FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 30 - WAN Optimization, Web Cache, Explicit Proxy, and WCCP > The FortiGate explicit web proxy

The FortiGate explicit web proxy

You can use the FortiGate explicit web proxy to enable explicit proxying of IPv4 and IPv6 HTTP, and HTTPS traffic one or more FortiGate interfaces. The explicit web proxy also supports proxying FTP sessions from a web browser and proxy auto-config (PAC) to provide automatic proxy configurations for explicit web proxy users. From the CLI you can also configure the explicit web proxy to support SOCKS sessions from a web browser.

The explicit web and FTP proxies can be operating at the same time on the same or on different FortiGate interfaces.

If explicit web proxy options are not visible on the web-based manager, go to System > Config > Features and turn on Explicit Proxy.

In most cases you would configure the explicit web proxy for users on a network by enabling the explicit web proxy on the FortiGate interface connected to that network. Users on the network would configure their web browsers to use a proxy server for HTTP and HTTPS, FTP, or SOCKS and set the proxy server IP address to the IP address of the FortiGate interface connected to their network. Users could also enter the PAC URL into their web browser PAC configuration to automate their web proxy configuration using a PAC file stored on the FortiGate unit.

Enabling the explicit web proxy on an interface connected to the Internet is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address.

If the FortiGate unit is operating in Transparent mode, users would configure their browsers to use a proxy server with the FortiGate management IP address.

If the FortiGate unit is operating with multiple VDOMs the explicit web proxy is configured for each VDOM.

The web proxy receives web browser sessions to be proxied at FortiGate interfaces with the explicit web proxy enabled. The web proxy uses FortiGate routing to route sessions through the FortiGate unit to a destination interface. Before a session leaves the exiting interface, the explicit web proxy changes the source addresses of the session packets to the IP address of the exiting interface. When the FortiGate unit is operating in Transparent mode the explicit web proxy changes the source addresses to the management IP address. You can configure the explicit web proxy to keep the original client IP address. See Preventing the explicit web proxy from changing source addresses.

For more information about explicit web proxy sessions, see Explicit web proxy sessions and user limits.

Example explicit web proxy topology

To allow all explicit web proxy traffic to pass through the FortiGate unit you can set the explicit web proxy default firewall policy action to accept. However, in most cases you would want to use security policies to control explicit web proxy traffic and apply security features such as access control/authentication, virus scanning, web filtering, application control, and traffic logging. You can do this by keeping the default explicit web proxy security policy action to deny and then adding web-proxy security policies.

You can also change the explicit web proxy default security policy action to accept and add explicit web proxy security policies. If you do this, sessions that match web-proxy security policies are processed according to the security policy settings. Connections to the explicit web proxy that do not match a web‑proxy security policy are allowed with no restrictions or additional security processing. This configuration is not recommended and is not a best practice.

Web-proxy policies can selectively allow or deny traffic, apply authentication, enable traffic logging, and use security profiles to apply virus scanning, web filtering, IPS, application control, DLP, and SSL/SSH inspection to explicit web proxy traffic.

You cannot configure Traffic shaping for explicit web proxy traffic. Web Proxy policies can only include firewall addresses not assigned to a FortiGate unit interface or with interface set to Any. (On the web-based manager you must set the interface to Any. In the CLI you must unset the associated-interface.)

Authentication of explicit web proxy sessions uses HTTP authentication and can be based on the user’s source IP address or on cookies from the user’s web browser. For more information, see Explicit web proxy authentication.

To use the explicit web proxy, users must add the IP address of a FortiGate interface on which the explicit web proxy is enabled and the explicit web proxy port number (default 8080) to the proxy configuration settings of their web browsers.

On FortiGate units that support it, you can also enable web caching for explicit web proxy sessions.

General explicit web proxy configuration steps

You can use the following general steps to configure the explicit web proxy.

To enable the explicit web proxy - web-based manager:
  1. Go to System > Network > Explicit Proxy. Select HTTP/HTTPS beside Enable Explicit Web Proxy to turn on the explicit web proxy for IPv4 HTTP and HTTPS traffic.

    You can also select FTP to enable the web proxy for FTP over HTTP sessions in a web browser (not an FTP client) and PAC to enable automatic proxy configuration.

    You can also optionally change the HTTP port that the proxy listens on (the default is 8080) and optionally specify different ports for HTTPS, FTP, and PAC.
  2. Optionally select Enable IPv6 Explicit Proxy to turn on the explicit web proxy for IPv6 traffic.
If you enable both the IPv4 and the IPv6 explicit web proxy you can combine IPv4 and IPv6 addresses in a single explicit web proxy policy to allow both IPv4 and IPv6 traffic through the proxy.
  1. Select Apply.

    The default explicit web proxy configuration has Default Firewall Policy Action set to Deny and requires you to add a security policy to allow access to the explicit web proxy. This configuration is recommended as a best practice because you can use security policies to control access to the explicit web proxy and also apply security features such as logging, UTM, and authentication (by adding identity-based policies).
  2. Go to System > Network > Interface and select one or more interfaces for which to enable the explicit web proxy. Edit the interface and select Enable Explicit Web Proxy.
Enabling the explicit web proxy on an interface connected to the Internet is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address. If you enable the proxy on such an interface make sure authentication is required to use the proxy.
  1. Go to Policy & Objects > Objects > Addresses and select Create New to add a firewall address that matches the source address of packets to be accepted by the explicit proxy.
Category Address
Name Internal_subnet
Type IP Range
Subnet / IP Range 10.31.101.1 - 10.31.101.255
Interface any*

*The Interface must be set to Any.

You can also set the Type to URL Pattern (Explicit Proxy) to add a destination URL that is only used by the explicit proxy. For example, to create an explicit policy that only allows access to Fortinet.com:

Category Address
Name Fortinet-web-sites
Type URL Pattern (Explicit Proxy)
URL Pattern fortinet.com
Interface any
  1. Go to Policy & Objects > Policy > Explicit Proxy and select Create New. Configure the policy as required to accept the traffic that you want to be allowed to use the explicit web proxy.

    The source address of the policy must match the client’s source IP addresses. The interface of this firewall address must be set to any.

    The destination address of the policy should match the IP addresses of web sites that clients are connecting to. Usually the destination address would be all if proxying Internet web browsing. You could also specify a URL firewall address to limit the policy to allowing access to this URL.

    If Default Firewall Policy Action is set to Deny, traffic sent to the explicit web proxy that is not accepted by a web-proxy policy is dropped. If Default Firewall Policy Action is set to Allow then all web-proxy sessions that don’t match with a security policy are allowed.

    For example, the following security policy allows users on an internal network to access fortinet.com websites through the wan1 interface of a FortiGate unit.
Explicit Proxy Type Web
Source Address Internal_subnet
Outgoing Interface wan1
Destination Address Fortinet-web-sites
Schedule always
Action ACCEPT

Add security profiles as required.

  1. Select Create New to add another explicit web proxy and set the Action to AUTHENTICATE to require authentication to access the explicit web proxy. For example:
Explicit Proxy Type Web
Source Address Internal_subnet
Outgoing Interface wan1
Destination Address Fortinet-web-sites
Schedule always
Action AUTHENTICATE

Select Create New to add an Authentication Rule and configure the rule as follows:

Groups Proxy-Group
Source User(s) (optional)
Schedule always

Add security profiles as required and select OK.

You can add multiple user identity policies to apply different authentication for different user groups and users and also apply different UTM and logging settings for different user groups.

You can change the User Authentication Options if required. In most cases you can accept the defaults.

  1. Optionally enable Web Caching.
  2. Select OK.
To enable the explicit web proxy - CLI:
  1. Enter the following command to turn on the IPv4 and IPv6 explicit web proxy for HTTP and HTTPS traffic.

config web-proxy explicit

set status enable

set ipv6-status enable

end

You can also enter the following command to enable the web proxy for FTP sessions in a web browser.

config web-proxy explicit

set ftp-over-http enable

end

The default explicit web proxy configuration has sec-default-action set to deny and requires you to add a security policy to allow access to the explicit web proxy.

  1. Enter the following command to enable the explicit web proxy for the internal interface.

config system interface

edit internal

set explicit-web-proxy enable

end

end

  1. Use the following command to add a firewall address that matches the source address of users who connect to the explicit web proxy.

config firewall address

edit Internal_subnet

set type iprange

set start-ip 10.31.101.1

set end-ip 10.31.101.255

end

The source address for a web-proxy security policy cannot be assigned to a FortiGate interface.

  1. Optionally use the following command to add a destination URL that is only used by the explicit proxy. For example, to create an explicit policy that only allows access to Fortinet.com:

config firewall address

edit Fortinet-web-sites

set type url

set url fortinet.com

end

  1. Use the following command to add an explicit web proxy policy that allows all users on the internal subnet to use the explicit web proxy for connections through the wan1 interface to the Internet.

config firewall explicit-proxy-policy

edit 0

set proxy web

set dstintf wan1

set scraddr Internal_subnet

set dstaddr all

set action accept

set service webproxy

set schedule always

end

  1. Use the following command to add an explicit web proxy policy that allows authenticated users on the internal subnet to use the explicit web proxy for connections through the wan1 interface to the Internet.

config firewall explicit-proxy-policy

edit 0

set proxy web

set dstintf wan1

set scraddr Internal_subnet

set dstaddr Fortinet-web-sites

set action accept

set service webproxy

set schedule always

set identity-based enable

config identity-based-policy

edit 1

set groups Proxy-group

set schedule always

end

end

  1. Use the following command to change global web proxy settings, for example to set the maximum request length for the explicit web proxy to 10:

config web-proxy global

set max-request-length 10

end

Proxy auto-config (PAC) configuration

A proxy auto-config (PAC) file defines how web browsers can choose a proxy server for receiving HTTP content. PAC files include the FindProxyForURL(url, host) JavaScript function that returns a string with one or more access method specifications. These specifications cause the web browser to use a particular proxy server or to connect directly.

To configure PAC for explicit web proxy users, you can use the port that PAC traffic from client web browsers use to connect to the explicit web proxy. explicit web proxy users must configure their web browser’s PAC proxy settings to use the PAC port.

PAC File Content

You can edit the default PAC file from the web-based manager or use the following command to upload a custom PAC file:

config web-proxy explicit

set pac-file-server-status enable

set pac-file-data <pac_file_str>

end

Where <pac_file_str> is the contents of the PAC file. Enter the PAC file text in quotes. You can copy the contents of a PAC text file and paste the contents into the CLI using this option. Enter the command followed by two sets of quotes then place the cursor between the quotes and paste the file content.

The maximum PAC file size is 256 kbytes. If your FortiGate unit is operating with multiple VDOMs each VDOM has its own PAC file. The total amount of FortiGate memory available to store all of these PAC files 2 MBytes. If this limit is reached you will not be able to load any additional PAC files.

You can use any PAC file syntax that is supported by your users’s browsers. The FortiGate unit does not parse the PAC file.

To use PAC, users must add an automatic proxy configuration URL (or PAC URL) to their web browser proxy configuration. The default FortiGate PAC file URL is:

http://<interface_ip>:<PAC_port_int>/<pac_file_str>

For example, if the interface with the explicit web proxy has IP address 172.20.120.122, the PAC port is the same as the default HTTP explicit web proxy port (8080) and the PAC file name is proxy.pac the PAC file URL would be:

http://172.20.120.122:8080/proxy.pac

From the CLI you can use the following command to display the PAC file URLs:

get web-proxy explicit

Unknown HTTP version

You can select the action to take when the proxy server must handle an unknown HTTP version request or message. Set unknown HTTP version to Reject or Best Effort. Best Effort attempts to handle the HTTP traffic as best as it can. Reject treats known HTTP traffic as malformed and drops it. The Reject option is more secure.

Authentication realm

You can enter an authentication realm to identify the explicit web proxy. The realm can be any text string of up to 63 characters. If the realm includes spaces enclose it in quotes. When a user authenticates with the explicit web proxy the HTTP authentication dialog includes the realm so you can use the realm to identify the explicitly web proxy for your users.

Other explicit web proxy options

You can change the following explicit web proxy options as required by your configuration.

HTTP port, HTTPS port, FTP port, PAC port The TCP port that web browsers use to connect to the explicit proxy for HTTP, HTTPS, FTP and PAC services. The default port is 8080 for all services. By default HTTPS, FTP. and PAC use the same port as HTTP. You can change any of these ports as required. Users configuring their web browsers to use the explicit web proxy should add the same port numbers to their browser configurations.
Proxy FQDN Enter the fully qualified domain name (FQDN) for the proxy server. This is the domain name to enter into browsers to access the proxy server.
Max HTTP request length Enter the maximum length of an HTTP request in Kbytes. Larger requests will be rejected.
Max HTTP message length Enter the maximum length of an HTTP message in Kbytes. Larger messages will be rejected.

Configuring an external IP address for the IPv4 explicit web proxy

You can use the following command to set an external IP address (or pool) that will be used by the explicit web proxy policy.

config web-proxy explicit

set status enable

set outgoing-ip <ip1> <ip2> ... <ipN>

end

Configuring an external IP address for the IPv6 explicit web proxy

You can use the following command to set an external IP address (or pool) that will be used by the explicit web proxy policy.

config web-proxy explicit

set status enable

set outgoing-ipv6 <ip1> <ip2> ... <ipN>

end

Restricting the IP address of the IPv4 explicit web proxy

You can use the following command to restrict access to the explicit web proxy using only one IP address. The IP address that you specify must be the IP address of an interface that the explicit HTTP proxy is enabled on. You might want to use this option if the explicit FTP proxy is enabled on an interface with multiple IP addresses.

For example, to require uses to connect to the IP address 10.31.101.100 to connect to the explicit HTTP proxy:

config web-proxy explicit

set incoming-ip 10.31.101.100

end

Restricting the outgoing source IP address of the IPv4 explicit web proxy

You can use the following command to restrict the source address of outgoing web proxy packets to a single IP address. The IP address that you specify must be the IP address of an interface that the explicit HTTP proxy is enabled on. You might want to use this option if the explicit HTTP proxy is enabled on an interface with multiple IP addresses.

For example, to restrict the outgoing packet source address to 172.20.120.100:

config http-proxy explicit

set outgoing-ip 172.20.120.100

end

Restricting the IP address of the explicit IPv6 web proxy

You can use the following command to restrict access to the IPv6 explicit web proxy to use only one IP6 IP address. The IPv6 address that you specify must be the IPv6 address of an interface that the explicit HTTP proxy is enabled on. You might want to use this option if the explicit web proxy is enabled on an interface with multiple IPv6 addresses.

For example, to require uses to connect to the IPv6 address 2001:db8:0:2::30 to connect to the explicit IPv6 HTTP proxy:

config web-proxy explicit

set incoming-ipv6 2001:db8:0:2::30

end

Restricting the outgoing source IP address of the IPv6 explicit web proxy

You can use the following command to restrict the source address of outgoing web proxy packets to a single IPv6 address. The IP address that you specify must be the IPv6 address of an interface that the explicit HTTP proxy is enabled on. You might want to use this option if the explicit HTTP proxy is enabled on an interface with multiple IPv6 addresses.

For example, to restrict the outgoing packet source address to 2001:db8:0:2::50:

config http-proxy explicit

set outgoing-ip6 2001:db8:0:2::50

end

Proxy chaining (web proxy forwarding servers)

For the explicit web proxy you can configure web proxy forwarding servers to use proxy chaining to redirect web proxy sessions to other proxy servers. Proxy chaining can be used to forward web proxy sessions from the FortiGate unit to one or more other proxy servers on your network or on a remote network. You can use proxy chaining to integrate the FortiGate explicit web proxy with an web proxy solution that you already have in place.

A FortiGate unit can forward sessions to most web proxy servers including a remote FortiGate unit with the explicit web proxy enabled. No special configuration of the explicit web proxy on the remote FortiGate unit is required.

You can deploy the explicit web proxy with proxy chaining in an enterprise environment consisting of small satellite offices and a main office. If each office has a FortiGate unit, users at each of the satellite offices can use their local FortiGate unit as an explicit web proxy server. The satellite office FortiGate units can forward explicit web proxy sessions to an explicit web proxy server at the central office. From here the sessions can connect to web servers on the Internet.

FortiGate proxy chaining does not support authenticating with the remote forwarding server.

Adding a web proxy forwarding server

To add a forwarding server, select Create New in the Web Proxy Forwarding Servers section of the Explicit Proxy page by going to System > Network > Explicit Proxy.

Server Name Enter the name of the forwarding server.
Proxy Address Enter the IP address of the forwarding server.
Proxy Address Type Select the type of IP address of the forwarding server. A forwarding server can have an FQDN or IP address.
Port Enter the port number on which the proxy receives connections. Traffic leaving the FortiGate explicit web proxy for this server has its destination port number changed to this number.
Server Down action Select what action the explicit web proxy to take if the forwarding server is down.

Block means if the remote server is down block traffic.

Use Original Server means do not forward traffic to the forwarding sever but instead forward it from the FortiGate to its destination. In other words operate as if there is no forwarding server configured.
Enable Health Monitor Select to enable health check monitoring and enter the address of a remote site. See “Web proxy forwarding server monitoring and health checking”.
Health Check Monitor Site

Use the following CLI command to add a web proxy forwarding server named fwd-srv at address proxy.example.com and port 8080.

config web-proxy forward-server

edit fwd-srv

set addr-type fqdn

set fqdn proxy.example.com

 

set port 8080

end

Web proxy forwarding server monitoring and health checking

By default, a FortiGate unit monitors web proxy forwarding server by forwarding a connection to the remote server every 10 seconds. If the remote server does not respond it is assumed to be down. Checking continues and when the server does send a response the server is assumed to be back up. If you configure health checking, every 10 seconds the FortiGate unit attempts to get a response from a web server by connecting through the remote forwarding server.

You can configure health checking for each remote server and specify a different website to check for each one.

If the remote server is found to be down you can configure the FortiGate unit to block sessions until the server comes back up or to allow sessions to connect to their destination, bypassing the remote forwarding server. You cannot configure the FortiGate unit to fail over to another remote forwarding server.

Configure the server down action and enable health monitoring from the web-based manager by going to System > Network > Explicit Proxy, selecting a forwarding server, and changing the server down action and changing the health monitor settings.

Use the following CLI command to enable health checking for a web proxy forwarding server and set the server down option to bypass the forwarding server if it is down.

config web-proxy forward-server

edit fwd-srv

set healthcheck enable

set monitor http://example.com

set server-down-option pass

end

Grouping forwarding servers and load balancing traffic to them

You can add multiple web proxy forwarding servers to a forwarding server group and then add the server group to an explicit web proxy policy instead of adding a single server. Forwarding server groups are created from the FortiGate CLI but can be added to policies from the web-based manager (or from the CLI).

When you create a forwarding server group you can select a load balancing method to control how sessions are load balanced to the forwarding servers in the server group. Two load balancing methods are available:

  • Weighted load balancing sends more sessions to the servers with higher weights. You can configure the weight for each server when you add it to the group.
  • Least-session load balancing sends new sessions to the forwarding server that is processing the fewest sessions.

When you create a forwarding server group you can also enable affinity. Enable affinity to have requests from the same client processed by the same server. This can reduce delays caused by using multiple servers for a single multi-step client operation. Affinity takes precedence over load balancing.

You can also configure the behavior of the group if all of the servers in the group are down. You can select to block traffic or you can select to have the traffic pass through the FortiGate explicit proxy directly to its destination instead of being sent to one of the forwarding servers.

Use the following command to add a forwarding server group that users weighted load balancing to load balance traffic to three forwarding servers. Server weights are configured to send most traffic to server2. The group has affinity enabled and blocks traffic if all of the forward servers are down:

config web-proxy forward-server

edit server_1

set ip 172.20.120.12

set port 8080

next

edit server_2

set ip 172.20.120.13

set port 8000

next

edit server_3

set ip 172.20.120.14

set port 8090

next

end

config web-proxy forward-server-group

edit New-fwd-group

set affinity enable

set ldb-method weight

set group-down-option block

config server-list

edit server_1

set weight 10

next

edit server_2

set weight 40

next

edit server_3

set weight 10

next

end

Adding proxy chaining to an explicit web proxy policy

You enable proxy chaining for web proxy sessions by adding a web proxy forwarding server or server group to an explicit web proxy policy. In a policy you can select one web proxy forwarding server or server group. All explicit web proxy traffic accepted by this security policy is forwarded to the specified web proxy forwarding server or server group.

To add an explicit web proxy forwarding server - web-based manager:
  1. Go to Policy & Objects > Policy > Explicit Proxy and select Create New.
  2. Configure the policy:
Explicit Proxy Type Web
Source Address Internal_subnet
Outgoing Interface wan1
Destination Address all
Schedule always
Action ACCEPT
Web Proxy Forwarding Server Select, fwd-srv
  1. Select OK to save the security policy.
To add an explicit web proxy forwarding server - CLI:
  1. Use the following command to add a security policy that allows all users on the 10.31.101.0 subnet to use the explicit web proxy for connections through the wan1 interface to the Internet. The policy forwards web proxy sessions to a remote forwarding server named fwd-srv

config firewall explicit-proxy-policy

edit 0

set proxy web

set dstintf wan1

set scraddr Internal_subnet

set dstaddr all

set action accept

set schedule always

set webproxy-forward-server fwd-srv

end

Explicit web proxy authentication

You can add authentication to explicit web proxy policies to control access to the explicit web proxy and to identify users and apply different UTM features to different users.

Authentication of web proxy sessions uses HTTP basic and digest authentication as described in RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication) and prompts the user for credentials from the browser allowing individual users to be identified by their web browser instead of IP address. HTTP authentication allows the FortiGate unit to distinguish between multiple users accessing services from a shared IP address.

You can also select IP-based authentication to authenticate users according to their source IP address in the same way as normal firewall policies.

IP-Based authentication

IP-based authentication applies authentication by source IP address. For the explicit web proxy, IP authentication is compatible with basic, digest, NTLM, FSSO, or RSSO authentication methods. Once a user authenticates, all sessions to the explicit web proxy from that user’s IP address are assumed to be from that user and are accepted until the authentication timeout ends or the session times out.

This method of authentication is similar to standard (non-web proxy) firewall authentication and may not produce the desired results if multiple users share IP addresses (such as in a network that uses virtualization solutions or includes a NAT device between the users and the explicit web proxy).

To configure IP-based authentication, add an explicit web proxy security policy, set the Action to AUTHENTICATION, and select Enable IP Based Authentication is selected.

Use the following CLI command to add IP-based authentication to a web proxy security policy. IP‑based authentication is selected by setting ip-based to enable.

config firewall explicit-proxy-policy

edit 0

set proxy web

set scraddr User_network

set dstintf port1

set dstaddr all

set action accept

set identity-based enable

set ip-based enable

config identity-based-policy

edit 0

set groups Internal_users

set users dwhite rlee

set schedule always

end

Per session authentication

If you don’t select IP Based the explicit web proxy applies HTTP authentication per session. This authentication is browser-based. When a user enters a user name and password in their browser to authenticate with the explicit web proxy, this information is stored by the browser in a session cookie. Each new session started by the same web browser uses the session cookie for authentication. When the session cookie expires the user has to re-authenticate. If the user starts another browser on the same PC or closes and then re-opens their browser they have to authenticate again.

Since the authentication is browser-based, multiple clients with the same IP address can authenticate with the proxy using their own credentials. HTTP authentication provides authentication for multiple user sessions from the same source IP address. This can happen if there is a NAT device between the users and the FortiGate unit. HTTP authentication also supports authentication for other configurations that share one IP address among multiple users. These includes Citrix products and Windows Terminal Server and other similar virtualization solutions.

To configure per session authentication, add a explicit web proxy policy, set the Action to AUTHENTICATE, and make sure Enable IP Based Authentication is not selected.

Use the following CLI command to add per session authentication to a security policy. Per session authentication is selected by setting ip-based to disable.

config firewall explicit-proxy-policy

edit 0

set proxy web

set scraddr User_network

set dstintf port1

set dstaddr all

set action accept

set identity-based enable

set ip-based disable

config identity-based-policy

edit 0

set groups Internal_users

set users dwhite rlee

set schedule always

end

end

Per session HTTP authentication

Transaction-based authentication

Multiple HTTP transactions (request/response) may be pipelined in the same TCP connection. Typically, all HTTP transactions of a TCP connection are considered as belonging to the same user. However, some devices (e.g., load balancers) may send HTTP transactions of different users to the same TCP connection and to explicit proxy. In order to support this deployment case, transaction-based authentication can be implemented to require each HTTP transaction to be authenticated separately.

To implement transaction-based authentication in the CLI:

config firewall explicit-proxy-policy

edit <id>

set transaction-based enable

next

end

Security profiles, threat weight, device identification, and the explicit web proxy

You can apply all security profiles to explicit web proxy sessions. This includes antivirus, web filtering, intrusion protection (IPS), application control, data leak prevention (DLP), and SSL/SSH inspection. Security profiles are applied by selecting them in an explicit web proxy policy or in authentication rules added to web proxy policies.

Traffic accepted by explicit web proxy policies contributes to threat weight data.

The explicit web proxy is not compatible with device identification.

Since the traffic accepted by the explicit web proxy is known to be either HTTP, HTTPS, or FTP over HTTP and since the ports are already known by the proxy, the explicit web proxy does not use all of the SSL/SSH inspection options. The explicit web proxy does support the following proxy options:

  • Enable chunked bypass
  • HTTP oversized file action and threshold

The explicit web proxy does not support the following proxy options:

  • Client comforting
  • Server comforting
  • Monitor content information from dashboard. URLs visited by explicit web proxy users are not added to dashboard usage and log and archive statistics widgets.

For explicit web proxy sessions, the FortiGate unit applies antivirus scanning to HTTP POST requests and HTTP responses. The FortiGate unit starts virus scanning a file in an HTTP session when it receives a file in the body of an HTML request. The explicit web proxy can receive HTTP responses from either the originating web server or the FortiGate web cache module.

Web Proxy firewall services and service groups

Configure web proxy services by selecting Explicit Proxy when configuring a service. Web proxy services can be selected in a explicit web proxy policy when adding one from the CLI. If you add a policy from the web-based manager the service is set to the webproxy service. The webproxy service should be used in most cases, it matches with any traffic with any port number. However, if you have special requirements, such as using a custom protocol type or a reduced port range or need to add an IP/FQDN to an explicit proxy service you can create custom explicit web proxy services.

Web proxy services are similar to standard firewall services. You can configure web proxy services to define one or more protocols and port numbers that are associated with each web proxy service. Web proxy services can also be grouped into web proxy service groups.

One way in which web proxy services differ from firewall services is the protocol type you can select. The following protocol types are available:

  • ALL
  • CONNECT
  • FTP
  • HTTP
  • SOCKS-TCP
  • SOCKS-UDP

To add a web proxy service go to Policy & Objects > Objects > Services and select Create New. Set Service Type to Explicit Proxy and configure the service as required.

To add a web proxy service from the CLI enter:

config firewall service custom

edit my-socks-service

set explicit-proxy enable

set category Web Proxy

set protocol SOCKS-TCP

set tcp-portrange 3450-3490

end

To add a web proxy service group go to Policy & Objects > Objects > Services and select Create New > Service Group. Set Type to Explicit Proxy and add web proxy services to the group as required.

To add a web proxy service group from the CLI enter:

config firewall service group

edit web-group

set explicit-proxy enable

set member webproxy my-socks-service

end

Explicit web proxy firewall address URL patterns

You can add URL pattern addresses and address groups to control the destination URLs that explicit proxy users can connect to. To add a URL pattern to go to Policy & Objects > Objects > Addresses, select Create New and set the Type to URL Pattern (Explicit Proxy). Add a URL or URL pattern that defines the URL or URLs that explicit proxy users should be limited to. Set the Interface to any.

For example to limit access to a single website:

www.fortinet.com

To limit access to websites from the same domain:

google.com

To limit access to a part of a website:

www.apple.com/ipad/

To add a URL pattern group, create several URL pattern addresses then go to Policy & Objects > Objects > Addresses, select Create New > Group and add URL patterns to the address group.

Then when creating explicit web proxy policies, select the URL pattern addresses or groups as the destination address.

URL patterns and HTTPS scanning

For HTTPS traffic, URL patterns can only be matched up to the root path. For example, consider the following URL pattern:

www.apple.com/ipad/

If a proxy user browses using HTTP, this URL pattern limits their access the iPad pages of www.apple.com. However, if a proxy user browses using HTTPS, they will be able to access all pages on www.apple.com.

Changing HTTP headers

You can create explicit web proxy profiles that can add, remove and change HTTP headers. The explicit web proxy profile can be added to a web explicit proxy policy and will be applied to all of the HTTP traffic accepted by that policy.

You can change the following HTTP headers:

  • client-ip
  • via header for forwarded requests
  • via header for forwarded responses
  • x-forwarded-for
  • front-end-https

For each of these headers you can set the action to:

  • Pass to forward the traffic without changing the header
  • Add to add the header
  • Remove to remove the header

You can also configure how the explicit web proxy handles custom headers. The proxy can add or remove custom headers from requests or responses. If you are adding a header you can specify the content to be included in the added header.

Create web proxy profiles from the CLI:

config web-proxy profile

edit <name>

set header-client-ip {add | pass | remove}

set header-via-request {add | pass | remove}

set header-via-response {add | pass | remove}

set header-x-forwarded-for {add | pass | remove}

set header-front-end-https {add | pass | remove}

config headers

edit <id>

set action {add-to-request | add-to-response | remove-from-request | remove-from-response}

set content <string>

set name <name>

end

end

Use the following command to add a web proxy profile to an explicit proxy policy:

config firewall explicit-proxy-policy

edit <id>

set webproxy-profile <name>

end

Preventing the explicit web proxy from changing source addresses

By default in NAT/Route mode the explicit web proxy changes the source address of packets leaving the FortiGate to the IP address of the FortiGate interface that the packets are exiting from. In Transparent mode the source address is changed to the management IP.

This configuration hides the IP addresses of clients and allows packets to return to the FortiGate unit interface without having to route packets from clients. You can use the following command to configure the explicit web proxy to keep the original client’s source IP address:

config firewall explicit-proxy-policy

edit 0

set proxy web

set transparent enable

end

Example users on an internal network browsing the Internet through the explicit web proxy with web caching, RADIUS authentication, web filtering and virus scanning

This example describes how to configure the explicit web proxy for the example network shown below. In this example, users on the internal network connect to the explicit web proxy through the Internal interface of the FortiGate unit. The explicit web proxy is configured to use port 8888 so users must configure their web browser proxy settings to use port 8888 and IP address 10.31.101.100.

Example explicit web proxy network topology

Explicit web proxy users must authenticate with a RADIUS server before getting access to the proxy. The explicit proxy policy that accepts explicit web proxy traffic applies per session authentication and includes a RADIUS server user group. The authentication rule also applies web filtering and virus scanning.

General configuration steps

This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:

  1. Enable the explicit web proxy for HTTP and HTTPS and change the HTTP and HTTPS ports to 8888.
  2. Enable the explicit web proxy on the internal interface.
  3. Add a RADIUS server and user group for the explicit web proxy.
  4. Add an authentication explicit proxy policy. Enable web caching. Add an authentication rule and enable antivirus and web filtering.

Configuring the explicit web proxy - web-based manager

Use the following steps to configure the explicit web proxy.

To enable and configure the explicit web proxy
  1. Go to System > Config > Features and turn on the Explicit Proxy feature.
  2. Go to System > Network > Explicit Proxy and change the following settings:
Enable Explicit Web Proxy Select HTTP/HTTPS.
Listen on Interfaces No change. This field will eventually show that the explicit web proxy is enabled for the Internal interface.
HTTP Port 8888
HTTPS Port 0
Realm You are authenticating with the explicit web proxy.
Default Firewall Policy Action Deny
  1. Select Apply.
To enable the explicit web proxy on the Internal interface
  1. Go to System > Network > Interfaces.
  2. Edit the internal interface.
  3. Select Enable Explicit Web Proxy.
  4. Select OK.
To add a RADIUS server and user group for the explicit web proxy
  1. Go to User & Device > Authentication > RADIUS Servers and select Create New to add a new RADIUS server:
Name RADIUS_1
Primary Server Name/IP 10.31.101.200
Primary Server Secret RADIUS_server_secret
  1. Select OK.
  2. Go to User & Device > User > User Groups and select Create New to add a new user group.
Name Explict_proxy_user_group
Type Firewall
Remote Groups RADIUS_1
Group Name Any
  1. Select OK.
To add an explicit proxy policy
  1. Go to Policy & Objects > Objects > Addresses and select Create New.
  2. Add a firewall address for the internal network:
Category Address
Name Internal_subnet
Type Subnet / IP Range
Subnet / IP Range 10.31.101.0
Interface Any
  1. Go to Policy & Objects > Policy > Explicit Proxy and select Create New.
  2. Configure the explicit web proxy policy.
Explicit Proxy Type Web
Source Address Internal_subnet
Outgoing Interface wan1
Destination Address all
Action AUTHENTICATE
  1. Under Configure Authentication Rules select Create New to add an authentication rule:
Groups Explicit_policy
Source User(s) Leave blank
Schedule always
  1. Turn on Antivirus and Web Filter and select the default profiles for both.
  2. Select the default proxy options profile.
  3. Select OK.
  4. Make sure Enable IP Based Authentication is not selected.
  5. Turn on Web Cache.
  6. Select OK.

Configuring the explicit web proxy - CLI

Use the following steps to configure the example explicit web proxy configuration from the CLI.

To enable the explicit web proxy on the Internal interface
  1. Enter the following command to enable the explicit web proxy on the internal interface.

config system interface

edit internal

set explicit-web-proxy enable

end

To enable and configure the explicit web proxy
  1. Enter the following command to enable the explicit web proxy and set the TCP port that proxy accepts HTTP and HTTPS connections on to 8888.

config web-proxy explicit

set status enable

set http-incoming-port 8888

set https-incoming-port 8888

set realm "You are authenticating with the explicit web proxy"

set sec-default-action deny

end

To add a RADIUS server and user group for the explicit web proxy
  1. Enter the following command to add a RADIUS server:

config user radius

edit RADIUS_1

set server 10.31.101.200

set secret RADIUS_server_secret

end

 

  1. Enter the following command to add a user group for the RADIUS server.

config user group

edit Explicit_proxy_user_group

set group-type firewall

set member RADIUS_1

end

To add a security policy for the explicit web proxy
  1. Enter the following command to add a firewall address for the internal subnet:

config firewall address

edit Internal_subnet

set type iprange

set start-ip 10.31.101.1

set end-ip 10.31.101.255

end

 

  1. Enter the following command to add the explicit web proxy security policy:

config firewall explicit-proxy-policy

edit 0

set proxy web

set dstintf wan1

set srcaddr Internal_subnet

set dstaddr all

set action accept

set service webproxy

set webcache enable

set identity-based enable

set ipbased disable

set active-auth-method basic

config identity-based-policy

edit 0

set groups Explicit_Proxy_user_group

set schedule always

set utm-status enable

set av-profile default

set webfilter-profile default

set profile-protocol-options default

end

end

Testing and troubleshooting the configuration

You can use the following steps to verify that the explicit web proxy configuration is working as expected:

To test the explicit web proxy configuration
  1. Configure a web browser on the internal subnet to use a web proxy server at IP address 10.31.101.100 and port 8888.
  2. Browse to an Internet web page.
    The web browser should pop up an authentication window that includes the phrase that you added to the Realm option.
  3. Enter the username and password for an account on the RADIUS server.
    If the account is valid you should be allowed to browse web pages on the Internet.
  4. Close the browser and clear its cache and cookies.
  5. Restart the browser and connect to the Internet.
    You could also start a second web browser on the same PC. Or you could start a new instance of the same browser as long as the browser asks for a user name and password again.

    You should have to authenticate again because identity-based policies are set to session-based authentication.
  6. If this basic functionality does not work, check your FortiGate and web browser configuration settings.
  7. Browse to a URL on the URL filter list and confirm that the web page is blocked.
  8. Browse to http://www.eicar.org/ and attempt to download an anti-malware test file.
    The antivirus configuration should block the file.
    Sessions for web-proxy security policies do not appear on the Top Sessions dashboard widget and the count column for security policies does not display a count for explicit web proxy security policies.
  9. You can use the following command to display explicit web proxy sessions

get test wad 60

IP based users:

 

Session based users:

user:0x9c20778, username:User1, vf_id:0, ref_cnt:9

 

Total allocated user:1

 

Total user count:3, shared user quota:50, shared user count:3

This command output shows one explicit proxy user with user name User1 authenticated using session-based authentication.

Explicit web proxy sessions and user limits

Web browsers and web servers open and close multiple sessions with the explicit web proxy. Some sessions open and close very quickly. HTTP 1.1 keepalive sessions are persistent and can remain open for long periods of time. Sessions can remain on the explicit web proxy session list after a user has stopped using the proxy (and has, for example, closed their browser). If an explicit web proxy session is idle for more than 3600 seconds it is torn down by the explicit web proxy. See RFC 2616 for information about HTTP keepalive/persistent HTTP sessions.

This section describes proxy sessions and user limits for both the explicit web proxy and the explicit FTP proxy. Session and user limits for the two proxies are counted and calculated together. However, in most cases if both proxies are active there will be many more web proxy sessions than FTP proxy sessions.

The FortiGate unit adds two sessions to its session table for every explicit proxy session started by a web browser and every FTP session started by an FTP client. An entry is added to the session table for the session from the web browser or client to the explicit proxy. All of these sessions have the same destination port as the explicit web proxy port (usually 8080 for HTTP and 21 for FTP). An entry is also added to the session table for the session between the exiting FortiGate interface and the web or FTP server destination of the session. All of these sessions have a FortiGate interface IP address and the source address of the session and usually have a destination port of 80 for HTTP and 21 for FTP.

Proxy sessions that appear in FortiView do not include the Policy ID of the web-proxy or ftp-proxy security policy that accepted them. However, the explicit proxy sessions include a destination port that matches the explicit proxy port number (usually 8080 for the web proxy and 21 for the FTP proxy). The proxied sessions from the FortiGate unit have their source address set to the IP address of the FortiGate unit interface that the sessions use to connect to their destinations (for example, for connections to the Internet the source address would be the IP address of the FortiGate interface connected to the Internet).

FortiOS limits the number of explicit proxy users. This includes both explicit FTP proxy and explicit web proxy users. The number of users varies by FortiGate model from as low as 10 to up to 18000 for high end models. You cannot raise this limit.

If your FortiGate unit is configured for multiple VDOMs you can go to System > VDOM > Global Resources to view the maximum number of Concurrent explicit proxy users and optionally reduce the limit. You can also use the following command:

config global

config system resource-limits

set proxy 50

end

end

To limit the number of explicit proxy users for a VDOM, from the web-based manager enable multiple VDOMs and go to System > VDOM > VDOM and edit a VDOM or use the following command to change the number of explicit web proxy users for VDOM_1:

config global

config system vdom-property

edit VDOM_1

set proxy 25

end

end

You can use the diagnose wad user list command to view the number of explicit web proxy users. Users may be displayed with this command even if they are no longer actively using the proxy. All idle sessions time out after 3600 seconds.

You can use the command diagnose wad user clear to clear current explicit proxy users. You can also use the command diagnose wad user clear <user-name> to clear individual users. This means delete information about all users and force them re-authenticate.

Users that authenticate with explicit web-proxy or ftp-proxy security policies do not appear in the User & Device > Monitor > Firewall list and selecting De-authenticate All Users has no effect on explicit proxy users.

How the number of concurrent explicit proxy users is determined depends on their authentication method:

  • For session-based authenticated users, each authenticated user is counted as a single user. Since multiple users can have the same user name, the proxy attempts to identify users according to their authentication membership (based upon whether they were authenticated using RADIUS, LADAP, FSAE, local database etc.). If a user of one session has the same name and membership as a user of another session, the explicit proxy assumes this is one user.
  • For IP Based authentication, or no authentication, or if no web-proxy security policy has been added, the source IP address is used to determine a user. All sessions from a single source address are assumed to be from the same user.

The explicit proxy does not limit the number of active sessions for each user. As a result the actual explicit proxy session count is usually much higher than the number of explicit web proxy users. If an excessive number of explicit web proxy sessions is compromising system performance you can limit the amount of users if the FortiGate unit is operating with multiple VDOMs.