Proxy Option
The company will be using a number of the Security Profiles features on various policies but wants to use as few profiles as possible to keep administration simple. The decision has been made to have two profiles: the default one, and a single customized one that combines the settings needed to cover the situations the default profile does not.
The company profile will have the following parameters:
• There are no FTP servers on the site, so FTP does not need to be inspected.
• The company will use the Fortinet supplied default certificate called “Fortinet_CA_SSLProxy”.
• The company will only inspect SSL over HTTP, SMTP and IMAP.
• The company has a non-standard IMAP implementation that uses ports 1143 and 1993 for IMAP and IMAPS respectively.
• SSH Deep Scan is to be enabled on SSH traffic regardless of port; the traffic is logged, but nothing is blocked.
• Client comforting is to be used, sending 1 byte every 15 seconds.
• There is a lot of varied email traffic, so no email is to be blocked because of its size beyond the limits already set on the mail servers.
• The Security Officer insists that invalid SSL certificates not be allowed.
Go to Policy > Policy > Proxy Options
Create a new profile
Fill out the fields with the following information:
Field | Value |
Name | example_standard |
Comments | <optional> |
Protocol Port Mapping:
Enable | Protocol | Inspection Ports |
enabled | HTTP | Specify and <leave on default setting.> |
enabled | SMTP | Specify and <leave on default setting.> |
enabled | POP3 | Specify and <leave on default setting.> |
enabled | IMAP | Specify and 1143 |
not enabled | FTP | |
enabled | NNTP | Specify and <leave on default setting.> |
enabled | MAPI | <leave on default setting.> |
enabled | DNS | <leave on default setting.> |
SSL Inspection Options
CA Certificate:“Fortinet_CA_SSLProxy” from drop down menu
Inspect All Ports: Not enabled
Enable | Protocol | Inspection Port(s) |
enabled | HTTPS | <leave as default> |
enabled | SMTPS | <leave as default> |
enabled | POP3S | <leave as default> |
enabled | IMAPS | 1993 |
not enabled | FTPS | |
SSH Inspection Options
Enable SSH Deep Scan: enabled
Protocol | Inspection Ports |
SSH | Any |
Exec | Block: not enabled | Log: enabled |
Port-Forward | Block: not enabled | Log: enabled |
SSH-Shell | Block: not enabled | Log: enabled |
x11-Filter | Block: not enabled | Log: enabled |
Common Options
Field | Value |
Comfort Clients | enabled |
• Interval (Seconds) | 15 |
• Amount(bytes) | 1 |
Block Oversized File/Email | not enabled |
• Threshold (MB) | <leave as default; not used while blocking is disabled> |
Allow Invalid SSL Certificates | not enabled |
Web Options
Field | Value |
Enable Chunked Bypass | not enabled |
Add Fortinet Bar | not enabled |
• Communication Port | <leave as default> |
Email Options
Field | Value |
Allow Fragmented Messages | not enabled |
Append Signature (SMTP) | not enabled |
Email Signature Text | <leave blank> |
Select OK.
Alternatively, the same profile can be configured from the CLI:
config firewall profile-protocol-options
    edit example_standard
        config http
            set options clientcomfort no-content-summary
            set comfort-interval 15
        end
        config https
            set status enable
            set options clientcomfort no-content-summary
            set comfort-interval 15
        end
        config ftp
            set status disable
            set options clientcomfort no-content-summary splice
            set comfort-interval 15
        end
        config ftps
            set options clientcomfort no-content-summary splice
            set comfort-interval 15
        end
        config imap
            set ports "1143"
            set options fragmail no-content-summary
        end
        config imaps
            set status enable
            set ports "1993"
            set options fragmail no-content-summary
        end
        config mapi
            set options fragmail no-content-summary
        end
        config pop3
            set options fragmail no-content-summary
        end
        config pop3s
            set status enable
            set options fragmail no-content-summary
        end
        config smtp
            set options fragmail no-content-summary splice
        end
        config smtps
            set status enable
            set options fragmail no-content-summary splice
        end
        config nntp
            set options no-content-summary splice
        end
        config ssh
            set inspect-all enable
            set log x11-filter ssh-shell exec port-forward
        end
    next
end
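A profile like this tends to drift once several administrators edit it, so it is worth checking the running configuration against the requirements list above rather than trusting the GUI. The script below is an added example, not part of the Fortinet documentation or of FortiOS: it parses the text that `show firewall profile-protocol-options` prints (the config/edit/set/next/end nesting) and audits the named profile against the requirements on this page. The embedded sample is the profile from this page trimmed to the protocols the audit looks at; the defaults it assumes for absent settings (status enable for cleartext protocols, disable for the SSL ones, comfort-amount 1) and the `oversize` and `block` option keywords are assumptions about the FortiOS CLI, not something the page states.

```python
import shlex

# Constructed sample: the profile from this page, trimmed to the protocols the
# audit checks, in the layout "show firewall profile-protocol-options" prints.
SAMPLE_CONFIG = """
config firewall profile-protocol-options
    edit example_standard
        config http
            set options clientcomfort no-content-summary
            set comfort-interval 15
        end
        config https
            set status enable
            set options clientcomfort no-content-summary
            set comfort-interval 15
        end
        config ftp
            set status disable
        end
        config imap
            set ports "1143"
            set options fragmail no-content-summary
        end
        config imaps
            set ports "1993"
            set status enable
            set options fragmail no-content-summary
        end
        config smtps
            set status enable
            set options fragmail no-content-summary splice
        end
        config ssh
            set inspect-all enable
            set log x11-filter ssh-shell exec port-forward
        end
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: 'config'/'edit' open a level,
    'set k v...' stores a value list, 'next' closes one level and 'end' closes
    the enclosing config together with any edit still open inside it."""
    root = {}
    stack = [("config", root)]  # (kind, node)
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            stack.append((cmd, stack[-1][1].setdefault(" ".join(args), {})))
        elif cmd == "set":
            stack[-1][1][args[0]] = args[1:]
        elif cmd == "next" and len(stack) > 1:
            stack.pop()
        elif cmd == "end":
            while len(stack) > 1 and stack[-1][0] == "edit":
                stack.pop()
            if len(stack) > 1:
                stack.pop()
    return root

def audit_profile(profile):
    """Check one profile (the dict under 'edit <name>') against the requirements
    above. Assumed FortiOS defaults when a setting is absent: status enable for
    cleartext protocols, disable for SSL ones, comfort-amount 1."""
    def proto(name): return profile.get(name) if isinstance(profile.get(name), dict) else {}
    def status(name, default): return proto(name).get("status", [default])[0]
    def options(name): return set(proto(name).get("options", []))
    def comforting(name):  # 1 byte every 15 seconds
        p = proto(name)
        return ("clientcomfort" in options(name) and p.get("comfort-interval") == ["15"]
                and p.get("comfort-amount", ["1"]) == ["1"])
    ssh = proto("ssh")
    return {
        "FTP not inspected": status("ftp", "enable") == "disable",
        "IMAP on port 1143": proto("imap").get("ports") == ["1143"],
        "IMAPS on port 1993": proto("imaps").get("ports") == ["1993"],
        "SSL inspection on for HTTPS, SMTPS, IMAPS":
            all(status(p, "disable") == "enable" for p in ("https", "smtps", "imaps")),
        "client comforting 1 byte / 15 s on HTTP and HTTPS":
            comforting("http") and comforting("https"),
        "no oversize blocking on any protocol":
            not any("oversize" in options(p) for p in profile),
        "SSH deep scan on all ports": ssh.get("inspect-all") == ["enable"],
        "SSH logged, nothing blocked":
            set(ssh.get("log", [])) == {"x11-filter", "ssh-shell", "exec", "port-forward"}
            and not ssh.get("block"),
    }

def audit_config(text, name):
    """Audit profile `name` in a config dump; returns (results, failed names)."""
    profiles = parse_fortios(text).get("firewall profile-protocol-options", {})
    if name not in profiles:
        raise KeyError(f"profile {name!r} not found")
    results = audit_profile(profiles[name])
    return results, [req for req, ok in results.items() if not ok]

if __name__ == "__main__":
    for req, ok in audit_config(SAMPLE_CONFIG, "example_standard")[0].items():
        print(f"[{'PASS' if ok else 'FAIL'}] {req}")
```

Run it against a real dump by replacing `SAMPLE_CONFIG` with the output of `show firewall profile-protocol-options`; the parser accepts both the `end`-terminated sub-blocks that `show` prints and the `next`-terminated form used in older documentation. Settings that the CLI block on this page does not carry, such as the CA certificate and "Allow Invalid SSL Certificates", are not audited here.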