Explicit web proxy

Explicit web proxy can be configured on FortiGate for proxying HTTP and HTTPS traffic.

To deploy explicit proxy, individual client browsers can be manually configured to send requests directly to the proxy, or they can be configured to download proxy configuration instructions from a Proxy Auto-Configuration (PAC) file.

Once explicit proxy is configured on an interface, the interface IP address can be used by client browsers to forward requests directly to the FortiGate. FortiGate also supports PAC file configuration.

To configure explicit web proxy in the GUI:

  1. Enable and configure explicit web proxy:
    1. Go to Network > Explicit Proxy.
    2. Enable Explicit Web Proxy.
    3. Select port2 as the Listen on Interfaces and set the HTTP Port to 8080.
    4. Configure the remaining settings as needed.
    5. Click Apply.
  2. Create an explicit web proxy policy:
    1. Go to Policy & Objects > Proxy Policy.
    2. Click Create New.
    3. Set Proxy Type to Explicit Web and Outgoing Interface to port1.
    4. Also set Source and Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.
  3. Configure a client to use the FortiGate explicit proxy:

Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the PAC file.

To configure explicit web proxy in the CLI:

  1. Enable and configure explicit web proxy:

        config web-proxy explicit
            set status enable
            set ftp-over-http enable
            set socks enable
            set http-incoming-port 8080
            set ipv6-status enable
            set unknown-http-version best-effort
        end

        config system interface
            edit "port2"
                set vdom "vdom1"
                set ip 10.1.100.1 255.255.255.0
                set allowaccess ping https ssh snmp http telnet
                set type physical
                set explicit-web-proxy enable
                set snmp-index 12
            next
        end

  2. Create an explicit web proxy policy:

        config firewall proxy-policy
            edit 1
                set uuid 722b6130-13aa-51e9-195b-c4196568d667
                set proxy explicit-web
                set dstintf "port1"
                set srcaddr "all"
                set dstaddr "all"
                set service "webproxy"
                set action accept
                set schedule "always"
                set logtraffic all
            next
        end

  3. Configure a client to use the FortiGate explicit web proxy:

Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the PAC file.
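
A PAC file that points browsers at the proxy configured above, as an added example that is not part of the original guide. The address 10.1.100.1 and port 8080 come from the configuration on this page; treating 10.1.100.0/24 as a directly reachable local subnet, and the helper names ipv4ToInt and literalInNet, are assumptions.

```javascript
// Added example PAC file; not part of the original guide.
// From the page: FortiGate port2 is 10.1.100.1, explicit proxy HTTP port is 8080.
// Assumption: 10.1.100.0/24 is the clients' local subnet and is reached directly.
var FORTIGATE_PROXY = "PROXY 10.1.100.1:8080";
var LOCAL_NET = "10.1.100.0";
var LOCAL_MASK = "255.255.255.0";

// Hypothetical helper: dotted-quad IPv4 literal -> unsigned 32-bit number, else null.
function ipv4ToInt(text) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) { return null; }
  var value = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) { return null; }
    value = value * 256 + octet;
  }
  return value;
}

// Hypothetical helper: true only when host is an IPv4 literal inside net/mask.
// Host names are never resolved, so evaluating the PAC file causes no DNS lookups
// and a name that merely looks like "10.1.100.x.example" is not treated as local.
function literalInNet(host, net, mask) {
  var h = ipv4ToInt(host), n = ipv4ToInt(net), k = ipv4ToInt(mask);
  if (h === null || n === null || k === null) { return false; }
  return ((h & k) >>> 0) === ((n & k) >>> 0);
}

// Entry point every PAC-aware browser calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names (no dot, not an IPv6 literal) and loopback stay local.
  var unqualified = host.indexOf(".") === -1 && host.indexOf(":") === -1;
  if (unqualified || host === "127.0.0.1") { return "DIRECT"; }
  // Local subnet, including the FortiGate's own port2 address.
  if (literalInNet(host, LOCAL_NET, LOCAL_MASK)) { return "DIRECT"; }
  // Everything else goes through the FortiGate. No "; DIRECT" fallback is
  // appended, so an unreachable proxy fails the request instead of letting
  // traffic leave unproxied and unlogged.
  return FORTIGATE_PROXY;
}
```

Browsers expect a PAC file to be served with the MIME type application/x-ns-proxy-autoconfig. Host it somewhere clients can trust, because whoever controls the PAC file controls where browser traffic is sent.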

This entry was posted in Administration Guides, FortiGate, Fortinet Cookbook, FortiOS, FortiOS 6.2.
