Professional Documents
Culture Documents
FORTINET
Explicit Proxy
In this lesson, we will show you how your web browsers can use FortiGate as an explicit proxy.
DO NOT REPRINT
FORTINET
Explicit Proxy
After completing this lesson, you should have these practical skills.
You will learn how to configure both FortiGate and the web browsers that will use it as an explicit proxy.
Since you can alternatively use an implicit proxy, we will also explain why in some cases you might want
an explicit proxy instead.
DO NOT REPRINT
FORTINET
Explicit Proxy
A proxy receives or intercepts requests from a client to a server. If allowed, and if no cache is available,
it forwards the request to the server on behalf of the client.
Two sessions are created: one from the client to the proxy, and another one from the proxy to the server.
How is this different from an implicit proxy, sometimes called a transparent proxy?
DO NOT REPRINT
FORTINET
Explicit Proxy
An implicit proxy server does not require any configuration change on the clients. Clients continue to use
the web just like they would without a proxy.
Clients send requests to the web servers IP address and port number. The proxy intercepts the clients
requests transparently that is, at the IP layer, the destination address doesnt change.
Does this mean that implicit proxies dont require any configuration changes, anywhere? Not
necessarily.
Usually, both incoming and outgoing traffic is routed through FortiGate. As a result, web browsing is
already being routed through FortiGate, where it can be intercepted by the transparent proxy. But if
clients traffic isnt currently routed through FortiGate, then you must reconfigure routing so that the
packets will be routed through FortiGate, where the implicit proxy can intercept.
DO NOT REPRINT
FORTINET
Explicit Proxy
DO NOT REPRINT
FORTINET
Explicit Proxy
How do you configure users web browsers to use an explicit web proxy?
In large networks, you wont configure the browser settings individually, on each computer; instead, for
example, you may use an Active Directory login script or roaming profile.
Alternatively, you can configure browsers to use an explicit proxy by installing PAC file, or using the web
proxy autodiscovery protocol (WAPD).
Lets look at each.
DO NOT REPRINT
FORTINET
Explicit Proxy
With manual configuration, you must provide one proxys FQDN or IP address. It is limited to only one
proxy.
If you want to exempt specific IP addresses, subnets and FQDNs from using the proxy, you can add
them to a list. For those destinations, the browser will send requests directly to the web servers.
DO NOT REPRINT
FORTINET
Explicit Proxy
The second possible method is a standard explicit auto-configuration file, called a PAC file. A PAC file
contains instructions that tell the browser when to use a proxy, and which proxy to use, depending on the
destination.
This method supports use of multiple proxy servers.
To deploy the PAC file, first you must install it on an HTTP server that the clients can reach. (Your
FortiGate can act as the HTTP server for the PAC file.) Then you must configure all browsers with the
PAC files URL. Again, in larger networks, you usually wont do this individually; instead, you will use
your domain to define the PAC files URL.
DO NOT REPRINT
FORTINET
Explicit Proxy
DO NOT REPRINT
FORTINET
Explicit Proxy
Browsers can automatically discover the URL where the PAC files is located via the web proxy autodiscovery protocol.
There are two methods you can use to do this. One is to use a DNS server; the other is to use a DHCP
server.
Most browsers try the DHCP method first. If it fails, they try the DNS method.
DO NOT REPRINT
FORTINET
Explicit Proxy
DO NOT REPRINT
FORTINET
Explicit Proxy
DO NOT REPRINT
FORTINET
Explicit Proxy
Usually, you will enable the proxy to cache responses from web servers.
A web cache stores responses from web servers so that the next time a client requests the same thing,
FortiGate can quickly send the cached content, instead of forwarding the request and waiting for the
response. This reduces WAN bandwidth usage, server load, and delay. We will review how web caching
works in the next slides.
DO NOT REPRINT
FORTINET
Explicit Proxy
DO NOT REPRINT
FORTINET
Explicit Proxy
DO NOT REPRINT
FORTINET
Explicit Proxy
Given that cache consumes system resources, do you want all users to be able to use the cache?
You can configure FortiGates HTTP proxy to allow access only to authenticated users that belong to
specific user groups. Authentication can be either based on either source IP address or HTTP session
cookies.
How should you decide which to use?
IP-based authentication requires less RAM to remember the authenticated sessions. However, it should
only be used when each user has a different IP address from the perspective of the source address in
the IP header.
If your users are behind source NAT, such as with a remote office that uses Internet sharing, use HTTP
session-based authentication instead. In this mode, each browser inserts an HTTP cookie in its
requests. The cookie identifies the users sessions. This method requires slightly more RAM because
FortiGate must remember all session cookies. However, it can even differentiate the same person using
multiple accounts multiple tabs in multiple browsers.
DO NOT REPRINT
FORTINET
Explicit Proxy
What does the traffic flow look like when a user authenticates with the explicit proxy, using HTTP
session-based authentication?
If a user connects and the request doesnt have any associated authentication session, first FortiGate
replies to the browser, requesting login credentials. The browser prompts the user to authenticate, and
remembers the authenticated state by storing a cookie.
If the same user makes more requests later, the browser automatically sends the same cookie again.
FortiGate identifies the user via a lookup in its table of current session cookies, so the user does not
need to authenticate for every request only the first time.
DO NOT REPRINT
FORTINET
Explicit Proxy
These are the steps for configuring a FortiGate as an explicit web proxy. We will show the details of
each step next.
DO NOT REPRINT
FORTINET
Explicit Proxy
By default, the explicit web proxy settings are hidden in the GUI. To show them, in the dashboards
Features widget, enable explicit proxy.
DO NOT REPRINT
FORTINET
Explicit Proxy
Once explicit proxy settings are visible in the GUI, you can enable and configure them.
You can configure the TCP port where the proxy is listening, edit and upload the PAC file, and choose
the default action that FortiGate will take if there is any traffic that doesnt match a proxy policy.
We will talk about the proxy policies later.
DO NOT REPRINT
FORTINET
Explicit Proxy
After enabling the explicit web proxy globally, you must specify which on which interfaces the proxy will
listen for connections.
DO NOT REPRINT
FORTINET
Explicit Proxy
The next step is to create explicit proxy policies to specify which traffic and users are allow to use the
proxy. Starting from FortiOS 5.2, policies for explicit proxy are configured in a different configuration
section than the regular firewall policies.
Proxy traffic can be inspected. We can do antivirus, web filtering, application control and IPS inspection.
Additionally, the use of web caching can be enabled or disabled per policy.
When the proxy traffic matches a proxy policy, the FortiGate take one of three possible actions: Accept
the traffic, deny it, or request authentication before accepting it.
DO NOT REPRINT
FORTINET
Explicit Proxy
If you select authentication as the action, you will be presented with the option to add authentication
rules. These rules specify which users and users groups are allowed, and what kind of inspection is
going to be done over each of them.
DO NOT REPRINT
FORTINET
Explicit Proxy
Authentication for the explicit proxy behaves differently than it usually does for firewall policies.
With the explicit proxy, FortiGate will not fall through to try the next authentication rule.
FortiGate always applies the first policy that matches all criteria: the source IP address, the destination
IP address, and the outgoing interface. It doesnt evaluate any policy after the first match, even if the
user failed to authenticate with the first rule.
Lets look at an example next.
DO NOT REPRINT
FORTINET
Explicit Proxy
In this example, the first proxy policy matches traffic from 10.0.1.0/24. It only allows the user named
Student.
The second policy allows traffic without authentication only if the source address matches 10.0.0.0/8.
With this configuration, if traffic arrives from the 10.0.1.0/24 subnet, and that user has not authenticated
yet, then FortiGate prompts the user to authenticate. Traffic from that source IP address always matches
the first policy, and FortiGate does not continue to evaluate other policies in the list after it finds a match.
So FortiGate never applies the second policy for that subnet only for the rest of 10.0.0.0/8.
DO NOT REPRINT
FORTINET
Explicit Proxy
In the CLI, if you disable the setting strict-guest, then all users that do not belong to any user
group in the proxy policy will be treated as if they belong to a group named SSO_guest_user. In this
way, you can control their access even if the users cannot authenticate.
DO NOT REPRINT
FORTINET
Explicit Proxy
Like with firewall policies, when creating proxy policies, you use firewall address objects to specify the
source and destination.
With HTTP, the destination may appear in both the IP headers destination field, and the HTTP headers
Host: field. They arent always the same. Usually, the Host: header is a FQDN, indicating possibly
an Apache virtual host; it is not usually an IP address. But at the IP layer, the destination field always
contains an IP address. So if you are matching by using the IP Range object, keep in mind which layer
you are matching, and the effects of NAT at both layers.
Are IP addresses and domain names the only way you can use to match traffic with a proxy rule? No.
One type of firewall address object can only be used in proxy policies: the URL pattern object type. The
proxy can match policies based on the requested URL (not only the destination IP address). URL
address objects are used for that purpose.
DO NOT REPRINT
FORTINET
Explicit Proxy
In this example of the use of an URL Address object, the first proxy policy allows unrestricted access to
the URL update.microsoft.com. No authentication is required.
All other traffic would match the second policy, which enforces authentication when accessing any other
URL.
DO NOT REPRINT
FORTINET
Explicit Proxy
If you are using the WPAD DNS method to configure the browser, you may need to edit the PAC file to
indicate the file name and listening port number.
As we explained before, the DNS method always assumes that the PAC file is located at:
http://<FortiGate_IP_Address>:80/wpad.dat
So if your clients use the DNS method, you must configure FortiGate to offer the PAC file named
wpad.dat, and to listen for requests for it on port 80.
DO NOT REPRINT
FORTINET
Explicit Proxy
Also, you must check that the Local Domain Name setting is properly configured.
This indicates which requests that FortiGate will reply to; FortiGate will only reply if clients requests for
the WPAD file match the FortiGates own HTTP Host: header.
DO NOT REPRINT
FORTINET
Explicit Proxy
Once the web proxy is working, you can monitor which users that are connected to it that is, the
proxys session table. You can do this from the GUI, or from the CLI by using the command:
diagnose wad user list
You can also remove all entries from the list of users that are currently
authenticated with the proxy.
DO NOT REPRINT
FORTINET
Explicit Proxy