FortiGate Cloud / FDN communication through an explicit proxy

Explicit proxy communication to FortiGate Cloud and FortiGuard servers from FortiGate is enabled. A proxy server can be configured in the FortiGuard settings so that all FortiGuard connections under the forticldd process can be established through the proxy server.

Note

Not all FortiGuard services are supported by these proxy settings. For example, web filter service traffic to FortiGuard will not be directed to the configured proxy.

To configure a proxy server and communicate with FortiGate Cloud through it:
  1. Configure FortiGate B as a proxy server:
    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set service "webproxy"
            set action accept
            set schedule "always"
            set logtraffic all
            set users "guest1"
        next
    end
    config user local
        edit "guest1"
            set type password
            set passwd 123456
        next
    end
    config authentication scheme
        edit "local-basic"
            set method basic
            set user-database "local-user-db"
        next
    end
    config authentication rule
        edit "local-basic-rule"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "local-basic"
        next
    end
  2. Configure a firewall policy on FortiGate B to allow FortiGate A to get DNS resolution:
    config firewall policy
        edit 1
            set name "dns"
            set uuid c55cd2fa-9486-51e9-fc0a-c17b296f9c72
            set srcintf "port18"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "DNS"
            set fsso disable
            set nat enable
        next
    end
  3. Configure the FortiGuard proxy settings on FortiGate A:
    config system fortiguard
        set proxy-server-ip 10.2.2.2
        set proxy-server-port 8080
        set proxy-username "guest1"
        set proxy-password 123456
    end
  4. On FortiGate A, log in to FortiGate Cloud to activate the logging service:
    execute fortiguard-log login <username> <password>
  5. On FortiGate A, view the forticldd debug message to see the connection to the log controller through the proxy server:
    #
    [136] fds_on_sys_fds_change: trace
    [40] fds_queue_task: req-111 is added to log-controller
    [596] fds_https_start_server: server: 172.16.95.168:443
    [654] ssl_new: SSL object is created
    [117] https_create: proxy server 10.2.2.2 port:8080
    [40] fds_queue_task: req-101 is added to message-controller
    [596] fds_https_start_server: server: 172.16.95.187:443
    [654] ssl_new: SSL object is created
    [117] https_create: proxy server 10.2.2.2 port:8080
    [124] fds_on_log_setting_change: trace
    [528] fds_https_connect: https_connect(172.16.95.168) is established.
    [265] fds_svr_default_on_established: log-controller has connected to ip=172.16.95.168
    diagnose test application forticldd 1
        System=FGT Platform=FG201E
        Management vdom: vdom1, id=1,  ha=master.
        acct_id=user@fortinet.com
        acct_st=OK
        
        FortiGuard log: status=enabled, full=overwrite, ssl_opt=1, source-ip=0.0.0.0
        
        Centra Management: type=FGD, flags=000000bf.
        
        active-tasks=0
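As an added example (not Fortinet's code), the following Python check parses the FortiGuard proxy settings from step 3 and the forticldd debug trace from step 5 (both embedded here as constructed sample input) and reports any FortiGuard server session that was not created through the configured proxy, so a defender can confirm that forticldd traffic is actually leaving via the proxy rather than directly:

```python
import re

# Constructed sample input: the 'config system fortiguard' block from step 3
# and the forticldd debug lines from step 5 of this page.
FORTIGUARD_CONFIG = """\
config system fortiguard
    set proxy-server-ip 10.2.2.2
    set proxy-server-port 8080
    set proxy-username "guest1"
end
"""

FORTICLDD_DEBUG = """\
[40] fds_queue_task: req-111 is added to log-controller
[596] fds_https_start_server: server: 172.16.95.168:443
[654] ssl_new: SSL object is created
[117] https_create: proxy server 10.2.2.2 port:8080
[40] fds_queue_task: req-101 is added to message-controller
[596] fds_https_start_server: server: 172.16.95.187:443
[654] ssl_new: SSL object is created
[117] https_create: proxy server 10.2.2.2 port:8080
[528] fds_https_connect: https_connect(172.16.95.168) is established.
[265] fds_svr_default_on_established: log-controller has connected to ip=172.16.95.168
"""


def configured_proxy(config):
    """Return (ip, port) from a 'config system fortiguard' block, or None if unset."""
    ip = re.search(r"set proxy-server-ip (\S+)", config)
    port = re.search(r"set proxy-server-port (\d+)", config)
    return (ip.group(1), int(port.group(1))) if ip and port else None


def proxy_usage(debug):
    """Map each FortiGuard server to the proxy its session was created through
    and whether the HTTPS connection was reported as established."""
    servers, current = {}, None
    for line in debug.splitlines():
        m = re.search(r"fds_https_start_server: server: ([\d.]+):\d+", line)
        if m:  # a new server session starts; following https_create belongs to it
            current = m.group(1)
            servers[current] = {"proxy": None, "established": False}
            continue
        m = re.search(r"https_create: proxy server ([\d.]+) port:(\d+)", line)
        if m and current:
            servers[current]["proxy"] = (m.group(1), int(m.group(2)))
            continue
        m = re.search(r"https_connect\(([\d.]+)\) is established", line)
        if m and m.group(1) in servers:
            servers[m.group(1)]["established"] = True
    return servers


def servers_bypassing_proxy(config, debug):
    """FortiGuard servers whose session did not go through the configured proxy."""
    expected = configured_proxy(config)
    return [s for s, st in proxy_usage(debug).items() if st["proxy"] != expected]
```

An empty result from servers_bypassing_proxy means every forticldd session in the trace was created via the proxy from the configuration; note that services outside forticldd (such as web filter lookups, per the note above) never appear in this trace and still need their own egress path.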