Explicit web proxy firewall address URL patterns

You can add URL pattern addresses and address groups to control the destination URLs that explicit proxy users can connect to. To add a URL pattern, go to Policy & Objects > Addresses, select Create New, and set the Type to URL Pattern (Explicit Proxy). Add a URL or URL pattern that defines the URL or URLs that explicit proxy users should be limited to. Set the Interface to any.


For example to limit access to a single website:

www.fortinet.com


To limit access to websites from the same domain:

google.com


To limit access to a part of a website:

www.apple.com/ipad/


To add a URL pattern group, create several URL pattern addresses then go to Policy & Objects > Addresses, select Create New > Group and add URL patterns to the address group.

Then when creating explicit web proxy policies, select the URL pattern addresses or groups as the destination address.


URL patterns and HTTPS scanning

For HTTPS traffic, URL patterns can only be matched up to the root path. For example, consider the following URL pattern:

www.apple.com/ipad/


If a proxy user browses using HTTP, this URL pattern limits their access to the iPad pages of www.apple.com. However, if a proxy user browses using HTTPS, they will be able to access all pages on www.apple.com.
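
The reason for this limit is what the proxy can see: a plain HTTP request carries the full absolute URL, while an HTTPS request arrives as CONNECT host:port and the path is inside the encrypted tunnel. The following added example (not code from the FortiOS documentation) models that difference; its matching rules (bare domain matches subdomains, a full hostname matches exactly) are an assumption for illustration, not FortiGate's own matching algorithm.

```python
# Added example: a model of which part of a URL pattern an explicit proxy can
# enforce, depending on whether the request is plain HTTP or an HTTPS tunnel.
# Matching semantics are an assumption for illustration, not FortiGate's code.
from urllib.parse import urlsplit


def _split_pattern(pattern: str):
    """Split 'host[/path]' into (lower-cased host, path prefix or None)."""
    host, sep, path = pattern.partition("/")
    return host.lower(), ("/" + path) if sep else None


def _host_matches(pattern_host: str, host: str) -> bool:
    # Assumption: a bare domain (google.com) matches itself and its subdomains;
    # a full hostname (www.fortinet.com) must match exactly.
    host = host.lower()
    return host == pattern_host or host.endswith("." + pattern_host)


def request_allowed(pattern: str, request_line: str) -> bool:
    """Decide whether one proxy request line is allowed by a URL pattern."""
    method, target, _version = request_line.split(" ", 2)
    pattern_host, pattern_path = _split_pattern(pattern)
    if method.upper() == "CONNECT":
        # HTTPS tunnel: only host:port is visible to the proxy, so the path
        # part of the pattern cannot be applied and the whole host is reachable.
        host = target.rsplit(":", 1)[0]
        return _host_matches(pattern_host, host)
    parts = urlsplit(target)          # absolute-URI form sent to a proxy
    if not _host_matches(pattern_host, parts.hostname or ""):
        return False
    return pattern_path is None or parts.path.startswith(pattern_path)


def path_enforceable(pattern: str, request_line: str) -> bool:
    """True when the pattern's path part can actually be checked (HTTP only)."""
    _, pattern_path = _split_pattern(pattern)
    return pattern_path is None or not request_line.upper().startswith("CONNECT ")


if __name__ == "__main__":
    # Constructed sample request lines, as a proxy would receive them.
    pattern = "www.apple.com/ipad/"
    for line in ("GET http://www.apple.com/ipad/air/ HTTP/1.1",
                 "GET http://www.apple.com/mac/ HTTP/1.1",
                 "CONNECT www.apple.com:443 HTTP/1.1"):
        print(f"{line!r}: allowed={request_allowed(pattern, line)} "
              f"path_enforced={path_enforceable(pattern, line)}")
```

If the path restriction matters for HTTPS sites, the pattern alone is not enough; the decision has to be made where the decrypted URL is visible, which is what SSL inspection of the proxied session provides.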

Web Proxy firewall services and service groups

Configure web proxy services by selecting Explicit Proxy when configuring a service. Web proxy services can be selected in an explicit web proxy policy when adding one from the CLI. If you add a policy from the web-based manager, the service is set to the webproxy service. The webproxy service should be used in most cases; it matches any traffic on any port number. However, if you have special requirements, such as using a custom protocol type or a reduced port range, or you need to add an IP/FQDN to an explicit proxy service, you can create custom explicit web proxy services.

Web proxy services are similar to standard firewall services. You can configure web proxy services to define one or more protocols and port numbers that are associated with each web proxy service. Web proxy services can also be grouped into web proxy service groups.

One way in which web proxy services differ from firewall services is the protocol type you can select. The following protocol types are available:

  • ALL
  • CONNECT
  • FTP
  • HTTP
  • SOCKS-TCP
  • SOCKS-UDP

To add a web proxy service go to Policy & Objects > Services and select Create New. Set Service Type to Explicit Proxy and configure the service as required. To add a web proxy service from the CLI enter:

config firewall service custom
    edit my-socks-service
        set explicit-proxy enable
        set category "Web Proxy"
        set protocol SOCKS-TCP
        set tcp-portrange 3450-3490
end

To add a web proxy service group go to Policy & Objects > Services and select Create New > Service Group. Set Type to Explicit Proxy and add web proxy services to the group as required. To add a web proxy service group from the CLI enter:

config firewall service group
    edit web-group
        set explicit-proxy enable
        set member webproxy my-socks-service
end

Security profiles, threat weight, device identification, and the explicit web proxy

You can apply all security profiles to explicit web proxy sessions. This includes antivirus, web filtering, intrusion protection (IPS), application control, data leak prevention (DLP), and SSL/SSH inspection. Security profiles are applied by selecting them in an explicit web proxy policy or in authentication rules added to web proxy policies.

Traffic accepted by explicit web proxy policies contributes to threat weight data. The explicit web proxy is not compatible with device identification.

Since the traffic accepted by the explicit web proxy is known to be either HTTP, HTTPS, or FTP over HTTP and since the ports are already known by the proxy, the explicit web proxy does not use all of the SSL/SSH inspection options. The explicit web proxy does support the following proxy options:

  • Enable chunked bypass
  • HTTP oversized file action and threshold


The explicit web proxy does not support the following proxy options:

  • Client comforting
  • Server comforting
  • Monitor content information from dashboard. URLs visited by explicit web proxy users are not added to dashboard usage and log and archive statistics widgets.

For explicit web proxy sessions, the FortiGate unit applies antivirus scanning to HTTP POST requests and HTTP responses. The FortiGate unit starts virus scanning a file in an HTTP session when it receives a file in the body of an HTTP request. The explicit web proxy can receive HTTP responses from either the originating web server or the FortiGate web cache module.

Explicit web proxy authentication

You can add authentication to explicit web proxy policies to control access to the explicit web proxy and to identify users and apply different UTM features to different users.

Authentication of web proxy sessions uses HTTP basic and digest authentication as described in RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication) and prompts the user for credentials from the browser, allowing individual users to be identified by their web browser instead of by IP address. HTTP authentication allows the FortiGate unit to distinguish between multiple users accessing services from a shared IP address.

You can also select IP-based authentication to authenticate users according to their source IP address in the same way as normal firewall policies.


IP-based authentication

IP-based authentication applies authentication by source IP address. For the explicit web proxy, IP authentication is compatible with basic, digest, NTLM, FSSO, or RSSO authentication methods. Once a user authenticates, all sessions to the explicit web proxy from that user’s IP address are assumed to be from that user and are accepted until the authentication timeout ends or the session times out.

This method of authentication is similar to standard (non-web proxy) firewall authentication and may not produce the desired results if multiple users share IP addresses (such as in a network that uses virtualization solutions or includes a NAT device between the users and the explicit web proxy).

To configure IP-based authentication, add an explicit web proxy security policy, set the Action to AUTHENTICATION, and select Enable IP Based Authentication.

Use the following CLI command to add IP-based authentication to a web proxy security policy. IP-based authentication is selected by setting ip-based to enable.

config firewall explicit-proxy-policy
    edit 0
        set proxy web
        set srcaddr User_network
        set dstintf port1
        set dstaddr all
        set action accept
        set identity-based enable
        set ip-based enable
        config identity-based-policy
            edit 0
                set groups Internal_users
                set users dwhite rlee
                set schedule always
        end
end

Per session authentication

If you don’t select IP Based, the explicit web proxy applies HTTP authentication per session. This authentication is browser-based. When a user enters a user name and password in their browser to authenticate with the explicit web proxy, this information is stored by the browser in a session cookie. Each new session started by the same web browser uses the session cookie for authentication. When the session cookie expires, the user has to re-authenticate. If the user starts another browser on the same PC or closes and then re-opens their browser, they have to authenticate again.

Since the authentication is browser-based, multiple clients with the same IP address can authenticate with the proxy using their own credentials. HTTP authentication provides authentication for multiple user sessions from the same source IP address. This can happen if there is a NAT device between the users and the FortiGate unit. HTTP authentication also supports authentication for other configurations that share one IP address among multiple users. These include Citrix products, Windows Terminal Server, and other similar virtualization solutions.

To configure per session authentication, add an explicit web proxy policy, set the Action to AUTHENTICATE, and make sure Enable IP Based Authentication is not selected.

Use the following CLI command to add per session authentication to a security policy. Per session authentication is selected by setting ip-based to disable.

config firewall explicit-proxy-policy
    edit 0
        set proxy web
        set srcaddr User_network
        set dstintf port1
        set dstaddr all
        set action accept
        set identity-based enable
        set ip-based disable
        config identity-based-policy
            edit 0
                set groups Internal_users
                set users dwhite rlee
                set schedule always
        end
end

(Figure: Per session HTTP authentication)

Transaction-based authentication

Multiple HTTP transactions (request/response) may be pipelined in the same TCP connection. Typically, all HTTP transactions of a TCP connection are considered as belonging to the same user. However, some devices (e.g., load balancers) may send HTTP transactions of different users to the same TCP connection and to the explicit proxy. In order to support this deployment case, transaction-based authentication can be implemented to require each HTTP transaction to be authenticated separately.

To implement transaction-based authentication in the CLI:

config firewall explicit-proxy-policy
    edit <id>
        set transaction-based enable
    next
end

Adding disclaimer messages to explicit proxy policies

This feature allows you to create user exceptions for specific URL categories (including warning messages) based on user groups. The Disclaimer Options are configured under Policy & Objects > Explicit Proxy Policy.

You can also configure a disclaimer for each Authentication Rule by setting Action to Authenticate.


Disclaimer explanations

  • Disable: No disclaimer (default setting).
  • By Domain: The disclaimer will be displayed once per domain. The explicit web proxy checks the referring (Referer) header so that the disclaimer is not triggered again by the page's javascript/css/images/video and similar embedded resources.
  • By Policy: The disclaimer will be displayed if the HTTP request matches a different explicit firewall policy.
  • By User: The disclaimer will be displayed when a new user logs on.

Proxy chaining (web proxy forwarding servers)

For the explicit web proxy you can configure web proxy forwarding servers to use proxy chaining to redirect web proxy sessions to other proxy servers. Proxy chaining can be used to forward web proxy sessions from the FortiGate unit to one or more other proxy servers on your network or on a remote network. You can use proxy chaining to integrate the FortiGate explicit web proxy with a web proxy solution that you already have in place.

A FortiGate unit can forward sessions to most web proxy servers including a remote FortiGate unit with the explicit web proxy enabled. No special configuration of the explicit web proxy on the remote FortiGate unit is required.

You can deploy the explicit web proxy with proxy chaining in an enterprise environment consisting of small satellite offices and a main office. If each office has a FortiGate unit, users at each of the satellite offices can use their local FortiGate unit as an explicit web proxy server. The satellite office FortiGate units can forward explicit web proxy sessions to an explicit web proxy server at the central office. From here the sessions can connect to web servers on the Internet.

FortiGate proxy chaining does not support authenticating with the remote forwarding server.


Adding a web proxy forwarding server

To add a forwarding server, select Create New in the Web Proxy Forwarding Servers section of the Explicit Proxy page by going to Network > Explicit Proxy.

Server Name                 Enter the name of the forwarding server.

Proxy Address               Enter the IP address of the forwarding server.

Proxy Address Type          Select the type of IP address of the forwarding server. A forwarding server can have an FQDN or IP address.

Port                        Enter the port number on which the proxy receives connections. Traffic leaving the FortiGate explicit web proxy for this server has its destination port number changed to this number.

Server Down action          Select what action the explicit web proxy takes if the forwarding server is down.
                            Block means if the remote server is down, block traffic.
                            Use Original Server means do not forward traffic to the forwarding server but instead forward it from the FortiGate to its destination. In other words, operate as if there is no forwarding server configured.

Enable Health Monitor       Select to enable health check monitoring and enter the address of a remote site. See
Health Check Monitor Site   “Web proxy forwarding server monitoring and health checking”.

Use the following CLI command to add a web proxy forwarding server named fwd-srv at address proxy.example.com and port 8080.

config web-proxy forward-server
    edit fwd-srv
        set addr-type fqdn
        set fqdn proxy.example.com
        set port 8080
end

Web proxy forwarding server monitoring and health checking

By default, a FortiGate unit monitors each web proxy forwarding server by forwarding a connection to the remote server every 10 seconds. If the remote server does not respond, it is assumed to be down. Checking continues, and when the server does send a response, the server is assumed to be back up. If you configure health checking, every 10 seconds the FortiGate unit attempts to get a response from a web server by connecting through the remote forwarding server.

You can configure health checking for each remote server and specify a different website to check for each one. If the remote server is found to be down you can configure the FortiGate unit to block sessions until the server comes back up or to allow sessions to connect to their destination, bypassing the remote forwarding server. You cannot configure the FortiGate unit to fail over to another remote forwarding server.

Configure the server down action and enable health monitoring from the web-based manager by going to Network > Explicit Proxy, selecting a forwarding server, and changing the server down action and the health monitor settings.

Use the following CLI command to enable health checking for a web proxy forwarding server and set the server down option to bypass the forwarding server if it is down.

config web-proxy forward-server
    edit fwd-srv
        set healthcheck enable
        set monitor http://example.com
        set server-down-option pass
end

Grouping forwarding servers and load balancing traffic to them

You can add multiple web proxy forwarding servers to a forwarding server group and then add the server group to an explicit web proxy policy instead of adding a single server. Forwarding server groups are created from the FortiGate CLI but can be added to policies from the web-based manager (or from the CLI).

When you create a forwarding server group you can select a load balancing method to control how sessions are load balanced to the forwarding servers in the server group. Two load balancing methods are available:

  • Weighted load balancing sends more sessions to the servers with higher weights. You can configure the weight for each server when you add it to the group.
  • Least-session load balancing sends new sessions to the forwarding server that is processing the fewest sessions.

When you create a forwarding server group you can also enable affinity. Enable affinity to have requests from the same client processed by the same server. This can reduce delays caused by using multiple servers for a single multi-step client operation. Affinity takes precedence over load balancing.

You can also configure the behavior of the group if all of the servers in the group are down. You can select to block traffic or you can select to have the traffic pass through the FortiGate explicit proxy directly to its destination instead of being sent to one of the forwarding servers.

Use the following command to add a forwarding server group that uses weighted load balancing to load balance traffic to three forwarding servers. Server weights are configured to send most traffic to server_2. The group has affinity enabled and blocks traffic if all of the forwarding servers are down:

config web-proxy forward-server
    edit server_1
        set ip 172.20.120.12
        set port 8080
    next
    edit server_2
        set ip 172.20.120.13
        set port 8000
    next
    edit server_3
        set ip 172.20.120.14
        set port 8090
    next
end

config web-proxy forward-server-group
    edit New-fwd-group
        set affinity enable
        set ldb-method weight
        set group-down-option block
        config server-list
            edit server_1
                set weight 10
            next
            edit server_2
                set weight 40
            next
            edit server_3
                set weight 10
            next
        end
end


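The group behaviour described in this section (weighted or least-session balancing, affinity taking precedence, and the group-down-option when every server is down) can be checked against a small model. The following is an added example, not code from the FortiOS documentation or from FortiGate itself; the servers, weights and client identifiers are the constructed values of the CLI example, and the selection logic is an illustration of the documented rules rather than the product's implementation.

```python
# Added example: a model of forwarding server group dispatch. Not FortiGate
# code; the rules follow the documentation, the details are assumptions.
import random
from dataclasses import dataclass, field
from typing import Dict, List, Union


@dataclass
class ForwardServer:
    name: str
    ip: str
    port: int
    weight: int = 1
    up: bool = True
    active_sessions: int = 0


@dataclass
class ForwardServerGroup:
    ldb_method: str = "weight"            # "weight" or "least-session"
    affinity: bool = True
    group_down_option: str = "block"      # "block" or "pass"
    servers: List[ForwardServer] = field(default_factory=list)
    pins: Dict[str, str] = field(default_factory=dict)   # client -> server name
    rng: random.Random = field(default_factory=lambda: random.Random(0))

    def select(self, client: str) -> Union[ForwardServer, str, None]:
        """Pick the server for a new session; "direct" = bypass, None = blocked."""
        up = [s for s in self.servers if s.up]
        if not up:
            # Every forwarding server is down: group-down-option decides.
            return "direct" if self.group_down_option == "pass" else None
        chosen = None
        if self.affinity:
            # Affinity takes precedence over load balancing for a known client.
            pinned = self.pins.get(client)
            chosen = next((s for s in up if s.name == pinned), None)
        if chosen is None:
            if self.ldb_method == "least-session":
                chosen = min(up, key=lambda s: s.active_sessions)
            else:   # weighted: a higher weight draws proportionally more sessions
                chosen = self.rng.choices(up, weights=[s.weight for s in up])[0]
        chosen.active_sessions += 1
        if self.affinity:
            self.pins[client] = chosen.name
        return chosen


def build_group_from_cli_example() -> ForwardServerGroup:
    """New-fwd-group as configured in the CLI example above."""
    group = ForwardServerGroup(ldb_method="weight", affinity=True,
                               group_down_option="block")
    group.servers = [ForwardServer("server_1", "172.20.120.12", 8080, weight=10),
                     ForwardServer("server_2", "172.20.120.13", 8000, weight=40),
                     ForwardServer("server_3", "172.20.120.14", 8090, weight=10)]
    return group


def session_distribution(group: ForwardServerGroup, clients: int) -> Dict[str, int]:
    """Send one session from each of `clients` distinct clients; count per server."""
    counts = {s.name: 0 for s in group.servers}
    for i in range(clients):
        chosen = group.select(f"client-{i}")          # constructed client ids
        if isinstance(chosen, ForwardServer):
            counts[chosen.name] += 1
    return counts


if __name__ == "__main__":
    print(session_distribution(build_group_from_cli_example(), 3000))
```

With weights 10/40/10, server_2 receives about two thirds of new sessions, while a client that has already been pinned by affinity keeps its server regardless of the weights.
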
Adding proxy chaining to an explicit web proxy policy

You enable proxy chaining for web proxy sessions by adding a web proxy forwarding server or server group to an explicit web proxy policy. In a policy you can select one web proxy forwarding server or server group. All explicit web proxy traffic accepted by this security policy is forwarded to the specified web proxy forwarding server or server group.


To add an explicit web proxy forwarding server – web-based manager:

1. Go to Policy & Objects > Explicit Proxy Policy and select Create New.

2. Configure the policy:


Explicit Proxy Type             Web

Source Address                  Internal_subnet

Outgoing Interface              wan1

Destination Address             all

Schedule                        always

Action                          ACCEPT

Web Proxy Forwarding Server     Select fwd-srv

3. Select OK to save the security policy.


To add an explicit web proxy forwarding server – CLI:

1. Use the following command to add a security policy that allows all users on the 10.31.101.0 subnet to use the explicit web proxy for connections through the wan1 interface to the Internet. The policy forwards web proxy sessions to a remote forwarding server named fwd-srv.

config firewall explicit-proxy-policy
    edit 0
        set proxy web
        set dstintf wan1
        set srcaddr Internal_subnet
        set dstaddr all
        set action accept
        set schedule always
        set webproxy-forward-server fwd-srv
end

Other explicit web proxy options

You can change the following explicit web proxy options as required by your configuration.


HTTP port, HTTPS port, FTP port, PAC port     The TCP port that web browsers use to connect to the explicit proxy for HTTP, HTTPS, FTP and PAC services. The default port is 8080 for all services. By default HTTPS, FTP, and PAC use the same port as HTTP. You can change any of these ports as required. Users configuring their web browsers to use the explicit web proxy should add the same port numbers to their browser configurations.

Proxy FQDN                  Enter the fully qualified domain name (FQDN) for the proxy server. This is the domain name to enter into browsers to access the proxy server.

Max HTTP request length     Enter the maximum length of an HTTP request in Kbytes. Larger requests will be rejected.

Max HTTP message length     Enter the maximum length of an HTTP message in Kbytes. Larger messages will be rejected.

Configuring an external IP address for the IPv4 explicit web proxy

You can use the following command to set an external IP address (or pool) that will be used by the explicit web proxy policy.

config web-proxy explicit
    set status enable
    set outgoing-ip <ip1> <ip2> … <ipN>
end

Configuring an external IP address for the IPv6 explicit web proxy

You can use the following command to set an external IP address (or pool) that will be used by the explicit web proxy policy.

config web-proxy explicit
    set status enable
    set outgoing-ipv6 <ip1> <ip2> … <ipN>
end

Restricting the IP address of the IPv4 explicit web proxy

You can use the following command to restrict access to the explicit web proxy to a single IP address. The IP address that you specify must be the IP address of an interface that the explicit HTTP proxy is enabled on. You might want to use this option if the explicit web proxy is enabled on an interface with multiple IP addresses.

For example, to require users to connect to the IP address 10.31.101.100 to reach the explicit HTTP proxy:

config web-proxy explicit
    set incoming-ip 10.31.101.100
end

Restricting the outgoing source IP address of the IPv4 explicit web proxy

You can use the following command to restrict the source address of outgoing web proxy packets to a single IP address. The IP address that you specify must be the IP address of an interface that the explicit HTTP proxy is enabled on. You might want to use this option if the explicit HTTP proxy is enabled on an interface with multiple IP addresses.


For example, to restrict the outgoing packet source address to 172.20.120.100:

config web-proxy explicit
    set outgoing-ip 172.20.120.100
end

Restricting the IP address of the explicit IPv6 web proxy

You can use the following command to restrict access to the IPv6 explicit web proxy to a single IPv6 address. The IPv6 address that you specify must be the IPv6 address of an interface that the explicit HTTP proxy is enabled on. You might want to use this option if the explicit web proxy is enabled on an interface with multiple IPv6 addresses.

For example, to require users to connect to the IPv6 address 2001:db8:0:2::30 to reach the explicit IPv6 HTTP proxy:

config web-proxy explicit
    set incoming-ipv6 2001:db8:0:2::30
end

Restricting the outgoing source IP address of the IPv6 explicit web proxy

You can use the following command to restrict the source address of outgoing web proxy packets to a single IPv6 address. The IP address that you specify must be the IPv6 address of an interface that the explicit HTTP proxy is enabled on. You might want to use this option if the explicit HTTP proxy is enabled on an interface with multiple IPv6 addresses.


For example, to restrict the outgoing packet source address to 2001:db8:0:2::50:

config web-proxy explicit
    set outgoing-ipv6 2001:db8:0:2::50
end

Unknown HTTP version

You can select the action to take when the proxy server must handle an unknown HTTP version request or message. Set unknown HTTP version to Reject or Best Effort. Best Effort attempts to handle the HTTP traffic as best as it can. Reject treats unknown HTTP traffic as malformed and drops it. The Reject option is more secure.


Authentication realm

You can enter an authentication realm to identify the explicit web proxy. The realm can be any text string of up to 63 characters. If the realm includes spaces, enclose it in quotes. When a user authenticates with the explicit web proxy, the HTTP authentication dialog includes the realm, so you can use the realm to identify the explicit web proxy for your users.
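
The realm is carried in the RFC 2617 challenge that the per-session HTTP authentication described earlier relies on. The following added example (not code from the FortiOS documentation or from FortiGate) walks through that exchange for the Digest scheme: the proxy's 407 challenge with a quoted realm and nonce, the browser's Proxy-Authorization reply, and the proxy's verification of it. The user table, realm and credentials are constructed for the demonstration; the Digest computation (MD5, qop=auth) follows RFC 2617.

```python
# Added example: the RFC 2617 Digest exchange between a browser and an explicit
# proxy, showing where the configured realm appears. Not FortiGate code.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

REALM = "Corp Explicit Proxy"          # constructed realm containing spaces
USERS = {"dwhite": "correct horse"}    # constructed credential store for the demo


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def proxy_challenge(realm: str, nonce: str) -> str:
    """407 challenge header; a realm with spaces must be a quoted string."""
    return f'Proxy-Authenticate: Digest realm="{realm}", qop="auth", nonce="{nonce}"'


def parse_auth_params(header_value: str) -> Dict[str, str]:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (values may be unquoted)."""
    scheme, _, rest = header_value.partition(" ")
    assert scheme == "Digest", "only the Digest scheme is modelled here"
    params = {}
    for item in rest.split(","):
        key, _, value = item.strip().partition("=")
        params[key.strip()] = value.strip().strip('"')
    return params


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce) -> str:
    """Client proof = MD5(HA1:nonce:nc:cnonce:qop:HA2) for qop=auth (RFC 2617)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def client_header(user, password, realm, method, uri, nonce) -> str:
    """What the browser sends on its retry after seeing the 407."""
    cnonce, nc = secrets.token_hex(8), "00000001"
    resp = digest_response(user, password, realm, method, uri, nonce, nc, cnonce)
    return (f'Proxy-Authorization: Digest username="{user}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", qop=auth, nc={nc}, '
            f'cnonce="{cnonce}", response="{resp}"')


def proxy_verify(header_line: str, method: str, issued_nonce: str) -> Optional[str]:
    """Return the authenticated username, or None if the proof is not valid."""
    _, _, value = header_line.partition(": ")
    p = parse_auth_params(value)
    password = USERS.get(p.get("username", ""))
    # Reject unknown users, a nonce the proxy never issued, and a foreign realm.
    if password is None or p.get("nonce") != issued_nonce or p.get("realm") != REALM:
        return None
    expected = digest_response(p["username"], password, REALM, method,
                               p["uri"], p["nonce"], p["nc"], p["cnonce"])
    # Constant-time comparison so the check leaks nothing through timing.
    return p["username"] if hmac.compare_digest(expected, p.get("response", "")) else None


def run_exchange(user: str, password: str) -> Optional[str]:
    """Full round trip: unauthenticated request -> 407 -> authenticated retry."""
    nonce = secrets.token_hex(16)                      # proxy issues a fresh nonce
    challenge = proxy_challenge(REALM, nonce)          # sent with the 407 reply
    issued = parse_auth_params(challenge.partition(": ")[2])
    retry = client_header(user, password, issued["realm"], "GET",
                          "http://www.fortinet.com/", issued["nonce"])
    return proxy_verify(retry, "GET", nonce)
```

Because the realm is mixed into HA1, a proof computed for one realm is not accepted by a proxy configured with another, which is one reason to give each explicit proxy a distinct, recognisable realm.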


Implementing Botnet features

The option scan-botnet-connections can be added to an explicit proxy policy.


CLI Syntax:

config firewall explicit-proxy-policy
    edit <policy_id>
        set scan-botnet-connections [disable|block|monitor]
end

where:

  • disable means do not scan connections to botnet servers.
  • block means block connections to botnet servers.
  • monitor means log connections to botnet servers.