FortiCache 4.0.1 Administration Guide

Proxy options

The Proxy Options menu allows you to configure settings for specific proxies, which can then be applied to policies.

Protocol options are configured in Policy & Objects > Policy > Proxy Options.

Configure the following settings:

Create New Select to open the New Proxy Options window, where you can create a new proxy option.
Clone Clone the current policy option.
View List View the proxy list.

The proxy options list shows all the proxy options. From the list, you can create new options, edit or delete existing options, and view the number of times an option is referenced by other objects.

Name The name of the proxy option.
Comments A description given to the option. This is an optional setting.
Protocol Port Mapping Enable a protocol, then enter the inspection port or ports.
Common Options  
Comfort Clients Select to enable. Configure the following:

• Interval (seconds) – enter the interval time in seconds.
• Amount (bytes) – enter the amount in bytes.

Block Oversized File/Email Enable to block oversized files or emails, and configure the size threshold:

• Threshold (MB) – enter the threshold amount for an oversized email message or file in MB.

Web Options  
Enable Chunked Bypass Select to enable the chunked bypass setting.

SSL inspection

To configure deep inspection options, go to Policy & Objects > Policy > SSL Inspection. SSL inspection options can be used in policies.

Select a deep or certificate inspection option from the drop-down list in the toolbar and edit the settings as required, or create new options, then select Apply to apply your changes.

Create New Select to open the New Deep Inspection Options window, where you can create a new deep inspection option.
Name The name of the deep inspection option.
Comments A description given to the option. This is an optional setting.
SSL Inspection Options SSL inspection options.
Enable SSL Inspection of
• Multiple Clients Connecting to Multiple Servers – The Exempt from SSL Inspection and Common Options options below are only available with this option enabled.
• Protecting SSL Server
CA Certificate Select a CA certificate from the drop-down menu.
Inspection Method
• SSL Certificate Inspection
• Full SSL Inspection – you can optionally enable HTTPS and set which port the protocol uses.
Exempt from SSL Inspection Exempt web categories or specific addresses from SSL inspection.
Web Categories Add web categories to be exempt from SSL inspection.
Addresses Add any pre-configured addresses to be exempt from SSL inspection.
Common Options Common options.
Allow Invalid SSL Certificates Select to allow invalid SSL certificates.
Log Invalid Certificates Select to log invalid certificates.

Objects

The firewall objects menu provides options for configuring addresses, services, schedules, explicit web proxy, forwarding servers, and web proxy settings. This chapter contains the following sections:

• Addresses
• Services
• Schedules
• Explicit
• Forward servers
• Web proxy global

Addresses

Web cache addresses and address groups define network addresses that you use when configuring source and destination addresses for security policies. The FortiCache unit compares the IP addresses contained in packet headers with security policy source and destination addresses to determine if the security policy matches the traffic. Addresses can be IPv4 addresses and address ranges, IPv6 addresses, and fully qualified domain names (FQDNs).

Be careful if employing FQDN web cache addresses. Using a fully qualified domain name in a security policy, while convenient, does present some security risks because policy matching then relies on a trusted DNS server. If the DNS server should ever be compromised, security policies requiring domain name resolution may no longer function properly.

Web cache addresses in the address list are grouped by type: IP/Netmask, FQDN, or IPv6. A FortiCache unit’s default configurations include the all address, which represents any IPv4 IP address on any network. You can also add a firewall address list when configuring a security policy.
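
The following Python example is added here to illustrate the FQDN caution above; it is not FortiCache code. It models address matching for the three address types, using hypothetical helper names (parse_address, matches, fqdn_drift) and constructed resolver answers in place of a real DNS server, and shows the same policy address matching a different IP once the DNS answer changes.

```python
import ipaddress

def parse_address(addr_type, value):
    """Parse an address object of Type Subnet, IP Range or FQDN (model only)."""
    if addr_type == "Subnet":            # IP/mask, e.g. 192.0.2.0/255.255.255.0
        return ("subnet", ipaddress.ip_network(value, strict=False))
    if addr_type == "IP Range":          # two IPs separated by a hyphen
        low, high = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        if low > high:
            raise ValueError("range start is above range end")
        return ("range", (low, high))
    if addr_type == "FQDN":
        return ("fqdn", value.lower().rstrip("."))
    raise ValueError("unknown address type: " + addr_type)

def matches(address, packet_ip, resolver):
    """True if packet_ip falls inside the address object."""
    kind, spec = address
    ip = ipaddress.ip_address(packet_ip)
    if kind == "subnet":
        return ip in spec
    if kind == "range":
        return spec[0] <= ip <= spec[1]
    # FQDN: the set of matching IPs is whatever the DNS server answers.
    return ip in {ipaddress.ip_address(a) for a in resolver(spec)}

def fqdn_drift(address, resolver, baseline):
    """Answers returned now that are absent from a recorded baseline."""
    kind, spec = address
    if kind != "fqdn":
        return []
    return sorted(set(resolver(spec)) - set(baseline))

# Constructed resolvers standing in for a DNS server before and after tampering.
def trusted_dns(name):
    return {"updates.example.com": ["198.51.100.7"]}.get(name, [])

def tampered_dns(name):
    return {"updates.example.com": ["203.0.113.66"]}.get(name, [])

if __name__ == "__main__":
    dst = parse_address("FQDN", "updates.example.com")
    print(matches(dst, "203.0.113.66", trusted_dns))   # policy does not match
    print(matches(dst, "203.0.113.66", tampered_dns))  # same policy now matches
    print(fqdn_drift(dst, tampered_dns, ["198.51.100.7"]))
```

Recording the expected answers for each FQDN address and alerting when fqdn_drift returns anything is one way to notice that a policy's effective scope has changed.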

To view the address list, go to Policy & Objects > Objects > Addresses.

Configure the following settings:

Create New > Address Add a new address.
Edit Address Edit the selected address.
Delete Remove the selected address or addresses. This icon appears only if a policy or address group is not currently using the address.
Name The name of the address.
Address The IP address and mask, IP address range, or FQDN of the address.
Interface The interface to which the address is bound.
Type The type of address: Subnet, IP Range, FQDN.
Comments Optional description of the address.
Ref. Displays the number of times the address is referenced by other objects.

To view the location of the referenced address, select the number in Ref. The Object Usage window appears displaying the various locations of the referenced object.

Show in Address List  
Tags  

To create a new address:

  1. Go to Policy & Objects > Objects > Addresses and select Create New > Address. The New Address window opens.
  2. Configure the following settings:
Name Enter a name for the address. Addresses must have unique names.
Type Select the type of address: Subnet, IP Range, or FQDN. You can enter either an IP range or an IP address with subnet mask.
Subnet / IP Range Enter the IP address, followed by a forward slash (/), then subnet mask, or enter an IP address range separated by a hyphen. See Web cache policy address formats on page 68.
FQDN Enter the FQDN. This option is only available when Type is FQDN.
Interface Select the interface to which you want to bind the IP address. Select Any if you want to bind the IP address with the interface when you create a policy.
Comments Optionally, enter a description of the address.
  3. Select OK to create the new address.

To edit an address:

  1. Select the address you would like to edit then select Edit from the toolbar, or double-click on the address in the address table. The Edit Address window opens.
  2. Edit the address information as required and select OK to apply your changes.

To delete an address or addresses:

  1. Select the address or addresses that you would like to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected address or addresses.

Address groups

You can organize multiple addresses into an address group to simplify your policy list. For example, instead of having five identical policies for five different but related addresses, you might combine the five addresses into a single address group, which is used by a single policy. To view the address group list, go to Policy & Objects > Objects > Addresses.

Create New > Address Group Add an address group.
Edit Select to edit the address group.
Delete Select to remove the address group. This icon appears only if the address group is not currently being used by a policy.
Group Name The name of the address group.
Members The addresses in the address group.
Comments Optional description of the address group.
Ref. Displays the number of times the address group is referenced by other objects.

To view the location of the referenced address group, select the number in Ref. The Object Usage window appears displaying the various locations of the referenced object.

Show in Address List Whether or not the group is shown in the address list.
Tags  

To create a new address group:

  1. Select Create New > Address Group. The New Address Group window opens.
  2. Configure the following information:
Group Name Enter a name to identify the address group. Addresses, address groups, and virtual IPs must have unique names.
Comments Optionally, enter a description of the address group.
Show in Address List Select to show the address group in the address list.
Members Select the addresses to add to the address group.
  3. Select OK to create the new address group.

To edit an address group:

  1. Select the group you would like to edit, then select Edit from the toolbar, or double-click on the address group. The Edit Address Group window opens.
  2. Edit the address group information as required and select OK to apply your changes.

To delete an address group or groups:

  1. Select the address group or groups that you would like to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected address group or groups.
