Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.0.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Explicit proxy authentication over HTTPS

    Explicit proxy authentication over HTTPS

    When a HTTP request requires authentication in an explicit proxy, the authentication can be redirected to a secure HTTPS captive portal. Once authentication is complete, the client can be redirected back to the original destination over HTTP.

    Example

    A user visits a website via HTTP through the explicit web proxy on a FortiGate. The user is required to authenticate by either basic or form IP-based authentication for the explicit web proxy service. The user credentials need to be transmitted over the networks in a secured method over HTTPS rather than in plain text. The user credentials are protected by redirecting the client to a captive portal of the FortiGate over HTTPS for authentication where the user credentials are encrypted and transmitted over HTTPS.

    In this example, explicit proxy authentication over HTTPS is configured with form IP-based authentication. Once configured, you can enable authorization for an explicit web proxy by configuring users or groups in the firewall proxy policy.

    To configure explicit proxy authentication over HTTPS:
    1. Configure the authentication settings:
      config authentication setting
    set captive-portal-type fqdn   
    set captive-portal "fgt-cp"    
    set auth-https enable          
end
    2. Configure the authentication scheme:
      config authentication scheme
    edit "form"
        set method form
        set user-database "local-user-db"
    next
end
    3. Configure the authentication rule:
      config authentication rule
    edit "form"
        set srcaddr "all"
        set active-auth-method "form"
    next
end
      Note

      If a session-based basic authentication method is used, enable web-auth-cookie.

    4. Configure the firewall address:
      config firewall address
    edit "fgt-cp"
        set type fqdn
        set fqdn "fgt.fortinetqa.local"
    next
end
    5. Configure the interface:
      config system interface
    edit "port10"
        set ip 10.1.100.1 255.255.255.0  
        set explicit-web-proxy enable
        set proxy-captive-portal enable  
    next
end
    6. Configure a firewall proxy policy with users or groups (see Explicit web proxy).

    Verification

    When a client visits a HTTP website, the client will be redirected to the captive portal for authentication by HTTPS. For example, the client could be redirected to a URL by a HTTP 303 message similar to the following:

    HTTP/1.1 303 See Other

    Connection: close

    Content-Type: text/html

    Cache-Control: no-cache

    Location: https://fgt.fortinetqa.local:7831/XX/YY/ZZ/cpauth?scheme=http&4Tmthd=0&host=172.16.200.46&port=80&rule=75&uri=Lw==&

    Content-Length: 0

    The captive portal URL used for authentication is https://fgt.fortinetqa.local:7831/.... Once the authentication is complete with all user credentials protected by HTTPS, the client is redirected to the original HTTP website they intended to visit.

    Previous
    Next

    Explicit proxy authentication over HTTPS

    Explicit proxy authentication over HTTPS

    When a HTTP request requires authentication in an explicit proxy, the authentication can be redirected to a secure HTTPS captive portal. Once authentication is complete, the client can be redirected back to the original destination over HTTP.

    Example

    A user visits a website via HTTP through the explicit web proxy on a FortiGate. The user is required to authenticate by either basic or form IP-based authentication for the explicit web proxy service. The user credentials need to be transmitted over the networks in a secured method over HTTPS rather than in plain text. The user credentials are protected by redirecting the client to a captive portal of the FortiGate over HTTPS for authentication where the user credentials are encrypted and transmitted over HTTPS.

    In this example, explicit proxy authentication over HTTPS is configured with form IP-based authentication. Once configured, you can enable authorization for an explicit web proxy by configuring users or groups in the firewall proxy policy.

    To configure explicit proxy authentication over HTTPS:
    1. Configure the authentication settings:
      config authentication setting
    set captive-portal-type fqdn   
    set captive-portal "fgt-cp"    
    set auth-https enable          
end
    2. Configure the authentication scheme:
      config authentication scheme
    edit "form"
        set method form
        set user-database "local-user-db"
    next
end
    3. Configure the authentication rule:
      config authentication rule
    edit "form"
        set srcaddr "all"
        set active-auth-method "form"
    next
end
      Note

      If a session-based basic authentication method is used, enable web-auth-cookie.

    4. Configure the firewall address:
      config firewall address
    edit "fgt-cp"
        set type fqdn
        set fqdn "fgt.fortinetqa.local"
    next
end
    5. Configure the interface:
      config system interface
    edit "port10"
        set ip 10.1.100.1 255.255.255.0  
        set explicit-web-proxy enable
        set proxy-captive-portal enable  
    next
end
    6. Configure a firewall proxy policy with users or groups (see Explicit web proxy).

    Verification

    When a client visits a HTTP website, the client will be redirected to the captive portal for authentication by HTTPS. For example, the client could be redirected to a URL by a HTTP 303 message similar to the following:

    HTTP/1.1 303 See Other

    Connection: close

    Content-Type: text/html

    Cache-Control: no-cache

    Location: https://fgt.fortinetqa.local:7831/XX/YY/ZZ/cpauth?scheme=http&4Tmthd=0&host=172.16.200.46&port=80&rule=75&uri=Lw==&

    Content-Length: 0

    The captive portal URL used for authentication is https://fgt.fortinetqa.local:7831/.... Once the authentication is complete with all user credentials protected by HTTPS, the client is redirected to the original HTTP website they intended to visit.

    Previous
    Next