Fortinet white logo
Fortinet white logo

FortiDAST Proxy Server

FortiDAST Proxy Server

You can use proxy servers with FortiDAST to scan internal web applications that are are not exposed to the internet. This is particularly useful in scanning applications-in-development, internal corporate applications, integrating FortiDAST as a DAST scanner in DevOps pipelines, and so on. Deploy the proxy server in your environment as a Docker container, and it runs with minimum manual intervention.

The FortiDAST-Proxy server supports two modes of deployment.

  • Autonomous - The proxy server (Docker container) creates a reverse secure tunnel to the FortiDAST cloud and waits for commands. This is useful if you want to scan the application manually from the FortiDAST GUI or through the FortiDAST cloud APIs. This mode supports the following configurations.
    • Exit after scan - The container exits after completing the scan; re-install the proxy server to rescan the asset.
    • Daemon - This is a one-time installation mode wherein, the container always runs in the background until you stop it. This configuration minimizes manual intervention.
  • DevOps - This automates the scanning process along with a secure tunnel framework, and enables DAST scanning of web applications by integrating into CI/CD pipelines. When the container is invoked with the required configurations, it interacts with the FortiDAST cloud through REST APIs, and begins the scanning process automatically. This involves authorizing the asset, initiating the scan, waiting for the scan to complete, and stopping the container after the scan is complete.
Configuring the Proxy Server

This section describes the pre-requisites, recommendations, and set-up procedure for configuring a proxy server in your environment.

Pre-requisites
  • Minimum system requirements are 4 GB RAM and 4 core CPU for running 10 proxy server Docker containers.
  • Ensure that the VM hosting the proxy server container has internet connectivity through a NIC, this is required to fetch commands from the FortiDAST cloud and scan the application. Also, the VM must be able to reach the target web server through internal network.
  • Ensure that the target machine is not reachable from FortiDAST through a public IP address and is accessible only from the proxy server.
  • You can meet the aforementioned requirements either through a dedicated NIC or by configuring routing entries.
  • Ensure that the SSH traffic is allowed between the target web server and FortiDAST cloud (even if you have a Firewall).
Recommendations
  • Using Linux OS for configuring the proxy server, Windows OS is NOT supported.
  • Do not run the proxy server Docker container and the target web server on the same machine.
  • Whenever you generate new API keys, copy the updated Docker-compose file from the FortiDAST GUI, and bring up the proxy server again using the new compose file.

Note: Only IPv4 networking is supported for proxy servers. IPv6 is NOT supported.

  1. Install a Linux version (Ubuntu or Centos) in a virtual machine or physical server.
  2. Install the latest version of Docker engine and the Docker compose.
    sudo apt install docker.io
    sudo apt install docker-compose

  3. Copy the Docker compose file (docker-compose.yml) from the FortiDAST Proxy tab of the scan configuration page in the GUI. See FortiDAST Proxy.
  4. Bring up the proxy server container and run the command, sudo docker-compose -f <docker-compose.yml> up –d.

You can view the status of the FortiDAST - proxy server feature in the Scans Policy page. The green icon indicates that communication is established between the proxy server container and the FortiDAST cloud service. Initially, the status is indicated by a red icon, that implies a lack of communication. Hover over the icon to view the port over which the communication is established.

Ensure that the status of the FortiDAST proxy status is green before initiating the scan for the target.

Note: When newer version of the FortiDAST becomes available, you must remove the existing FortiDAST proxy docker image from your virtual machine and pull the latest version.

  • To remove existing FortiDAST proxy docker image run docker rmi registry.fortipentest.com/fptproxyserver command.
  • To pull the latest docker image run docker pull registry.fortidast.forticloud.com/dastproxy command.
  • Also, ensure that you copy the latest Docker compose file (docker-compose.yml) from the FortiDAST Proxy tab of the scan configuration page in the GUI. See FortiDAST Proxy.

FortiDAST Proxy Server

FortiDAST Proxy Server

You can use proxy servers with FortiDAST to scan internal web applications that are are not exposed to the internet. This is particularly useful in scanning applications-in-development, internal corporate applications, integrating FortiDAST as a DAST scanner in DevOps pipelines, and so on. Deploy the proxy server in your environment as a Docker container, and it runs with minimum manual intervention.

The FortiDAST-Proxy server supports two modes of deployment.

  • Autonomous - The proxy server (Docker container) creates a reverse secure tunnel to the FortiDAST cloud and waits for commands. This is useful if you want to scan the application manually from the FortiDAST GUI or through the FortiDAST cloud APIs. This mode supports the following configurations.
    • Exit after scan - The container exits after completing the scan; re-install the proxy server to rescan the asset.
    • Daemon - This is a one-time installation mode wherein, the container always runs in the background until you stop it. This configuration minimizes manual intervention.
  • DevOps - This automates the scanning process along with a secure tunnel framework, and enables DAST scanning of web applications by integrating into CI/CD pipelines. When the container is invoked with the required configurations, it interacts with the FortiDAST cloud through REST APIs, and begins the scanning process automatically. This involves authorizing the asset, initiating the scan, waiting for the scan to complete, and stopping the container after the scan is complete.
Configuring the Proxy Server

This section describes the pre-requisites, recommendations, and set-up procedure for configuring a proxy server in your environment.

Pre-requisites
  • Minimum system requirements are 4 GB RAM and 4 core CPU for running 10 proxy server Docker containers.
  • Ensure that the VM hosting the proxy server container has internet connectivity through a NIC, this is required to fetch commands from the FortiDAST cloud and scan the application. Also, the VM must be able to reach the target web server through internal network.
  • Ensure that the target machine is not reachable from FortiDAST through a public IP address and is accessible only from the proxy server.
  • You can meet the aforementioned requirements either through a dedicated NIC or by configuring routing entries.
  • Ensure that the SSH traffic is allowed between the target web server and FortiDAST cloud (even if you have a Firewall).
Recommendations
  • Using Linux OS for configuring the proxy server, Windows OS is NOT supported.
  • Do not run the proxy server Docker container and the target web server on the same machine.
  • Whenever you generate new API keys, copy the updated Docker-compose file from the FortiDAST GUI, and bring up the proxy server again using the new compose file.

Note: Only IPv4 networking is supported for proxy servers. IPv6 is NOT supported.

  1. Install a Linux version (Ubuntu or Centos) in a virtual machine or physical server.
  2. Install the latest version of Docker engine and the Docker compose.
    sudo apt install docker.io
    sudo apt install docker-compose

  3. Copy the Docker compose file (docker-compose.yml) from the FortiDAST Proxy tab of the scan configuration page in the GUI. See FortiDAST Proxy.
  4. Bring up the proxy server container and run the command, sudo docker-compose -f <docker-compose.yml> up –d.

You can view the status of the FortiDAST - proxy server feature in the Scans Policy page. The green icon indicates that communication is established between the proxy server container and the FortiDAST cloud service. Initially, the status is indicated by a red icon, that implies a lack of communication. Hover over the icon to view the port over which the communication is established.

Ensure that the status of the FortiDAST proxy status is green before initiating the scan for the target.

Note: When newer version of the FortiDAST becomes available, you must remove the existing FortiDAST proxy docker image from your virtual machine and pull the latest version.

  • To remove existing FortiDAST proxy docker image run docker rmi registry.fortipentest.com/fptproxyserver command.
  • To pull the latest docker image run docker pull registry.fortidast.forticloud.com/dastproxy command.
  • Also, ensure that you copy the latest Docker compose file (docker-compose.yml) from the FortiDAST Proxy tab of the scan configuration page in the GUI. See FortiDAST Proxy.