internal network:

 

Category                                     Address

Name                                           Internal_subnet

Type                                            Subnet / IP Range

Subnet / IP Range                     10.31.101.0

Interface                                     Any

3. Go to Policy & Objects > Explicit Proxy Policy and select Create New.

4. Configure the explicit web proxy policy.

Explicit Proxy Type                  Web

Source Address                        Internal_subnet

Outgoing Interface                   wan1

Destination Address                 all

Action                                         AUTHENTICATE

5. Under Configure Authentication Rules select Create New to add an authentication rule:

 

Groups                                       Explicit_policy

Source User(s)                          Leave blank

Schedule                                    always

6. Turn on Antivirus and Web Filter and select the default profiles for both.

7. Select the default proxy options profile.

8. Select OK.

9. Make sure Enable IP Based Authentication is not selected.

10. Turn on Web Cache.

11. Select OK.

 

Configuring the explicit web proxy – CLI

Use the following steps to configure the example explicit web proxy configuration from the CLI.

 

To enable the explicit web proxy on the Internal interface

1. Enter the following command to enable the explicit web proxy on the internal interface.

config system interface edit internal

set explicit-web-proxy enable

end

 

To enable and configure the explicit web proxy

1. Enter the following command to enable the explicit web proxy and set the TCP port that proxy accepts HTTP and

HTTPS connections on to 8888.

config web-proxy explicit set status enable

set http-incoming-port 8888 set https-incoming-port 8888

set realm “You are authenticating with the explicit web proxy” set sec-default-action deny

end

 

To add a RADIUS server and user group for the explicit web proxy

1. Enter the following command to add a RADIUS server:

config user radius edit RADIUS_1

set server 10.31.101.200

set secret RADIUS_server_secret

end

2. Enter the following command to add a user group for the RADIUS server.

config user group

edit Explicit_proxy_user_group set group-type firewall

set member RADIUS_1

end

 

To add a security policy for the explicit web proxy

1. Enter the following command to add a firewall address for the internal subnet:

config firewall address edit Internal_subnet

set type iprange

set start-ip 10.31.101.1 set end-ip 10.31.101.255

end

2. Enter the following command to add the explicit web proxy security policy:

config firewall explicit-proxy-policy edit 0

set proxy web

set dstintf wan1

set srcaddr Internal_subnet set dstaddr all

set action accept

set service webproxy set webcache enable

set identity-based enable set ipbased disable

end

set active-auth-method basic config identity-based-policy

edit 0

set groups Explicit_Proxy_user_group set schedule always

set utm-status enable set av-profile default

set webfilter-profile default

set profile-protocol-options default end

 

Testing and troubleshooting the configuration

You can use the following steps to verify that the explicit web proxy configuration is working as expected:

 

To test the explicit web proxy configuration

1. Configure a web browser on the internal subnet to use a web proxy server at IP address 10.31.101.100 and port 8888.

2. Browse to an Internet web page.

The web browser should pop up an authentication window that includes the phrase that you added to the Realm option.

3. Enter the username and password for an account on the RADIUS server.

If the account is valid you should be allowed to browse web pages on the Internet.

4. Close the browser and clear its cache and cookies.

5. Restart the browser and connect to the Internet.

You could also start a second web browser on the same PC. Or you could start a new instance of the same browser as long as the browser asks for a user name and password again.

You should have to authenticate again because identity-based policies are set to session-based authentication.

6. If this basic functionality does not work, check your FortiGate and web browser configuration settings.

7. Browse to a URL on the URL filter list and confirm that the web page is blocked.

8. Browse to http://eicar.org and attempt to download an anti-malware test file.

The antivirus configuration should block the file.

Sessions for web-proxy security policies do not appear on the Top Sessions dashboard widget and the count column for security policies does not display a count for explicit web proxy security policies.

9. You can use the following command to display explicit web proxy sessions

get test wad 60

IP based users:

Session based users:

user:0x9c20778, username:User1, vf_id:0, ref_cnt:9

 

Total allocated user:1

Total user count:3, shared user quota:50, shared user count:3

This command output shows one explicit proxy user with user name User1 authenticated using session-based authentication.

Changing HTTP headers

Leave a reply

Changing HTTP headers

You can create explicit web proxy profiles that can add, remove and change HTTP headers. The explicit web proxy profile can be added to a web explicit proxy policy and will be applied to all of the HTTP traffic accepted by that policy.

 

You can change the following HTTP headers:

  • client-ip
  • via header for forwarded requests
  • via header for forwarded responses
  • x-forwarded-for
  • front-end-https

 

For each of these headers you can set the action to:

  • Pass to forward the traffic without changing the header
  • Add to add the header
  • Remove to remove the header

You can also configure how the explicit web proxy handles custom headers. The proxy can add or remove custom headers from requests or responses. If you are adding a header you can specify the content to be included in the added header.

 

Create web proxy profiles from the CLI:

config web-proxy profile edit <name>

set header-client-ip {add | pass | remove} set header-via-request {add | pass | remove} set header-via-response {add | pass | remove}

set header-x-forwarded-for {add | pass | remove}

set header-front-end-https {add | pass | remove}

config headers edit <id>

set action {add-to-request | add-to-response | remove-from-request |

remove-from-response}

set content <string>

set name <name>

end

end

 

Use the following command to add a web proxy profile to an explicit proxy policy:

config firewall explicit-proxy-policy edit <id>

set webproxy-profile <name>

end