Proxy chaining (web proxy forwarding servers)
For the explicit web proxy you can configure web proxy forwarding servers to use proxy chaining to redirect web proxy sessions to other proxy servers. Proxy chaining can be used to forward web proxy sessions from the FortiGate unit to one or more other proxy servers on your network or on a remote network. You can use proxy chaining to integrate the FortiGate explicit web proxy with an web proxy solution that you already have in place.
A FortiGate unit can forward sessions to most web proxy servers including a remote FortiGate unit with the explicit web proxy enabled. No special configuration of the explicit web proxy on the remote FortiGate unit is required.
You can deploy the explicit web proxy with proxy chaining in an enterprise environment consisting of small satellite offices and a main office. If each office has a FortiGate unit, users at each of the satellite offices can use their local FortiGate unit as an explicit web proxy server. The satellite office FortiGate units can forward explicit web proxy sessions to an explicit web proxy server at the central office. From here the sessions can connect to web servers on the Internet.
FortiGate proxy chaining does not support authenticating with the remote forwarding server.
Adding a web proxy forwarding server
To add a forwarding server, select Create New in the Web Proxy Forwarding Servers section of the Explicit Proxy page by going to Network > Explicit Proxy.
Server Name Enter the name of the forwarding server.
Proxy Address Enter the IP address of the forwarding server.
Proxy Address Type
Select the type of IP address of the forwarding server. A forwarding server can have an FQDN or IP address.
Enter the port number on which the proxy receives connections. Traffic leaving the FortiGate explicit web proxy for this server has its destination port number changed to this number.
Server Down action
Select what action the explicit web proxy to take if the forwarding server is down.
Block means if the remote server is down block traffic.
Use Original Server means do not forward traffic to the forwarding sever but instead forward it from the FortiGate to its destination. In other words operate as if there is no forwarding server configured.
Monitor Select to enable health check monitoring and enter the address of a remote site. See
“Web proxy forwarding server monitoring and health checking”.
Use the following CLI command to add a web proxy forwarding server named fwd-srv at address proxy.example.com and port 8080.
config web-proxy forward-server
set addr-type fqdn
set fqdn proxy.example.com set port 8080
Web proxy forwarding server monitoring and health checking
By default, a FortiGate unit monitors web proxy forwarding server by forwarding a connection to the remote server every 10 seconds. If the remote server does not respond it is assumed to be down. Checking continues and when the server does send a response the server is assumed to be back up. If you configure health checking, every 10 seconds the FortiGate unit attempts to get a response from a web server by connecting through the remote forwarding server.
You can configure health checking for each remote server and specify a different website to check for each one. If the remote server is found to be down you can configure the FortiGate unit to block sessions until the server comes back up or to allow sessions to connect to their destination, bypassing the remote forwarding server. You cannot configure the FortiGate unit to fail over to another remote forwarding server.
Configure the server down action and enable health monitoring from the web-based manager by going to Network > Explicit Proxy, selecting a forwarding server, and changing the server down action and changing the health monitor settings.
Use the following CLI command to enable health checking for a web proxy forwarding server and set the server down option to bypass the forwarding server if it is down.
config web-proxy forward-server edit fwd-srv
set healthcheck enable
set monitor http://example.com set server-down-option pass
Grouping forwarding servers and load balancing traffic to them
You can add multiple web proxy forwarding servers to a forwarding server group and then add the server group to an explicit web proxy policy instead of adding a single server. Forwarding server groups are created from the FortiGate CLI but can be added to policies from the web-based manager (or from the CLI).
When you create a forwarding server group you can select a load balancing method to control how sessions are load balanced to the forwarding servers in the server group. Two load balancing methods are available:
- Weighted load balancing sends more sessions to the servers with higher weights. You can configure the weight for each server when you add it to the group.
- Least-session load balancing sends new sessions to the forwarding server that is processing the fewest sessions.
When you create a forwarding server group you can also enable affinity. Enable affinity to have requests from the same client processed by the same server. This can reduce delays caused by using multiple servers for a single multi-step client operation. Affinity takes precedence over load balancing.
You can also configure the behavior of the group if all of the servers in the group are down. You can select to block traffic or you can select to have the traffic pass through the FortiGate explicit proxy directly to its destination instead of being sent to one of the forwarding servers.
Use the following command to add a forwarding server group that users weighted load balancing to load balance traffic to three forwarding servers. Server weights are configured to send most traffic to server2. The group has affinity enabled and blocks traffic if all of the forward servers are down:
config web-proxy forward-server edit server_1
set ip 172.20.120.12 set port 8080
set ip 172.20.120.13 set port 8000
set ip 172.20.120.14 set port 8090
config web-proxy forward-server-group edit New-fwd-group
set affinity enable set ldb-method weight
set group-down-option block config server-list
edit server_1 set weight 10
edit server_2 set weight 40
edit server_3 set weight 10
Adding proxy chaining to an explicit web proxy policy
You enable proxy chaining for web proxy sessions by adding a web proxy forwarding server or server group to an explicit web proxy policy. In a policy you can select one web proxy forwarding server or server group. All explicit web proxy traffic accepted by this security policy is forwarded to the specified web proxy forwarding server or server group.
To add an explicit web proxy forwarding server – web-based manager:
1. Go to Policy & Objects > Explicit Proxy Policy and select Create New.
2. Configure the policy:
Explicit Proxy Type Web
Source Address Internal_subnet
Outgoing Interface wan1
Destination Address all
Web Proxy Forwarding
3. Select OK to save the security policy.
To add an explicit web proxy forwarding server – CLI:
1. Use the following command to add a security policy that allows all users on the 10.31.101.0 subnet to use the explicit web proxy for connections through the wan1 interface to the Internet. The policy forwards web proxy sessions to a remote forwarding server named fwd-srv
config firewall explicit-proxy-policy edit 0
set proxy web
set dstintf wan1
set scraddr Internal_subnet set dstaddr all
set action accept set schedule always
set webproxy-forward-server fwd-srv end
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!