Proxy policy security profiles

Leave a reply

Proxy policy security profiles

Web proxy policies support most security profile types.

Explicit web proxy policy

The security profiles supported by explicit web proxy policies are:

  • AntiVirus, l Web Filter, l Application Control, l IPS, l DLP Sensor, l ICAP,
  • Web Application Firewall, and l SSL Inspection.

To configure security profiles on an explicit web proxy policy in the GUI:

  1. Go to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set the following:
Proxy Type Explicit Web
Outgoing Interface port1
Source all
Destination all
Schedule always
Service webproxy
Action ACCEPT
  1. In the Firewall / Network Options section, set Protocol Options to default.
  2. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):
AntiVirus av
Web Filter urlfiler
Application Control app
IPS Sensor-1
DLP Sensor dlp
ICAP default
Web Application Firewall default
SSL Inspection deep-inspection
  1. Click OK to create the policy.

To configure security profiles on an explicit web proxy policy in the CLI:

config firewall proxy-policy edit 1 set uuid c8a71a2c-54be-51e9-fa7a-858f83139c70 set proxy explicit-web set dstintf “port1” set srcaddr “all” set dstaddr “all” set service “web” set action accept set schedule “always” set utm-status enable set av-profile “av” set webfilter-profile “urlfilter” set dlp-sensor “dlp” set ips-sensor “sensor-1” set application-list “app” set icap-profile “default” set waf-profile “default” set ssl-ssh-profile “deep-inspection”

next end

Transparent proxy

The security profiles supported by explicit web proxy policies are:

  • AntiVirus, l Web Filter, l Application Control, l IPS, l DLP Sensor, l ICAP,
  • Web Application Firewall, and l SSL Inspection.

To configure security profiles on a transparent proxy policy in the GUI:

  1. Go to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set the following:
Proxy Type Explicit Web
Incoming Interfae port2
Outgoing Interface port1
Source all
Destination all
Schedule always
Service webproxy
Action ACCEPT
  1. In the Firewall / Network Options section, set Protocol Options to default.
  2. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):
AntiVirus av
Web Filter urlfiler
Application Control app
IPS Sensor-1
DLP Sensor dlp
ICAP default
Web Application Firewall default
SSL Inspection deep-inspection
  1. Click OK to create the policy.

To configure security profiles on a transparent proxy policy in the CLI:

config firewall proxy-policy edit 2 set uuid 8fb05036-56fc-51e9-76a1-86f757d3d8dc set proxy transparent-web set srcintf “port2” set dstintf “port1” set srcaddr “all” set dstaddr “all” set service “webproxy” set action accept set schedule “always” set utm-status enable set av-profile “av” set webfilter-profile “urlfilter” set dlp-sensor “dlp” set ips-sensor “sensor-1” set application-list “app” set icap-profile “default” set waf-profile “default” set ssl-ssh-profile “certificate-inspection”

next

end

FTP proxy

The security profiles supported by explicit web proxy policies are:

l AntiVirus, l Application Control, l IPS, and l DLP Sensor.

To configure security profiles on an FTP proxy policy in the GUI:

  1. Go to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set the following:
Proxy Type FTP
Outgoing Interface port1
Source all
Destination all
Schedule always
Action ACCEPT
  1. In the Firewall / Network Options section, set Protocol Options to default.
  2. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):
AntiVirus av
Application Control app
IPS Sensor-1
DLP Sensor dlp
  1. Click OK to create the policy.

To configure security profiles on an FTP proxy policy in the CLI:

config firewall proxy-policy edit 3 set uuid cb89af34-54be-51e9-4496-c69ccfc4d5d4

set proxy ftp set dstintf “port1” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set utm-status enable set av-profile “av” set dlp-sensor “dlp” set ips-sensor “sensor-1” set application-list “app”

next

end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiGate, Fortinet Cookbook, FortiOS, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.