FortiOS Handbook 6.0.0

Proxy authentication

Beginning in FortiOS 5.6, authentication is separated from authorization for user-based policies. You can add authentication to proxy policies to control access to the policy, to identify users, and to apply different UTM features to different users. The authentication methodology described here works with both the explicit web proxy and the transparent proxy.

Authentication of web proxy sessions uses HTTP Basic and Digest authentication as described in RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication). The FortiGate prompts the user for credentials through the browser, so individual users are identified by their browser rather than by IP address. This lets the FortiGate distinguish between multiple users accessing services from a shared IP address (for example, hosts behind NAT or sessions on a terminal server). Note that Basic authentication sends the credentials Base64-encoded, not encrypted, so over plain HTTP it exposes the user's password to anyone who can observe the request; Digest sends a hash of the credentials instead.

The methodology for adding authentication has changed from FortiOS 5.4 and earlier. The split policy is obsolete and, instead of identity-based policies, authentication is managed by authentication scheme, setting, and rule settings. These authentication settings are no longer configured within the individual policies. Authentication is set up in the following CLI contexts:

config authentication scheme

config authentication setting

config authentication rule

The authentication rule table defines how the user ID is obtained. A rule is matched on two factors:

  • Protocol
  • Source Address

For a given source address and protocol there is only one authentication rule. Multiple authentication methods can be configured for one address. The client browser chooses one method from the list it is offered, and you cannot control which one it picks; if you offer Basic alongside a stronger method, assume that some clients will use Basic.

Note

For authentication of transparent-mode proxy sessions to work, SSL deep inspection must be enabled, so that the proxy can see and challenge HTTPS requests as well as plain HTTP.
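The three CLI contexts above, as an added configuration example that is not part of the handbook page. The commands are the FortiOS 6.0 CLI; the object names, the LDAP server "ldap-server" (assumed to exist already), the address objects and the subnets are assumptions made for illustration. It defines one Basic scheme backed by LDAP, makes it the default active scheme, and then creates two rules: an IP-based rule for the LAN subnet, and a rule with no method for a single scanner host, which is the anonymous-user case described under Matching below.

```text
# Added example: FortiOS 6.0 CLI, not from the handbook page.
# Assumptions: an LDAP server object "ldap-server" already exists;
# the address objects and subnets below are made up for illustration.

config firewall address
    edit "lan-subnet"
        set subnet 10.10.1.0 255.255.255.0
    next
    edit "scanner-host"
        # one host exempted from authentication; keep such objects as narrow as possible
        set subnet 10.10.1.250 255.255.255.255
    next
end

# 1. Scheme: which method(s) the browser is offered and which user database
#    verifies the credentials. Basic is used because Digest requires the
#    FortiGate to hold the password itself (local users), which LDAP does not provide.
config authentication scheme
    edit "basic-ldap"
        set method basic
        set user-database "ldap-server"
    next
end

# 2. Setting: the scheme used when a rule does not name one itself.
config authentication setting
    set active-auth-scheme "basic-ldap"
end

# 3. Rules: matched on protocol + source address, one rule per pair.
config authentication rule
    edit "lan-http-basic"
        set status enable
        set protocol http
        set srcaddr "lan-subnet"
        # ip-based: after one successful login, later requests from the same
        # source IP reuse that user from the active user list without a new challenge
        set ip-based enable
        set active-auth-method "basic-ldap"
    next
    edit "scanner-no-auth"
        set status enable
        set protocol http
        set srcaddr "scanner-host"
        # no active-auth-method: requests from this address get an anonymous
        # user and are never challenged (Matching, step 2)
    next
end
```

Two consequences worth checking after applying this. With ip-based enabled the identity is cached per source IP, so every user behind a shared address (NAT, terminal server) inherits the first user's identity; disable ip-based for such sources so each browser is challenged individually. The no-method rule grants nothing by itself: the anonymous user it returns still has to be authorized by the group on a proxy policy, so a policy whose group contains only LDAP members will not match it and the request falls through to the next policy.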

Matching

If a rule is matched, the authentication methods defined in the rule are used to authenticate the user. The procedure is as follows:

  1. If the rule is IP-based, look up the active user list for a user already associated with the source IP. If one is found, return that user ID.
  2. If the rule has no authentication method set, an anonymous user is created and associated with the source IP, and that anonymous user is returned. This is effectively a way to bypass user authentication for selected source IPs, so the source address of such a rule should be as narrow as possible.
  3. Otherwise, use the rule's authentication methods to authenticate the user.
    • If no active method is defined, the attempt fails and an anonymous user is returned.
    • Otherwise, a valid or guest user must be identified before processing continues.
    • Return the identified user ID.

Once a user is returned, policy matching resumes until a policy is matched or the default policy is used.

Processing policies for authentication

Authentication rules are checked only once a user ID is needed in order to resolve a match to a policy.

Use the following scenario as an example of the process.

There are 3 policies:

  • policy1 does not have an associated user group
  • policy2 has an associated user group
  • policy3 does not have an associated user group

Step 1

If the traffic, based on protocol and source address, matches policy1, no user authentication is needed. The traffic is processed by policy1.

Step 2

If the traffic does not match policy1, and any factor of policy2 other than the user group is not matched, continue to the next policy.

If all factors of policy2 except the user group are matched, the authentication rule table is checked to obtain a user ID, following the procedure described under Matching.

Step 3

When a user ID is returned, whether it is a valid user or an anonymous user, it is checked against the user group associated with policy2. If the user is authorized by that group, policy2 matches and the traffic is processed by policy2. If not, move on to the next policy.

Step 4

For the purposes of this scenario, assume that the traffic either matches policy3 or that policy3 is the final policy, which denies everything.

Configuring authentication in transparent proxy

You can enable the transparent web proxy feature to support authentication. Follow these steps:

  1. Configure a firewall policy.
  2. Enable a UTM profile in the firewall policy. Whenever a UTM item is enabled, the policy also references a Proxy Options profile (profile-protocol-options).
  3. Go to the Proxy Options profile.

    • In the GUI this is Security Profiles > Proxy Options.
    • In the CLI it is config firewall profile-protocol-options.
  4. Edit the profile used by the policy.
  5. Enable HTTP in the profile.

    In the GUI, toggle on HTTP under Protocol Port Mapping.

    In the CLI, the command sequence is (the profile is selected by name; the first end closes the http sub-table and next/end save the profile):

    config firewall profile-protocol-options
        edit <profile name>
            config http
                set status enable
            end
        next
    end

  6. Fill out any other appropriate values.

  7. Configure the proxy policy and set its proxy option to transparent-web.

    The other configuration options are the same as for the explicit web proxy.

    In the GUI, go to Policy & Objects > Proxy Policy. In the Proxy Type field, choose Transparent Web.

    In the CLI, the command sequence is (the policy is selected by its numeric ID):

    config firewall proxy-policy
        edit <policy id>
            set proxy transparent-web
        next
    end

  8. Fill out any other appropriate values.
  9. Set up the authentication scheme and rule.

With this configuration, when an HTTP request passes through the FortiGate without the explicit web proxy being applied, the traffic is redirected to the WAD daemon after it matches a firewall policy whose Proxy Options profile has HTTP enabled. WAD then performs the proxy-policy matching, and all of the proxy authentication methods are available for the request.
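The nine steps above, together with the three-policy scenario under Processing policies for authentication, as one added end-to-end configuration example in the FortiOS 6.0 CLI. It is not from the handbook page; the interface names, address objects, the user group "web-users" and its LDAP member "ldap-server" (assumed to exist), and the profile names are assumptions. The firewall policy carries the UTM profile and deep inspection, its Proxy Options profile has HTTP enabled so matching traffic is handed to WAD, and the proxy-policy table reproduces policy1 (no group), policy2 (group) and policy3 (final deny).

```text
# Added example: FortiOS 6.0 CLI, not from the handbook page.
# Assumptions: port2 is the LAN, port1 the WAN; "ldap-server" exists;
# address objects, group and profile names are made up for illustration.

# WAD only handles the traffic when the VDOM is in proxy inspection mode
# (a per-VDOM setting in this release).
config system settings
    set inspection-mode proxy
end

config firewall address
    edit "lan-subnet"
        set subnet 10.10.1.0 255.255.255.0
    next
    edit "update-servers"
        set subnet 192.0.2.0 255.255.255.0
    next
end

config user group
    edit "web-users"
        set member "ldap-server"
    next
end

# Steps 3-6: Proxy Options profile with HTTP enabled; a firewall policy that
# references it sends its HTTP traffic to WAD for proxy-policy matching.
config firewall profile-protocol-options
    edit "transparent-proxy-opts"
        config http
            set status enable
        end
    next
end

# Steps 1-2: firewall policy with a UTM profile and SSL deep inspection
# (deep inspection is required for authentication of transparent sessions).
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "lan-subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "default"
        set profile-protocol-options "transparent-proxy-opts"
        set nat enable
    next
end

# Step 9: a minimal Basic/LDAP scheme and the rule that applies it to the LAN.
config authentication scheme
    edit "basic-ldap"
        set method basic
        set user-database "ldap-server"
    next
end
config authentication rule
    edit "lan-http-basic"
        set status enable
        set protocol http
        set srcaddr "lan-subnet"
        set active-auth-method "basic-ldap"
    next
end

# Steps 7-8: proxy policies, evaluated top-down by WAD. "webproxy" is the
# predefined web proxy service, as used for explicit-web policies.
config firewall proxy-policy
    edit 1
        # policy1: no group, so traffic to the update servers is never challenged
        set proxy transparent-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "lan-subnet"
        set dstaddr "update-servers"
        set service "webproxy"
        set action accept
        set schedule "always"
    next
    edit 2
        # policy2: group set, so all other LAN traffic triggers the
        # authentication rule and matches only for members of web-users
        set proxy transparent-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "lan-subnet"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "web-users"
        set utm-status enable
        set webfilter-profile "default"
    next
    edit 3
        # policy3: explicit final deny, which also catches the anonymous user
        # returned when authentication fails or no method applies
        set proxy transparent-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action deny
        set schedule "always"
    next
end
```

Order matters here exactly as in the scenario: because policy1 has no group, a request to update-servers is accepted without ever consulting the authentication rule table, while a request to any other destination falls to policy2, which is what triggers the Basic challenge. Swapping policies 1 and 2 would make the update-server traffic require authentication as well, and deleting policy3 would leave unauthenticated requests to the implicit default policy instead of an explicit, logged deny.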
