
Handbook

Web proxy configuration

6.0.0

Web proxy configuration

You can use the following general steps to configure the explicit web proxy.

To enable the explicit web proxy - GUI:
  1. Go to Network > Explicit Proxy and enable Explicit Web Proxy. From here you can optionally change the HTTP port that the proxy listens on (the default is 8080) and optionally specify different ports for HTTPS, FTP, PAC, and other options.
  2. Optionally enable IPv6 Explicit Proxy to turn on the explicit web proxy for IPv6 traffic.
    Note: If you enable both the IPv4 and the IPv6 explicit web proxy, you can combine IPv4 and IPv6 addresses in a single explicit web proxy policy to allow both IPv4 and IPv6 traffic through the proxy.
  3. Select Apply.

  4. Go to Network > Interfaces and select one or more interfaces for which to enable the explicit web proxy. Edit the interface. Under the Miscellaneous heading select Enable Explicit Web Proxy.
    Caution: Enabling the explicit web proxy on an interface connected to the Internet is a security risk. Anyone on the Internet who finds the proxy can relay traffic through it and hide their real source address behind the FortiGate, turning the unit into an open proxy. If you enable the proxy on such an interface, make sure every proxy policy that accepts traffic requires authentication (a user group) and that the default policy action stays set to Deny.
  5. Go to Policy & Objects > Addresses and select Create New to add a firewall address that matches the source address of packets to be accepted by the explicit proxy.
    Category: Address
    Name: Internal_subnet
    Type: IP Range
    Subnet / IP Range: 10.31.101.1 - 10.31.101.255
    Interface: any*

    *The Interface must be set to Any.

    You can also set the Type to URL Pattern (Explicit Proxy) to add a destination URL that is only used by the explicit proxy. For example, to create an explicit policy that only allows access to Fortinet.com:

    Category: Address
    Name: Fortinet-web-sites
    Type: URL Pattern (Explicit Proxy)
    URL Pattern: fortinet.com
    Interface: any
  6. Go to Policy & Objects > Proxy Policy and select Create New. Configure the policy as required to accept the traffic that you want to be allowed to use the explicit web proxy.
  7. Set the Outgoing Interface parameter by selecting the field with the "+" next to the field label. Selecting the field slides out a window from the right where you can select from the available interfaces. You can select one or more specific interfaces. For more information on interfaces, see the Concepts section called Interfaces and zones.
  8. The Source of the policy must match the client’s source IP addresses. The interface of this firewall address must be set to any.
  9. The Destination field should match the addresses of web sites that clients are connecting to. Usually the destination address would be all if proxying Internet web browsing. You could also specify a URL firewall address to limit the policy to allowing access to this URL.
  10. Set the Schedule parameter by using the drop-down menu to select a preconfigured schedule. The "+" icon next to the Search field is a shortcut for creating a new schedule object. For more information on schedules, see the Firewall Objects section called Schedules.
  11. If Default Firewall Policy Action is set to Deny (under Network > Explicit Proxy), traffic sent to the explicit web proxy that does not match an accepting web-proxy policy is dropped. If it is set to Allow, every web-proxy session that does not match a policy is allowed, which bypasses the source, destination and authentication restrictions in your policies. Deny is the default and should be kept unless you have a specific reason to change it.

    For example, the following security policy allows users on an internal network to access fortinet.com websites through the wan1 interface of a FortiGate unit.
    Explicit Proxy Type: Web
    Source Address: Internal_subnet
    Outgoing Interface: wan1
    Destination Address: Fortinet-web-sites
    Schedule: always
    Action: ACCEPT
    Note: The explicit web proxy accepts VIP addresses as destination addresses. If an external IP matches a VIP policy, the IP is changed to the mapped IP of the VIP.
  12. Set the Disclaimer Options

    You can configure a disclaimer for each Authentication Rule by enabling one of the options here. The choices are:

    Disable: No disclaimer (default setting).
    By Domain: The disclaimer is displayed once per domain. The explicit web proxy checks the Referer header so that requests for embedded JavaScript, CSS, images, video and similar page resources do not trigger the disclaimer again.
    By Policy: The disclaimer is displayed when an HTTP request matches a different explicit proxy policy.
    By User: The disclaimer is displayed when a new user logs on.

    If you chose a disclaimer option other than Disable, you will have the option to enable Customize Messages. If enabled, select the Edit Disclaimer Message button to customize the message to your needs. This can be done as text or as HTML. The default HTML version is there if you just want to make minor changes.

  13. Enable Security Profiles as required. After the profile type is toggled to enabled, you can use the drop down menu to select a specific profile. The available profile types are:
    • AntiVirus
    • WebFilter
    • Application Control
    • IPS
    • DLP Sensor
    • ICAP
    • Web Application Firewall

    Just like with a regular policy, as soon as any of the Security Profiles is enabled, the following fields, with their own drop down menus for specific profiles will appear:

    • Proxy Options
    • SSL/SSH Inspection
  14. Select OK.
To enable the explicit web proxy - CLI:
  1. Enter the following command to turn on the IPv4 and IPv6 explicit web proxy for HTTP and HTTPS traffic.

    config web-proxy explicit
        set status enable
        set ipv6-status enable
    end

    You can also enter the following command to enable the web proxy for FTP sessions in a web browser.

    config web-proxy explicit
        set ftp-over-http enable
    end

    The default explicit web proxy configuration has sec-default-action set to deny and requires you to add a security policy to allow access to the explicit web proxy.

  2. Enter the following command to enable the explicit web proxy for the internal interface. Use next to close the edit block and end to leave the table; a second end at the top level is not needed.

    config system interface
        edit internal
            set explicit-web-proxy enable
        next
    end

  3. Use the following command to add a firewall address that matches the source address of users who connect to the explicit web proxy.

    config firewall address
        edit Internal_subnet
            set type iprange
            set start-ip 10.31.101.1
            set end-ip 10.31.101.255
        next
    end

    The source address for a web-proxy security policy cannot be assigned to a FortiGate interface.

  4. Optionally use the following command to add a destination URL that is only used by the explicit proxy. For example, to create an explicit policy that only allows access to Fortinet.com:

    config firewall address
        edit Fortinet-web-sites
            set type url
            set url fortinet.com
        next
    end

  5. Use the following command to add an explicit web proxy policy that allows all users on the internal subnet to use the explicit web proxy for connections through the wan1 interface to the Internet.

    config firewall proxy-policy
        edit 0
            set proxy explicit-web
            set dstintf wan1
            set srcaddr Internal_subnet
            set dstaddr all
            set action accept
            set service webproxy
            set schedule always
        next
    end

  6. Use the following command to add an explicit web proxy policy that allows only authenticated users (members of the user group set with groups) on the internal subnet to use the explicit web proxy for connections through the wan1 interface to the Internet.

    config firewall proxy-policy
        edit 0
            set proxy explicit-web
            set dstintf wan1
            set srcaddr Internal_subnet
            set dstaddr Fortinet-web-sites
            set action accept
            set service webproxy
            set schedule always
            set groups <User group>
        next
    end

  7. Use the following command to change global web proxy settings, for example to set the maximum HTTP request length for the explicit web proxy to 10 (the value is in KB):

    config web-proxy global
        set max-request-length 10
    end

  8. Decide whether to scan proxied connections for botnet command-and-control servers.

    The option scan-botnet-connections uses the following syntax:

    config firewall proxy-policy
        edit <policy id>
            set scan-botnet-connections [disable|block|monitor]
        next
    end

    Where:

    • disable means do not scan connections to botnet servers
    • block means block connections to botnet servers
    • monitor means log connections to botnet servers
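The GUI and CLI procedures above leave three settings that decide whether the FortiGate becomes an open proxy: which interfaces carry the listener, whether sec-default-action is still deny, and whether each accepting proxy policy requires a user group. The following script is an added example, not code from the Fortinet handbook or from FortiOS: it parses the config/edit/set/next/end structure of a FortiOS CLI backup and reports those three conditions. The sample configuration embedded in it is constructed for the example, and the interface, address and group names (wan1, internal, Internal_subnet, Fortinet-web-sites, Proxy-Users) are assumptions.

```python
"""Audit a FortiOS CLI backup for explicit-web-proxy exposure.

Added example (not Fortinet code): reports the proxy listening on a WAN-role
interface, sec-default-action switched to accept, and accept policies that
require no user group. The sample configuration is constructed; its
interface, address and group names are assumptions.
"""
import shlex
from typing import Dict, List, Tuple

# Constructed sample: wan1 and internal both expose the proxy, the default
# action was changed to accept, and policy 1 accepts any source with no
# group. Policy 2 is the authenticated, destination-scoped version.
SAMPLE_CONFIG = """\
config web-proxy explicit
    set status enable
    set sec-default-action accept
end
config system interface
    edit "wan1"
        set role wan
        set explicit-web-proxy enable
    next
    edit "internal"
        set role lan
        set explicit-web-proxy enable
    next
end
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
    edit 2
        set proxy explicit-web
        set dstintf "wan1"
        set srcaddr "Internal_subnet"
        set dstaddr "Fortinet-web-sites"
        set action accept
        set groups "Proxy-Users"
    next
end
"""

Node = Dict[str, dict]  # {"set": {name: [values]}, "entries": {key: Node}}


def _node() -> Node:
    return {"set": {}, "entries": {}}


def parse_fortios(text: str) -> Dict[str, Node]:
    """Turn config/edit/set/next/end lines into nested dicts.

    Top-level keys are table names such as "system interface". Set values
    are kept as lists because FortiOS settings can be multi-valued
    (set srcaddr "a" "b"); quoting is handled by shlex.
    """
    root: Dict[str, Node] = {}
    stack: List[Node] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # backups start with #config-version
            continue
        kw, *args = shlex.split(line)
        if kw == "config":
            child = _node()
            (stack[-1]["entries"] if stack else root)[" ".join(args)] = child
            stack.append(child)
        elif kw == "edit":
            child = _node()
            stack[-1]["entries"][args[0]] = child
            stack.append(child)
        elif kw == "set":
            stack[-1]["set"][args[0]] = args[1:]
        elif kw in ("next", "end") and stack:
            stack.pop()
    return root


def audit_explicit_proxy(cfg: Dict[str, Node]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; empty when the proxy is off."""
    proxy = cfg.get("web-proxy explicit", _node())["set"]
    if proxy.get("status") != ["enable"]:
        return []
    findings: List[Tuple[str, str]] = []
    # deny is the default and is omitted from backups; only an explicit accept matters
    if proxy.get("sec-default-action") == ["accept"]:
        findings.append(("high", "sec-default-action accept: sessions matching no proxy policy are allowed"))
    wan_exposed = False
    for name, iface in cfg.get("system interface", _node())["entries"].items():
        s = iface["set"]
        if s.get("explicit-web-proxy") == ["enable"] and s.get("role") == ["wan"]:
            wan_exposed = True
            findings.append(("high", f"explicit proxy listener enabled on WAN-role interface {name}"))
    for pid, pol in cfg.get("firewall proxy-policy", _node())["entries"].items():
        s = pol["set"]
        if s.get("proxy") != ["explicit-web"] or s.get("action") != ["accept"]:
            continue
        if "groups" in s or "users" in s:
            continue  # authenticated policy, as in step 6 above
        src = " ".join(s.get("srcaddr", []))
        sev = "high" if wan_exposed or "all" in s.get("srcaddr", []) else "low"
        findings.append((sev, f"proxy-policy {pid} accepts srcaddr {src} without authentication"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_explicit_proxy(parse_fortios(SAMPLE_CONFIG)):
        print(f"[{sev}] {msg}")
```

Run it against a backup taken with the FortiGate's configuration export instead of SAMPLE_CONFIG to audit a real unit. An unauthenticated policy scoped to an internal address object (the step 5 policy above) is reported as low only while no WAN-role interface exposes the listener; once the proxy is reachable from the Internet, every policy without groups or users is high. To confirm the result on a live device from outside, an HTTP request through the listener (for example with curl's -x option against the assumed WAN address and port 8080) should be answered with 407 Proxy Authentication Required or refused, never with the requested page.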
