The FortiGate explicit web proxy

Example explicit web proxy topology

To allow all explicit web proxy traffic to pass through the FortiGate unit you can set the explicit web proxy default firewall policy action to accept. However, in most cases you would want to use security policies to control explicit web proxy traffic and apply security features such as access control/authentication, virus scanning, web filtering, application control, and traffic logging. You can do this by leaving the default explicit web proxy security policy action set to deny and then adding web-proxy security policies.

You can also change the explicit web proxy default security policy action to accept and add explicit web proxy security policies. If you do this, sessions that match web-proxy security policies are processed according to the security policy settings. Connections to the explicit web proxy that do not match a web-proxy security policy are allowed with no restrictions or additional security processing. This configuration is not recommended and is not a best practice.

The explicit web proxy can accept VIP addresses as the destination address. If an external IP address matches a VIP, the destination IP is changed to the mapped IP of the VIP.

Web-proxy policies can selectively allow or deny traffic, apply authentication, enable traffic logging, and use security profiles to apply virus scanning, web filtering, IPS, application control, DLP, and SSL/SSH inspection to explicit web proxy traffic.

You cannot configure IPsec, SSL VPN, or traffic shaping for explicit web proxy traffic. Web-proxy policies can only include firewall addresses that are not assigned to a FortiGate unit interface, that is, addresses with the interface set to Any. (In the web-based manager you must set the Interface to Any. In the CLI you must unset the associated-interface.)

Authentication of explicit web proxy sessions uses HTTP authentication and can be based on the user’s source IP address or on cookies from the user’s web browser. For more information, see Explicit web proxy authentication on page 2919.

To use the explicit web proxy, users must add the IP address of a FortiGate interface on which the explicit web proxy is enabled and the explicit web proxy port number (default 8080) to the proxy configuration settings of their web browsers.

On FortiGate units that support it, you can also enable web caching for explicit web proxy sessions.


General explicit web proxy configuration steps

You can use the following general steps to configure the explicit web proxy.


To enable the explicit web proxy – web-based manager:

1. Go to Network > Explicit Proxy. Select HTTP/HTTPS beside Enable Explicit Web Proxy to turn on the explicit web proxy for IPv4 HTTP and HTTPS traffic.

You can also select FTP to enable the web proxy for FTP over HTTP sessions in a web browser (not an FTP client) and PAC to enable automatic proxy configuration.

You can also optionally change the HTTP port that the proxy listens on (the default is 8080) and optionally specify different ports for HTTPS, FTP, and PAC.

2. Optionally select Enable IPv6 Explicit Proxy to turn on the explicit web proxy for IPv6 traffic.

If you enable both the IPv4 and the IPv6 explicit web proxy you can combine IPv4 and IPv6 addresses in a single explicit web proxy policy to allow both IPv4 and IPv6 traffic through the proxy.

3. Select Apply.

The default explicit web proxy configuration has Default Firewall Policy Action set to Deny and requires you to add a security policy to allow access to the explicit web proxy. This configuration is recommended as a best practice because you can use security policies to control access to the explicit web proxy and also apply security features such as logging, UTM, and authentication (by adding identity-based policies).

4. Go to Network > Interfaces and select one or more interfaces for which to enable the explicit web proxy. Edit the interface and select Enable Explicit Web Proxy.

Enabling the explicit web proxy on an interface connected to the Internet is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address. If you enable the proxy on such an interface make sure authentication is required to use the proxy.

5. Go to Policy & Objects > Addresses and select Create New to add a firewall address that matches the source address of packets to be accepted by the explicit proxy.

Category: Address
Name: Internal_subnet
Type: IP Range
Subnet / IP Range: 10.31.101.1 – 10.31.101.255
Interface: any*

*The Interface must be set to Any.

You can also set the Type to URL Pattern (Explicit Proxy) to add a destination URL that is only used by the explicit proxy. For example, to create an explicit policy that only allows access to Fortinet.com:

Category: Address
Name: Fortinet-web-sites
Type: URL Pattern (Explicit Proxy)
URL Pattern: fortinet.com
Interface: any

6. Go to Policy & Objects > Explicit Proxy Policy and select Create New. Configure the policy as required to accept the traffic that you want to be allowed to use the explicit web proxy.

The source address of the policy must match the client’s source IP addresses. The interface of this firewall address must be set to any.

The destination address of the policy should match the IP addresses of web sites that clients are connecting to. Usually the destination address would be all if proxying Internet web browsing. You could also specify a URL firewall address to limit the policy to allowing access to this URL.

If Default Firewall Policy Action is set to Deny (under Network > Explicit Proxy), traffic sent to the explicit web proxy that is not accepted by a web-proxy policy is dropped. If Default Firewall Policy Action is set to Allow, then all web-proxy sessions that do not match a security policy are allowed without further security processing.

For example, the following security policy allows users on an internal network to access fortinet.com websites through the wan1 interface of a FortiGate unit.

Explicit Proxy Type: Web
Source Address: Internal_subnet
Outgoing Interface: wan1
Destination Address: Fortinet-web-sites
Schedule: always
Action: ACCEPT

Add security profiles as required.

7. Select Create New to add another explicit web proxy policy and set the Action to AUTHENTICATE to require authentication to access the explicit web proxy. For example:

Explicit Proxy Type: Web
Source Address: Internal_subnet
Outgoing Interface: wan1
Destination Address: Fortinet-web-sites
Schedule: always
Action: AUTHENTICATE

Select Create New to add an Authentication Rule and configure the rule as follows:

Groups: Proxy-Group
Source User(s): (optional)
Schedule: always

Add security profiles as required and select OK.

You can add multiple user identity policies to apply different authentication for different user groups and users and also apply different UTM and logging settings for different user groups.

You can change the User Authentication Options if required. In most cases you can accept the defaults.

8. Optionally enable Web Caching.

9. Select OK.
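As an added example that is not part of the original page, the configuration built in steps 1 to 7 above expressed in the FortiOS CLI of the 5.2-era releases this walkthrough matches; the internal interface name port1 and the policy IDs are assumed, and command names such as explicit-proxy-policy and the url address type differ on other releases.

```fortios
# Enable the IPv4 explicit web proxy; keep the default action at deny so
# only sessions matched by an explicit proxy policy are allowed.
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
    set sec-default-action deny
end
# Listen on the internal interface only (assumed name: port1), never on wan1.
config system interface
    edit "port1"
        set explicit-web-proxy enable
    next
end
# Source range with interface unset (CLI form of Interface = any) and a URL pattern address.
config firewall address
    edit "Internal_subnet"
        set type iprange
        set start-ip 10.31.101.1
        set end-ip 10.31.101.255
        unset associated-interface
    next
    edit "Fortinet-web-sites"
        set type url
        set url "fortinet.com"
    next
end
# Policy 1 allows the subnet to fortinet.com via wan1; policy 2 also requires Proxy-Group membership.
config firewall explicit-proxy-policy
    edit 1
        set proxy web
        set dstintf "wan1"
        set srcaddr "Internal_subnet"
        set dstaddr "Fortinet-web-sites"
        set action accept
        set schedule "always"
    next
    edit 2
        set proxy web
        set dstintf "wan1"
        set srcaddr "Internal_subnet"
        set dstaddr "Fortinet-web-sites"
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups "Proxy-Group"
                set schedule "always"
            next
        end
    next
end
```

Explicit proxy policies are matched top to bottom, so if both policies are kept with identical match fields, the authenticating policy must be moved above the unauthenticated one for it to take effect.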



2 thoughts on “The FortiGate explicit web proxy”

  1. Tom

    When you are authenticating to the explicit proxy, are your credentials passing in clear text from your browser to the proxy?
