
Administration Guide

Proxy chaining (web proxy forwarding servers)

For the explicit web proxy you can configure web proxy forwarding servers to use proxy chaining to redirect web proxy sessions to other proxy servers. Proxy chaining can be used to forward web proxy sessions from the FortiGate unit to one or more other proxy servers on your network or on a remote network. You can use proxy chaining to integrate the FortiGate explicit web proxy with a web proxy solution that you already have in place.

A FortiGate unit can forward sessions to most web proxy servers including a remote FortiGate unit with the explicit web proxy enabled. No special configuration of the explicit web proxy on the remote FortiGate unit is required.

You can deploy the explicit web proxy with proxy chaining in an enterprise environment consisting of small satellite offices and a main office. If each office has a FortiGate unit, users at each of the satellite offices can use their local FortiGate unit as an explicit web proxy server. The satellite office FortiGate units can forward explicit web proxy sessions to an explicit web proxy server at the central office. From here the sessions can connect to web servers on the Internet.

FortiGate proxy chaining does not support authentication between the proxies in the chain: the FortiGate does not present credentials to the upstream proxy, so the forwarding server must accept connections from the FortiGate without authentication.

The following examples assume explicit web proxy has been enabled.

To enable explicit web proxy in the GUI:
  1. Go to System > Feature Visibility.
  2. In the Security Features column, enable Explicit Proxy.
  3. Configure the explicit web proxy settings. See Explicit web proxy.
To add a web proxy forwarding server in the GUI:
  1. Go to Network > Explicit Proxy. The Explicit Proxy page opens.
  2. In the Web Proxy Forwarding Servers section, click Create New.
  3. Configure the server settings and click OK.
    Name: Enter the name of the forwarding server.
    Proxy Address Type: Select whether the forwarding server is identified by an FQDN or by an IP address.
    Proxy Address: Enter the IP address or FQDN of the forwarding server, matching the selected address type.
    Port: Enter the port number on which the forwarding server accepts connections. Traffic leaving the FortiGate explicit web proxy for this server has its destination port number changed to this number.
    Server Down Action: Select the action the explicit web proxy takes if the forwarding server is down.
      • Block: Blocks the traffic while the remote server is down.
      • Use Original Server: Forwards the traffic from the FortiGate directly to its destination, as if no forwarding server were configured.
    Health Monitor: Select to enable health check monitoring.
    Health Check Monitor Site: Enter the URL of a remote site that the FortiGate requests through the forwarding server to confirm the server is working (for example, http://example.com).

Example

The following example adds a web proxy forwarding server named fwd-srv at address proxy.example.com and port 8080.

To add a web proxy forwarding server in the CLI:

config web-proxy forward-server
    edit fwd-srv
        set addr-type fqdn
        set fqdn proxy.example.com
        set port 8080
    next
end

Web proxy forwarding server monitoring and health checking

By default, a FortiGate unit monitors a web proxy forwarding server by opening a connection to the remote server every 10 seconds. The remote server is assumed to be down if it does not respond to the connection, and is assumed to be back up as soon as it responds to a later check; the FortiGate keeps checking while the server is down. This default check only confirms that the forwarding server accepts connections, not that it can reach the Internet on the client's behalf. If you enable health checking, the FortiGate unit attempts to get a response from a web server every 10 seconds by connecting through the remote forwarding server, so the server is only considered up when a request made through it actually succeeds.

You can configure health checking for each remote server and specify a different website to check for each one.

If the remote server is found to be down, you can configure the FortiGate unit either to block sessions until the server comes back up or to let sessions connect directly to their destination, bypassing the remote forwarding server. A single forwarding server cannot fail over to another forwarding server; to spread sessions across several servers and skip the ones that are down, add them to a forwarding server group (see Grouping forwarding servers and load balancing traffic to the servers below).

To configure proxy server monitor and health checking in the GUI:
  1. Go to Network > Explicit Proxy. The Explicit Proxy page opens.
  2. In the Web Proxy Forwarding Servers section, select a server and click Edit.
  3. Configure the Server Down Action and Health Monitor settings.
    Server Down Action: Select the action the explicit web proxy takes if the forwarding server is down.
      • Block: Blocks the traffic while the remote server is down.
      • Use Original Server: Forwards the traffic from the FortiGate directly to its destination, as if no forwarding server were configured.
    Health Monitor: Select to enable health check monitoring.
    Health Check Monitor Site: Enter the URL of a remote site that the FortiGate requests through the forwarding server (for example, http://example.com).

  4. Click OK.
Example

The following example enables health checking for a web proxy forwarding server and sets the server down option to bypass the forwarding server if it is down.

To configure proxy server monitor and health checking in the CLI:

config web-proxy forward-server
    edit fwd-srv
        set healthcheck enable
        set monitor http://example.com
        set server-down-option pass
    next
end
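The following Python script is an added example, not FortiOS code, that models the two behaviours configured above: a health check that requests the monitor site through the forwarding server (so a bare TCP accept is not enough to count the server as up), and the per-session decision driven by server-down-option. A constructed stand-in forwarding proxy listens on localhost so the script runs offline; start_fake_proxy, health_check and route_for are assumed names, not FortiGate APIs.

```python
import socket
import threading
from urllib.parse import urlsplit

# Added example, not FortiOS code. The stand-in proxy below is constructed
# for the demonstration; the function names are assumptions.


def start_fake_proxy(upstream_reachable=True):
    """Run a minimal HTTP forward proxy on an ephemeral 127.0.0.1 port.

    It accepts the absolute-form request an explicit-proxy client sends
    (GET http://host/ HTTP/1.1) and answers 200 when the upstream it would
    chain to is reachable, 502 when it is not. Returns (port, stop_function).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    listener.settimeout(0.2)
    port = listener.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = listener.accept()
            except socket.timeout:
                continue
            with conn:
                request_line = conn.recv(4096).split(b"\r\n", 1)[0]
                ok = upstream_reachable and request_line.startswith(b"GET http://")
                status = b"200 OK" if ok else b"502 Bad Gateway"
                body = b"ok" if ok else b"upstream down"
                conn.sendall(b"HTTP/1.1 " + status + b"\r\n"
                             b"Content-Length: " + str(len(body)).encode() + b"\r\n"
                             b"Connection: close\r\n\r\n" + body)
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def health_check(proxy_host, proxy_port, monitor_url="http://example.com", timeout=2.0):
    """Probe the forwarding server the way 'set healthcheck enable' does:
    connect to it and request the monitor site THROUGH it. Only a 2xx/3xx
    status for that site counts as up; a successful TCP connect alone does not."""
    host = urlsplit(monitor_url).netloc
    request = (f"GET {monitor_url} HTTP/1.1\r\nHost: {host}\r\n"
               f"Connection: close\r\n\r\n").encode()
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(request)
            status_line = b""
            while b"\r\n" not in status_line:  # read up to the end of the status line
                chunk = sock.recv(256)
                if not chunk:
                    return False  # server closed without sending an HTTP status
                status_line += chunk
        code = int(status_line.split(b" ", 2)[1])
        return 200 <= code < 400
    except (OSError, ValueError, IndexError):
        return False  # refused / timed out, or no parsable HTTP status line


def route_for(server_up, server_down_option):
    """Per-session decision for a single forwarding server: 'forward' chains
    through it; when it is down, server-down-option 'block' drops the session
    and 'pass' (Use Original Server in the GUI) sends it directly."""
    if server_up:
        return "forward"
    if server_down_option == "block":
        return "block"
    if server_down_option == "pass":
        return "direct"
    raise ValueError("server-down-option must be 'block' or 'pass'")


if __name__ == "__main__":
    port, stop = start_fake_proxy(upstream_reachable=True)
    up = health_check("127.0.0.1", port)
    print(f"forwarding server on :{port} up={up} -> {route_for(up, 'pass')}")
    stop()
```

Run it against a real upstream by replacing the fake proxy's host and port with your forwarding server's; the probe is the same absolute-form GET that the FortiGate's monitor setting implies, so a proxy that accepts the connection but cannot reach the monitor site is correctly reported as down.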

Grouping forwarding servers and load balancing traffic to the servers

You can add multiple web proxy forwarding servers to a forwarding server group and then add the server group to an explicit web proxy policy instead of a single server. Forwarding server groups are created from the FortiGate CLI but can be added to policies from either the GUI or the CLI.

When you create a forwarding server group you can select a load balancing method to control how sessions are load balanced to the forwarding servers in the server group. Two load balancing methods are available:

  • Weighted load balancing sends more sessions to the servers with higher weights. You can configure the weight for each server when you add it to the group.
  • Least-session load balancing sends new sessions to the forwarding server that is processing the fewest sessions.

When you create a forwarding server group you can also enable affinity. Enable affinity to have requests from the same client processed by the same server. This can reduce delays caused by using multiple servers for a single multi-step client operation. Affinity takes precedence over load balancing.

You can also configure the behavior of the group if all of the servers in the group are down. You can select to block traffic or you can select to have the traffic pass through the FortiGate explicit proxy directly to its destination instead of being sent to one of the forwarding servers.

Example

The following example adds a forwarding server group that uses weighted load balancing to distribute traffic across three forwarding servers. Server weights are configured to send most traffic to server_2. The group has affinity enabled and blocks traffic if all of the forwarding servers are down.

To configure load balancing in the CLI:

config web-proxy forward-server
    edit server_1
        set ip 172.20.120.12
        set port 8080
    next
    edit server_2
        set ip 172.20.120.13
        set port 8000
    next
    edit server_3
        set ip 172.20.120.14
        set port 8090
    next
end

config web-proxy forward-server-group
    edit New-fwd-group
        set affinity enable
        set ldb-method weighted
        set group-down-option block
        config server-list
            edit server_1
                set weight 10
            next
            edit server_2
                set weight 40
            next
            edit server_3
                set weight 10
            next
        end
    next
end
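The following Python model is an added example, not FortiOS code, showing how the selection rules above combine for the New-fwd-group configuration: affinity is consulted first, then the ldb-method (weighted or least-session) chooses among the servers that are currently up, and group-down-option decides what happens when none are. ForwardServerGroup, page_example_group and distribution are assumed names; the server names and weights are the ones from the CLI example.

```python
import random
from collections import Counter

# Added example, not FortiOS code: a model of forward-server-group selection.
# Class and function names are assumptions; server names/weights come from
# the page's New-fwd-group example.


class ForwardServerGroup:
    def __init__(self, servers, ldb_method="weighted", affinity=True,
                 group_down_option="block", seed=1):
        # servers: {name: {"weight": int, "up": bool, "sessions": int}}
        self.servers = servers
        self.ldb_method = ldb_method
        self.affinity = affinity
        self.group_down_option = group_down_option
        self.rng = random.Random(seed)   # seeded so runs are reproducible
        self.pinned = {}                 # client address -> server name

    def up_servers(self):
        return [name for name, s in self.servers.items() if s["up"]]

    def select(self, client_addr):
        """Return the server a new session from client_addr goes to, or
        'block' / 'direct' when every server in the group is down."""
        up = self.up_servers()
        if not up:
            return "block" if self.group_down_option == "block" else "direct"

        # Affinity takes precedence over load balancing: a client already
        # pinned to a server that is still up keeps that server.
        if self.affinity and self.pinned.get(client_addr) in up:
            chosen = self.pinned[client_addr]
        elif self.ldb_method == "weighted":
            # A server's share is its weight over the summed weights of the
            # servers that are up; down servers are simply skipped.
            chosen = self.rng.choices(up, weights=[self.servers[n]["weight"] for n in up])[0]
        elif self.ldb_method == "least-session":
            chosen = min(up, key=lambda n: self.servers[n]["sessions"])
        else:
            raise ValueError("ldb-method must be 'weighted' or 'least-session'")

        self.servers[chosen]["sessions"] += 1
        if self.affinity:
            self.pinned[client_addr] = chosen
        return chosen

    def end_session(self, name):
        self.servers[name]["sessions"] -= 1


def page_example_group(**overrides):
    """New-fwd-group from the CLI example: weights 10/40/10, affinity on,
    block when the whole group is down."""
    servers = {name: {"weight": w, "up": True, "sessions": 0}
               for name, w in (("server_1", 10), ("server_2", 40), ("server_3", 10))}
    return ForwardServerGroup(servers, **overrides)


def distribution(group, n_clients):
    """How the first session from each of n distinct clients spreads across the group."""
    return Counter(group.select(f"10.0.{i // 250}.{i % 250}") for i in range(n_clients))


if __name__ == "__main__":
    print(distribution(page_example_group(), 6000))  # server_2 gets about two thirds
```

With the page's weights, server_2 receives roughly 40/60 of new clients; once a client is pinned it stays on its server even though the weights favour another, which is what "affinity takes precedence over load balancing" means in practice.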

Adding proxy chaining to an explicit web proxy policy

You can enable proxy chaining for web proxy sessions by adding a web proxy forwarding server or server group to an explicit web proxy policy. In a policy you can select one web proxy forwarding server or server group. All explicit web proxy traffic accepted by this security policy is forwarded to the specified web proxy forwarding server or server group.

To add a proxy policy that uses a web proxy forwarding server in the GUI:
  1. Go to Policy & Objects > Proxy Policy and click Create New.
  2. Configure the policy settings:
    Proxy Type: Explicit Web
    Outgoing Interface: wan1
    Source: Internal_subnet
    Destination: all
    Schedule: always
    Service: webproxy
    Action: Accept
  3. Enable Web Proxy Forwarding Server and select the forwarding server or server group (for example, fwd-srv).
  4. Click OK.
Example

The following example adds a proxy policy that allows all users on the 10.31.101.0 subnet (represented by the firewall address object Internal_subnet) to use the explicit web proxy for connections through the wan1 interface to the Internet. The policy forwards web proxy sessions to the remote forwarding server named fwd-srv.

To add a proxy policy that uses a web proxy forwarding server in the CLI:

config firewall proxy-policy
    edit 0
        set proxy explicit-web
        set dstintf "wan1"
        set srcaddr "Internal_subnet"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set webproxy-forward-server "fwd-srv"
    next
end

Using TLS 1.3 with web proxy forward servers

A FortiGate can handle TLS 1.3 traffic in both deep and certificate inspection modes.

Example

The following example demonstrates that the Squid server and the FortiGate can handle TLS 1.3 traffic.

The following output from the Squid server demonstrates that the FortiGate supports TLS 1.3 traffic and forwards the server's HelloRetryRequest back to the client PC. The client PC then sends its ClientHello again, and the connection is successfully established.
