FortiOS 5.2 Online Help, Chapter 1 - What's New for FortiOS 5.2

WAN Optimization, Web Cache, and Explicit Proxy

New WAN optimization, web cache, and explicit proxy features include:

Explicit Proxy Policy Table - for explicit web proxy, explicit FTP proxy and WAN optimization policies

Explicit proxy policies now have a dedicated table and creation page, found at Policy & Objects > Policy > Explicit Proxy. The corresponding CLI command is:

config firewall explicit-proxy-policy

You use explicit proxy policies to add policies for the IPv4 and IPv6 explicit web proxy and for the explicit FTP proxy. The first step in creating an explicit proxy policy is to select the proxy type (web or FTP). The options available then depend on the explicit proxy type.

From the CLI you use the explicit web proxy policy to add WAN optimization tunnel policies. In FortiOS 5.0 you added WAN optimization tunnel policies by setting the source interface to wanopt. In FortiOS 5.2 you create an explicit web proxy policy from the CLI and set the proxy type to wanopt. For example:

config firewall explicit-proxy-policy
    edit 0
        set proxy wanopt
        set dstintf internal
        set srcaddr all
        set dstaddr server-subnet
        set action accept
        set schedule always
        set service ALL
    next
end

Distributing Explicit Web Proxy Traffic to Multiple CPU Cores

To improve explicit web proxy performance, FortiOS 5.2 distributes explicit web proxy processing to multiple CPU cores. By default web proxy traffic is handled by half of the CPU cores in a FortiGate unit, so if your FortiGate unit has 4 CPU cores, by default two will be used for explicit web proxy traffic. You can increase or decrease the number of CPU cores that are used in the CLI.

config system global
    set wad-worker-count <number>
end

The value for <number> can be anything between 1 and the total number of CPU cores in your FortiGate unit. The default value for <number> is half the number of CPU cores in your FortiGate unit.

Proxy Header Control

You can create explicit web proxy profiles that add, remove and change HTTP headers. An explicit web proxy profile is attached to an explicit web proxy policy and is applied to all of the HTTP traffic accepted by that policy.

You can change the following HTTP headers:

  • client-ip
  • via header for forwarded requests
  • via header for forwarded responses
  • x-forwarded-for
  • front-end-https

For each of these headers you can set the action to:

  • Pass to forward the traffic without changing the header
  • Add to add the header
  • Remove to remove the header

You can also configure how the explicit web proxy handles custom headers. The proxy can add or remove custom headers from requests or responses. If you are adding a header you can specify the content to be included in the added header.

Create web proxy profiles from the CLI:

config web-proxy profile
    edit <name>
        set header-client-ip {add | pass | remove}
        set header-via-request {add | pass | remove}
        set header-via-response {add | pass | remove}
        set header-x-forwarded-for {add | pass | remove}
        set header-front-end-https {add | pass | remove}
        config headers
            edit <id>
                set action {add-to-request | add-to-response | remove-from-request | remove-from-response}
                set content <string>
                set name <name>
            next
        end
    next
end

Use the following command to add a web proxy profile to an explicit proxy policy:

config firewall explicit-proxy-policy
    edit <id>
        set webproxy-profile <name>
    next
end
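The following Python model is an added example, not FortiOS code, showing what the pass/add/remove actions and the custom-header actions of a web proxy profile do to the headers of a request and a response as they pass through the explicit web proxy. The HTTP header names it maps the profile options to (Client-IP, Via, X-Forwarded-For, Front-End-Https), the values inserted on "add", and the sample request are assumptions made for illustration. Stripping X-Forwarded-For and an internal token header on the way out is the kind of leak prevention such a profile is used for.

```python
"""Model of explicit web proxy header control (added example, not FortiOS code)."""
from __future__ import annotations

from dataclasses import dataclass, field

PASS, ADD, REMOVE = "pass", "add", "remove"


@dataclass
class CustomHeader:
    """One entry of 'config headers' inside a web-proxy profile."""
    name: str
    action: str  # add-to-request | add-to-response | remove-from-request | remove-from-response
    content: str = ""


@dataclass
class WebProxyProfile:
    """Subset of 'config web-proxy profile'; all options default to pass."""
    header_client_ip: str = PASS
    header_via_request: str = PASS
    header_via_response: str = PASS
    header_x_forwarded_for: str = PASS
    header_front_end_https: str = PASS
    headers: list[CustomHeader] = field(default_factory=list)


def _apply(headers: dict, name: str, action: str, value: str) -> None:
    """Apply one pass/add/remove action to a header dict (names compared case-insensitively)."""
    key = next((k for k in headers if k.lower() == name.lower()), name)
    if action == ADD:
        headers[key] = value      # add the header, overwriting a client-supplied one
    elif action == REMOVE:
        headers.pop(key, None)    # strip it if the client sent it
    # PASS: forward whatever the client sent, unchanged


def forward_request(profile: WebProxyProfile, headers: dict, client_ip: str,
                    proxy_id: str = "fortigate", tls: bool = False) -> dict:
    """Return the request headers as the proxy would forward them to the server."""
    out = dict(headers)
    _apply(out, "Client-IP", profile.header_client_ip, client_ip)
    _apply(out, "Via", profile.header_via_request, f"1.1 {proxy_id}")
    _apply(out, "X-Forwarded-For", profile.header_x_forwarded_for, client_ip)
    _apply(out, "Front-End-Https", profile.header_front_end_https, "on" if tls else "off")
    for h in profile.headers:
        if h.action == "add-to-request":
            _apply(out, h.name, ADD, h.content)
        elif h.action == "remove-from-request":
            _apply(out, h.name, REMOVE, "")
    return out


def forward_response(profile: WebProxyProfile, headers: dict,
                     proxy_id: str = "fortigate") -> dict:
    """Return the response headers as the proxy would forward them to the client."""
    out = dict(headers)
    _apply(out, "Via", profile.header_via_response, f"1.1 {proxy_id}")
    for h in profile.headers:
        if h.action == "add-to-response":
            _apply(out, h.name, ADD, h.content)
        elif h.action == "remove-from-response":
            _apply(out, h.name, REMOVE, "")
    return out


# Constructed sample: a client behind the proxy sends headers that would
# reveal an internal address and an internal token to the outside server.
SAMPLE_REQUEST = {
    "Host": "www.example.com",
    "X-Forwarded-For": "10.0.0.5",
    "X-Internal-Token": "constructed-sample-value",
}

PRIVACY_PROFILE = WebProxyProfile(
    header_x_forwarded_for=REMOVE,
    header_via_request=ADD,
    header_front_end_https=ADD,
    headers=[
        CustomHeader("X-Internal-Token", "remove-from-request"),
        CustomHeader("X-Served-By", "add-to-response", "edge"),
    ],
)

if __name__ == "__main__":
    print(forward_request(PRIVACY_PROFILE, SAMPLE_REQUEST, "192.0.2.10"))
    print(forward_response(PRIVACY_PROFILE, {"Server": "nginx"}))
```

With PRIVACY_PROFILE the forwarded request keeps Host, loses X-Forwarded-For and X-Internal-Token, and gains Via and Front-End-Https; the response gains X-Served-By and, because header-via-response is left at pass, no Via header is inserted.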

Explicit Web Proxy SOCKS services support for TCP and UDP traffic

You can now configure Web Proxy services to allow UDP traffic as well as TCP traffic to be accepted by the SOCKS proxy. Previously, the web proxy would only accept TCP SOCKS traffic.

Web proxy services can be configured in the CLI.

Syntax

Use the following command to create a custom service for UDP traffic over the SOCKS proxy:

config firewall service custom
    edit <name>
        set explicit-proxy enable
        set category Web\ Proxy
        set protocol SOCKS-UDP
        set tcp-portrange 8080-8080
    next
end

The option to create a custom service for TCP traffic over the SOCKS proxy has also changed. For example, use the following command to create a custom service for TCP traffic over the SOCKS proxy:

config firewall service custom
    edit <name>
        set explicit-proxy enable
        set category Web\ Proxy
        set protocol SOCKS-TCP
        set tcp-portrange 80-80
    next
end

Preventing the explicit web proxy from changing source addresses

By default in NAT/Route mode the explicit web proxy changes the source address of packets leaving the FortiGate to the IP address of the FortiGate interface that the packets are exiting from. In Transparent mode the source address is changed to the management IP.

This configuration hides the IP addresses of clients and allows packets to return to the FortiGate unit interface without having to route packets from clients. You can use the following command to configure the explicit web proxy to keep the original client’s source IP address:

config firewall explicit-proxy-policy
    edit 0
        set proxy web
        set transparent enable
    next
end

Explicit web proxy firewall address URL patterns

You can add URL pattern addresses and address groups to control the destination URLs that explicit web proxy users can connect to. To add a URL pattern, go to Policy & Objects > Objects > Addresses, select Create New and set the Type to URL Pattern (Explicit Proxy). Add a URL or URL pattern that defines the URL or URLs that explicit proxy users should be limited to. Set the Interface to any.

For example to limit access to a single website:

www.fortinet.com

To limit access to websites from the same domain:

google.com

To limit access to a part of a website:

www.apple.com/ipad/

To add a URL pattern group, create several URL pattern addresses then go to Policy & Objects > Objects > Addresses, select Create New > Group and add URL patterns to the address group.

Then when creating explicit web proxy policies, select the URL pattern addresses or groups as the destination address.

URL patterns and HTTPS scanning

For HTTPS traffic, URL patterns can only be matched up to the root path. For example, consider the following URL pattern:

www.apple.com/ipad/

If a proxy user browses using HTTP, this URL pattern limits their access to the iPad pages of www.apple.com. However, if a proxy user browses using HTTPS, they will be able to access all pages on www.apple.com.
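The following Python matcher is an added example, not Fortinet code, that models the URL pattern behaviour described in the two sections above: a pattern can be a single host (www.fortinet.com), a domain (google.com, which this model takes to cover its subdomains as well, an assumption), or a host plus path prefix (www.apple.com/ipad/). For HTTPS the model matches only the host, reflecting the statement that HTTPS URL patterns are matched only up to the root path, and offers a check that flags patterns whose path component HTTPS traffic will not honour, so an administrator can spot policies that are weaker than they look.

```python
"""Toy matcher for explicit proxy URL pattern addresses (added example, not Fortinet code)."""
from urllib.parse import urlsplit


def split_pattern(pattern: str) -> tuple[str, str]:
    """Split 'www.apple.com/ipad/' into ('www.apple.com', '/ipad/'); a bare host gives ('host', '')."""
    host, sep, path = pattern.strip().lower().partition("/")
    return host, ("/" + path) if sep else ""


def host_matches(pattern_host: str, host: str) -> bool:
    """A host pattern matches the host itself and (assumed) any subdomain of it."""
    host = host.lower()
    return host == pattern_host or host.endswith("." + pattern_host)


def url_allowed(pattern: str, url: str) -> bool:
    """Decide whether a proxied request to `url` falls inside the URL pattern address."""
    p_host, p_path = split_pattern(pattern)
    parts = urlsplit(url)
    if not host_matches(p_host, parts.hostname or ""):
        return False
    if parts.scheme == "https":
        # The proxy can match HTTPS only up to the root path, so any path on
        # the host is admitted even if the pattern names a sub-path.
        return True
    if not p_path:
        return True
    return (parts.path or "/").startswith(p_path)


def https_path_blind_spot(pattern: str) -> bool:
    """True when the pattern restricts a path that HTTPS requests will bypass."""
    return split_pattern(pattern)[1] not in ("", "/")


def audit_patterns(patterns: list[str]) -> list[str]:
    """Return the patterns in a policy whose path restriction does not hold for HTTPS."""
    return [p for p in patterns if https_path_blind_spot(p)]


if __name__ == "__main__":
    # Constructed sample policy using the three patterns from the text.
    for p in audit_patterns(["www.fortinet.com", "google.com", "www.apple.com/ipad/"]):
        print(f"{p}: path restriction is not enforced for HTTPS")
```

url_allowed("www.apple.com/ipad/", "http://www.apple.com/mac/") is False while the same URL over https is allowed, which is exactly the gap audit_patterns reports.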