
Example: Proxy option

The company will be using a number of the Security Profiles features on various policies but wants to use as few profiles as possible to make administration simpler. The decision has been made to have two profiles, the default one and a single customized one that will be a combination of the settings required to cover the situations that will not be covered by the default profile.

The company profile will have the following parameters:

  • There are no FTP servers running on the site so there is no need for FTP.
  • The company has a non-standard IMAP implementation that uses port 1143.
  • The Comfort Clients feature is to be used, sending 1 byte for every 15 seconds.
  • There is a lot of varied email traffic so there is to be no blocking of emails due to size beyond the settings on the mail servers.
  1. Go to Policy & Objects > Policy > Proxy Options.
  2. Create a new profile
  3. Fill out the fields with the following information:
Name                          example_standard
Comments                      <optional>
Log Oversized Files           <disabled>

Protocol port mapping:
Enable        Protocol   Inspection Ports
enabled       HTTP       Specify and <leave on default setting.>
enabled       SMTP       Specify and <leave on default setting.>
enabled       POP3       Specify and <leave on default setting.>
enabled       IMAP       Specify and 1143
not enabled   FTP
enabled       NNTP       Specify and <leave on default setting.>
enabled       MAPI       <leave on default setting.>
enabled       DNS        <leave on default setting.>

Common options
Comfort Clients               enabled
Interval (Seconds)            15
Amount (bytes)                1
Block Oversized File/Email    not enabled
Threshold (MB)                not enabled

Web options
Enable Chunked Bypass         not enabled
Add Fortinet Bar              not enabled
Communication Port            <Unseen because Add Fortinet Bar is not enabled>

Email Options
Allow Fragmented Messages     <not enabled>
Append Signature (SMTP)       <not enabled>
Email Signature Text          <Unseen because Append Signature is not enabled>
  4. Select OK.

The same profile can be configured in the CLI with the following commands:

config firewall profile-protocol-options
    edit example_standard
        config http
            set options clientcomfort no-content-summary
            set comfort-interval 15
        end
        config ftp
            set status disable
            set options clientcomfort no-content-summary splice
            set comfort-interval 15
        end
        config imap
            set ports "1143"
            set options fragmail no-content-summary
        end
        config mapi
            set options fragmail no-content-summary
        end
        config pop3
            set options fragmail no-content-summary
        end
        config smtp
            set options fragmail no-content-summary splice
        end
        config nntp
            set options no-content-summary splice
        end
        config ssh
            set inspect-all enable
            set log x11-filter ssh-shell exec port-forward
        end
    next
end

Oversized files

Two variations on the example concern the handling of oversized files at a threshold other than the default setting. The two approaches are:

  • Set a non-default threshold size and block files over it.
  • Set a non-default threshold size and let files over it pass through the FortiGate firewall without being scanned.

In the following instructions:

  • We will use 2 MB as the new threshold.
  • In the CLI instructions we limit the configuration to the HTTP settings for brevity and simplicity.

Option 1

Option 1 can be done in the GUI.

  1. Go to Policy & Objects > Policy > Proxy Options.
  2. Edit the profile that you want to change.
  3. Fill out the fields with the following information:
Common Options
Comfort Clients               enabled
Interval (Seconds)            15
Amount (bytes)                1
Block Oversized File/Email    enabled
Threshold (MB)                2
  4. Select OK.

The same change can be made in the CLI with the following commands:

config firewall profile-protocol-options
    edit example_standard
        config http
            set options clientcomfort no-content-summary oversize
            set oversize-limit 2
            set comfort-interval 15
        end
    next
end

Option 2

Option 2 can only be done in the CLI. Enter the following CLI command:

config firewall profile-protocol-options
    edit example_standard
        config http
            set options clientcomfort no-content-summary
            set oversize-limit 2
            set comfort-interval 15
        end
    next
end
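Option 1 and Option 2 differ by a single word on the options line: with oversize present, files over oversize-limit are blocked; without it, they pass through unscanned. That is easy to miss in a configuration review, so the following script, an added example and not part of this page or of any Fortinet tooling, parses a profile-protocol-options listing of the shape shown above and checks a profile against the four company requirements (no FTP inspection, IMAP on 1143, 15-second client comforting, no blocking by size), reporting which oversize mode each protocol section is in. The listing it parses is constructed for the example: one entry, example_standard, with Option 2 applied to HTTP, and a second entry, drifted_copy, that no longer meets the requirements. The function names are my own; the configuration keys are the ones used on this page.

```python
import shlex

# Constructed sample listing (not from a live FortiGate): example_standard with
# the Option 2 variation on HTTP, plus a drifted_copy entry with FTP inspection
# re-enabled, IMAP back on 143, a 10 s comfort interval, and HTTP blocking at 2 MB.
LISTING = """
config firewall profile-protocol-options
    edit example_standard
        config http
            set options clientcomfort no-content-summary
            set oversize-limit 2
            set comfort-interval 15
        end
        config ftp
            set status disable
            set options clientcomfort no-content-summary splice
            set comfort-interval 15
        end
        config imap
            set ports "1143"
            set options fragmail no-content-summary
        end
    next
    edit drifted_copy
        config http
            set options clientcomfort no-content-summary oversize
            set oversize-limit 2
            set comfort-interval 15
        end
        config ftp
            set status enable
            set options clientcomfort no-content-summary splice
            set comfort-interval 10
        end
        config imap
            set ports "143"
            set options fragmail no-content-summary
        end
    next
end
"""


def parse_fortios(text):
    """Parse nested FortiOS CLI into {table: {entry: {subtable: {key: [values]}}}}.

    'config' and 'edit' open a level; 'next' and 'end' each close one (the parser
    is tolerant of either terminator). shlex strips the quotes around values.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set" and args:
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def oversize_mode(section):
    """Return (mode, limit_mb) for one protocol section.

    'block': 'oversize' is in options, files over the limit are blocked (Option 1).
    'pass-unscanned': no 'oversize' option, files over the limit bypass scanning (Option 2).
    limit_mb is None when the section relies on the FortiGate default threshold.
    """
    limit = section.get("oversize-limit")
    mode = "block" if "oversize" in section.get("options", []) else "pass-unscanned"
    return mode, (int(limit[0]) if limit else None)


def check_company_requirements(profile):
    """List deviations from the four requirements stated in the example."""
    findings = []
    if profile.get("ftp", {}).get("status") != ["disable"]:
        findings.append("ftp: inspection should be disabled (no FTP servers on site)")
    if profile.get("imap", {}).get("ports") != ["1143"]:
        findings.append("imap: ports should be 1143 (non-standard IMAP implementation)")
    for name, section in profile.items():
        if not isinstance(section, dict):
            continue  # profile-level 'set' lines such as a comment
        opts = section.get("options", [])
        if "clientcomfort" in opts and section.get("comfort-interval") != ["15"]:
            findings.append(f"{name}: comfort-interval should be 15")
        mode, mb = oversize_mode(section)
        if mode == "block":
            findings.append(f"{name}: blocks oversized files at {mb or 'default'} MB; "
                            "policy says no blocking by size")
    return findings


def audit(cli_text, name):
    """Parse a profile-protocol-options listing and check the named profile."""
    table = parse_fortios(cli_text)["firewall profile-protocol-options"]
    return check_company_requirements(table[name])
```

Run audit(LISTING, "example_standard") and it returns an empty list; audit(LISTING, "drifted_copy") returns four findings. Because Option 2 lets anything over the threshold reach clients without scanning, a review should treat an oversize-limit that is not paired with the oversize option as a deliberate, documented exception rather than a default worth ignoring.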