Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 6.4.14 Administration Guide
    6.4.14
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Multiple dynamic header count

    Multiple dynamic header count

    Multiple dynamic headers are supported for web proxy profiles, as well as Base64 encoding and the append/new options.

    Administrators only have to select the dynamic header in the profile. The FortiGate will automatically display the corresponding static value. For example, if the administrator selects the $client-ip header, the FortiGate will display the actual client IP address.

    The supported headers are:

    $client-ip

    Client IP address

    $user

    Authentication user name

    $domain

    User domain name

    $local_grp

    Firewall group name

    $remote_grp

    Group name from authentication server

    $proxy_name

    Proxy realm name
    To configure dynamic headers using the CLI:

    Since authentication is required, FSSO NTLM authentication is configured in this example.

    1. Configure LDAP:
      config user ldap
    edit "ldap-kerberos"
        set server "172.18.62.220"
        set cnid "cn"a
        set dn "dc=fortinetqa,dc=local"
        set type regular
        set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
        set password *********
    next
end
    2. Configure FSSO:
      config user fsso
    edit "1"
        set server "172.18.62.220"
        set password *********
    next
end
    3. Configure a user group:
      config user group
    edit "NTLM-FSSO"
        set group-type fsso-service
        set member "FORTINETQA/FSSO"
    next
end
    4. Configure an authentication scheme:
      config authentication scheme
    edit "au-sch-ntlm"
        set method ntlm
    next
end
    5. Configure an authentication rule:
      config authentication rule
    edit "au-rule-fsso"
        set srcaddr "all"
        set active-auth-method "au-sch-ntlm"
    next
end
    6. Create a web proxy profile that adds a new dynamic and custom Via header:
      config web-proxy profile
    edit "test"
        set log-header-change enable
        config headers
            edit 1
                set name "client-ip"
                set content "$client-ip"
            next
            edit 2
                set name "Proxy-Name"
                set content "$proxy_name"
            next
            edit 3
                set name "user"
                set content "$user"
            next
            edit 4
                set name "domain"
                set content "$domain"
            next
            edit 5
                set name "local_grp"
                set content "$local_grp"
            next
            edit 6
                set name "remote_grp"
                set content "$remote_grp"
            next
            edit 7
                set name "Via"
                set content "Fortigate-Proxy"
            next
        end
    next
end
    7. In the proxy policy, append the web proxy profile created in the previous step:
      config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "web"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "NTLM-FSSO"
        set webproxy-profile "test"
        set utm-status enable
        set av-profile "av"
        set webfilter-profile "content"
        set ssl-ssh-profile "deep-custom"
    next
end
    8. Once traffic is being generated from the client, look at the web filter logs to verify that it is working.

      The corresponding values for all the added header fields displays in the Change headers section at the bottom of the Log Details pane.

      1: date=2019-02-07 time=13:57:24 logid="0344013632" type="utm" subtype="webfilter" eventtype="http_header_change" level="notice" vd="vdom1" eventtime=1549576642 policyid=1 transid=50331689 sessionid=1712788383 user="TEST21@FORTINETQA" group="NTLM-FSSO" profile="test" srcip=10.1.100.116 srcport=53278 dstip=172.16.200.46 dstport=80 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTP" url="http://172.16.200.46/" agent="curl/7.22.0" chgheaders="Added=client-ip: 10.1.100.116|Proxy-Name: 1.1 100D.qa|user: TEST21|domain: FORTINETQA|local_grp: NTLM-FSSO|remote_grp: FORTINETQA/FSSO|Via: Fortigate-Proxy"

    Previous
    Next

    Multiple dynamic header count

    Multiple dynamic header count

    Multiple dynamic headers are supported for web proxy profiles, as well as Base64 encoding and the append/new options.

    Administrators only have to select the dynamic header in the profile. The FortiGate will automatically display the corresponding static value. For example, if the administrator selects the $client-ip header, the FortiGate will display the actual client IP address.

    The supported headers are:

    $client-ip

    Client IP address

    $user

    Authentication user name

    $domain

    User domain name

    $local_grp

    Firewall group name

    $remote_grp

    Group name from authentication server

    $proxy_name

    Proxy realm name
    To configure dynamic headers using the CLI:

    Since authentication is required, FSSO NTLM authentication is configured in this example.

    1. Configure LDAP:
      config user ldap
    edit "ldap-kerberos"
        set server "172.18.62.220"
        set cnid "cn"a
        set dn "dc=fortinetqa,dc=local"
        set type regular
        set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
        set password *********
    next
end
    2. Configure FSSO:
      config user fsso
    edit "1"
        set server "172.18.62.220"
        set password *********
    next
end
    3. Configure a user group:
      config user group
    edit "NTLM-FSSO"
        set group-type fsso-service
        set member "FORTINETQA/FSSO"
    next
end
    4. Configure an authentication scheme:
      config authentication scheme
    edit "au-sch-ntlm"
        set method ntlm
    next
end
    5. Configure an authentication rule:
      config authentication rule
    edit "au-rule-fsso"
        set srcaddr "all"
        set active-auth-method "au-sch-ntlm"
    next
end
    6. Create a web proxy profile that adds a new dynamic and custom Via header:
      config web-proxy profile
    edit "test"
        set log-header-change enable
        config headers
            edit 1
                set name "client-ip"
                set content "$client-ip"
            next
            edit 2
                set name "Proxy-Name"
                set content "$proxy_name"
            next
            edit 3
                set name "user"
                set content "$user"
            next
            edit 4
                set name "domain"
                set content "$domain"
            next
            edit 5
                set name "local_grp"
                set content "$local_grp"
            next
            edit 6
                set name "remote_grp"
                set content "$remote_grp"
            next
            edit 7
                set name "Via"
                set content "Fortigate-Proxy"
            next
        end
    next
end
    7. In the proxy policy, append the web proxy profile created in the previous step:
      config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "web"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "NTLM-FSSO"
        set webproxy-profile "test"
        set utm-status enable
        set av-profile "av"
        set webfilter-profile "content"
        set ssl-ssh-profile "deep-custom"
    next
end
    8. Once traffic is being generated from the client, look at the web filter logs to verify that it is working.

      The corresponding values for all the added header fields displays in the Change headers section at the bottom of the Log Details pane.

      1: date=2019-02-07 time=13:57:24 logid="0344013632" type="utm" subtype="webfilter" eventtype="http_header_change" level="notice" vd="vdom1" eventtime=1549576642 policyid=1 transid=50331689 sessionid=1712788383 user="TEST21@FORTINETQA" group="NTLM-FSSO" profile="test" srcip=10.1.100.116 srcport=53278 dstip=172.16.200.46 dstport=80 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTP" url="http://172.16.200.46/" agent="curl/7.22.0" chgheaders="Added=client-ip: 10.1.100.116|Proxy-Name: 1.1 100D.qa|user: TEST21|domain: FORTINETQA|local_grp: NTLM-FSSO|remote_grp: FORTINETQA/FSSO|Via: Fortigate-Proxy"

    Previous
    Next