FortiCache 4.0.1 Administration Guide

Services

Web cache services define one or more protocols and port numbers associated with each service. Web cache policies use service definitions to match session types. You can organize related services into service groups to simplify your policy list.

If you need to create a web cache policy for a service that is not in the predefined service list, you can add a custom service. Custom services are configured in Policy & Objects > Objects > Services.

The following options are available:

Create New: Create a new custom service or category. See To create a new service: and Adding a service category.
Edit: Edit the selected service.
Delete: Remove the selected custom service. This icon appears only if a service is not currently being used in a web cache policy.
Category Settings: Edit the order in which the categories are displayed in the list when viewing the list by category.
By Category: View the list organized by categories.
Alphabetically: View the list organized alphabetically.
Service Name: The name of the custom service.
Ports: The port numbers for each service.
IP/FQDN: The IP address or FQDN of the service.
Show in Service List: Whether or not the service is shown in the service list.
Comments: Optional description of the service.
Protocol: The protocol type for the service.
Ref.: Displays the number of times the service is referenced by other objects. To view the location of the referenced service, select the number in Ref.; the Object Usage window appears displaying the various locations of the referenced object.
Type: The type of service.

To create a new service:

  1. Go to Policy & Objects > Objects > Services and select Create New > Service. The New Service window opens.
  2. Configure the following settings:
Name: Enter a name for the custom service.
Comments: Optionally, enter a description of the service.
Service Type: Select the service type: Firewall or Explicit Proxy.
Show in Service List: Select to show the service in the service list.
Category: Select the category for the service: Uncategorized, General, or Web Proxy.
Protocol Type: Select the type of protocol for the service. If Service Type is Firewall, select one of: TCP/UDP/SCTP, ICMP, ICMP6, or IP. If Service Type is Explicit Proxy, select one of: ALL, CONNECT, FTP, HTTP, or SOCKS.
IP/FQDN: Enter the IP address or FQDN for the service. This option is only available if Protocol Type is set to TCP/UDP/SCTP, ALL, CONNECT, FTP, HTTP, or SOCKS.
Protocol: Select the protocol that you are configuring settings for from the drop-down list: TCP, UDP, or SCTP. Then enter the low and high destination and source ports in the requisite fields. Up to 16 protocols can be added. When Service Type is Explicit Proxy, the protocol is TCP. This option is only available if Protocol Type is set to TCP/UDP/SCTP, ALL, CONNECT, FTP, HTTP, or SOCKS.
Type: Enter the ICMP type number for the ICMP protocol configuration. This option is only available if Protocol Type is set to ICMP or ICMP6.
Code: Enter the ICMP code number for the ICMP protocol configuration. This option is only available if Protocol Type is set to ICMP or ICMP6.
Protocol Number: Enter the protocol number for the IP protocol configuration. This option is only available if Protocol Type is set to IP.
  3. Select OK to create the new service.

To edit a service:

  1. Select the service you would like to edit, then select Edit in the toolbar, or double-click on the service in the table. The Edit Service window opens.
  2. Edit the service as required, then select OK to apply your changes.

To delete a service or services:

  1. Select the service or services that you would like to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected service or services.

Adding a service category

  1. From Policy & Objects > Objects > Services, select Create New > Category. The New Service Category window opens.
  2. Enter a name for the new category in the Name field.
  3. Optionally, enter a description of the category in the Comments field.
  4. Select OK to create the new service category.

Service groups

You can organize multiple services into a service group to simplify your policy list. For example, instead of having five identical policies for five different but related services, you can combine the five services into a single service group that is used by a single policy.

Service groups cannot contain other service groups.

Configure a service group using the following CLI command:

config firewall service group
    edit <name>
        set member          –Address group member.
        set explicit-proxy  –Enable/disable explicit web proxy service group.
        set comment         –Comment.
        set color           –GUI icon color.
    next
end

Schedules

When you add security policies on a FortiCache unit, those policies are always on, policing the traffic through the device. Schedules control when policies are in effect.

The schedule list lists all the schedules. Recurring and one-time schedules can be created, edited, and deleted as needed.

You can create a recurring schedule that activates a policy during a specified period of time. If a recurring schedule has a stop time that is earlier than the start time, the schedule will take effect at the start time but end at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next. To create a recurring schedule that runs for 24 hours, set the start and stop times to 00.

You can also create one-time schedules, which are in effect only once, for the period of time specified in the schedule.

To manage schedules, go to Policy & Objects > Objects > Schedules.

Create New: Create a new recurring schedule, one-time schedule, or a schedule group. See To create a new recurring schedule: and To create a new one-time schedule:.
Edit: Edit the selected schedule.
Delete: Remove the selected schedule. This icon is only available if the selected schedule is not currently being used in a policy.
Search: Enter a search term to search the schedules list.
Name: The name of the schedule.
Days/Members: The days of the week that the schedule is configured to be active.
Start: The time of day that the schedule is configured to start.
End: The time of day that the schedule is configured to end.
Ref.: Displays the number of times the schedule is referenced by other objects. To view the location of the referenced schedule, select the number in Ref.; the Object Usage window appears displaying the various locations of the referenced object.
Type: The type of schedule, either Recurring or One-Time.

To create a new recurring schedule:

  1. Go to Policy & Objects > Objects > Schedules and select Create New > Schedule. The New Schedule window opens.
  2. Configure the following settings:
Type: Set to Recurring.
Name: Enter the name of the recurring schedule.
Days: Select the days of the week when the schedule will be active.
Start Time: Select the start time for the schedule.
Stop Time: Select the stop time for the schedule. If the stop time is set earlier than the start time, the stop time will be during the next day. If the start time is equal to the stop time, the schedule will run for 24 hours.
  3. Select OK to create the recurring schedule.
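
The stop-time rule described under Schedules and in the Stop Time setting above, worked through as an added Python example (not FortiCache code and not part of the original guide). It assumes that the selected day is the day on which a window starts, that the stop minute itself is excluded, and that equal start and stop times mean 24 hours counted from the start time; the function names and the sample schedule are constructed for illustration.

```python
from datetime import datetime, time

DAY_NAMES = ("monday", "tuesday", "wednesday", "thursday",
             "friday", "saturday", "sunday")


def recurring_active(days, start, stop, now):
    """Return True if a recurring schedule is in effect at datetime `now`.

    days: set of day names on which a window starts (assumption).
    start, stop: datetime.time values for Start Time and Stop Time.
    """
    today = DAY_NAMES[now.weekday()]
    yesterday = DAY_NAMES[(now.weekday() - 1) % 7]
    t = now.time()
    if start < stop:
        # Ordinary same-day window; the stop time itself is excluded (assumption).
        return today in days and start <= t < stop
    # Stop at or before start: the window ends at `stop` on the next day.
    if t >= start:
        return today in days       # part of the window that falls on the start day
    if t < stop:
        return yesterday in days   # carry-over from a window opened yesterday
    return False


def weekly_minutes(days, start, stop):
    """Minutes per week the schedule is in effect, for reviewing exposure."""
    span = (stop.hour * 60 + stop.minute) - (start.hour * 60 + start.minute)
    if span <= 0:                  # overnight wrap, or equal times = 24 hours
        span += 24 * 60
    return span * len(days)


# Constructed sample: a Friday-only schedule from 22:00 to 06:00.
NIGHT = ({"friday"}, time(22, 0), time(6, 0))

if __name__ == "__main__":
    for when in (datetime(2024, 1, 5, 23, 0),   # Friday 23:00
                 datetime(2024, 1, 6, 3, 0),    # Saturday 03:00, day not selected
                 datetime(2024, 1, 6, 6, 0)):   # Saturday 06:00, window closed
        print(when, recurring_active(*NIGHT, when))
    print("minutes per week:", weekly_minutes(*NIGHT))
```

Under these assumptions the Saturday 03:00 case is the one to check when reviewing policies: the schedule is in effect on a day that is not selected in Days.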

To create a new one-time schedule:

  1. Go to Policy & Objects > Objects > Schedules and select Create New > Schedule. The New Schedule window opens.
  2. Configure the following settings:
Type: Set to One-time.
Name: Enter the name of the one-time schedule.
Start Date: Select the year, month, day, hour, and minute that the schedule will start.
End Date: Select the year, month, and day that the schedule will stop. The stop time must be later than the start time.
Start Time: Select the hour and minute that the schedule will start.
Stop Time: Select the hour and minute that the schedule will stop. The stop time must be later than the start time.
Pre-expiration event log: Select to generate an event log prior to the schedule expiring. Enter the number of days prior to the expiry that the event log will be generated, from 1 to 100.
  3. Select OK to create the one-time schedule.

To edit a schedule:

  1. Select the schedule you would like to edit, then select Edit from the toolbar, or double-click on the schedule in the table. The Edit Recurring Schedule or Edit One-time Schedule window opens.
  2. Edit the information as required, then select OK to apply your changes.

To delete schedules:

  1. Select the schedule or schedules that you would like to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected schedule or schedules.

Schedule groups

You can organize multiple schedules into a schedule group to simplify your security policy list. For example, instead of having five identical policies for five different but related schedules, you might combine the five schedules into a single schedule group that is used by a single security policy.

Schedule groups can contain both recurring and one-time schedules. Schedule groups cannot contain other schedule groups.

To configure schedule groups, go to Policy & Objects > Objects > Schedules.

To create a new schedule group:

  1. Go to Policy & Objects > Objects > Schedules and select Create New > Schedule Group. The New Schedule Group window opens.
  2. Configure the following settings:
Name: Enter the name of the schedule group.
Members: Select the schedules that you would like to have included in the group from the dropdown menu.
  3. Select OK to create the schedule group.

To edit a schedule group:

  1. Select the schedule group you would like to edit, then select Edit from the toolbar, or double-click on the schedule group in the table. The Edit Schedule Group window opens.
  2. Edit the information as required, then select OK to apply your changes.

To delete schedule groups:

  1. Select the group or groups that you would like to delete.
  2. Select Delete from the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected group or groups.

Explicit

Use the explicit web proxy to enable explicit HTTP proxying on one or more Fortinet interfaces. IPv6 is supported.

To configure the explicit web proxies, go to Policy & Objects > Objects > Explicit.

Configure the following settings:

Create New: Create a new explicit web proxy.
Edit: Modify the settings of an explicit web proxy.
Delete: Remove a proxy from the list.
Status: The status of the explicit web proxy.
Name: The name of the explicit web proxy.
Interface: The interface to which the proxy applies.
Ref.: Displays the number of times the proxy is referenced by other objects. To view the location of the referenced proxy, select the number in Ref.; the Object Usage window appears displaying the various locations of the referenced object.

To create a new explicit web proxy:

  1. Go to Policy & Objects > Objects > Explicit and select Create New. The New Web Proxy Explicit window opens.
  2. Configure the following settings:
Name: Enter the name of the explicit web proxy.
Interface: Select the interface that is monitored by the explicit web proxy from the drop-down list.
Enable FTP over HTTP: Select to enable FTP over HTTP for the explicit web proxy.
HTTP Port: Enter the HTTP port number that traffic from client web browsers uses to connect to the explicit proxy for the specific protocol. Explicit proxy users must configure their web browser's proxy settings for the protocol to use this port (default = 8080).
HTTPS Port: Enter the HTTPS port number that traffic from client web browsers uses to connect to the explicit proxy for the specific protocol. Explicit proxy users must configure their web browser's proxy settings for the protocol to use this port. Enter 0 to use the HTTP port.
PAC Port: Enter the Proxy Auto-Config (PAC) port number that traffic from client web browsers uses to connect to the explicit proxy for the specific protocol. Explicit proxy users must configure their web browser's proxy settings for the protocol to use this port. Enter 0 to use the HTTP port.
Realm: The authentication realm to identify the explicit web proxy. The realm is a text string of up to 63 characters. If the realm includes spaces, the name must be enclosed in quotation marks. When a user authenticates with the explicit proxy, the HTTP authentication dialog includes the realm, so it can be used to identify the explicit web proxy for your users.
Enable SOCKS proxy: Select to enable the SOCKS proxy protocol. The SOCKS proxy protocol is an optional protocol that routes packets between a client and a server through a proxy. SOCKS is supported by many major web browsers. The SOCKS proxy protocol does not support authentication.
Unknown HTTP version: Select the action to take when the proxy must handle a request or message from an unknown HTTP version.

  - Best Effort: Attempt to handle the HTTP traffic as well as possible.
  - Reject: Treat the traffic as malformed and drop it. This option is more secure and is the default setting.

  3. Select OK to create the explicit web proxy.

To edit an explicit web proxy:

  1. Select the explicit web proxy you would like to edit, then select Edit from the toolbar, or double-click on the explicit web proxy in the table. The Edit Web Proxy Explicit window opens.
  2. Edit the information as required, then select OK to apply your changes.

To delete explicit web proxies:

  1. Select the explicit web proxy or proxies that you would like to delete.
  2. Select Delete from the toolbar.

  3. Select OK in the confirmation dialog box to delete the selected explicit web proxy or proxies.

