Domain name in XFF with ICAP
The FortiGate can forward additional domain-related information to the ICAP server. Once domain information is gathered from an external authentication server (such as LDAP or an FSSO collector agent), FortiOS incorporates this domain information in WinNT://DOMAIN/Username
format and forwards it to the ICAP server.
Basic ICAP configuration
The ICAP server and profile are configured on the FortiGate. The ICAP profile's header settings uses the WinNT://$domain/$user
variable for the user information provided by the remote authentication server.
To configure the ICAP settings:
-
Configure the ICAP server:
config icap server edit "content-filtration-server4" set ip-address 10.1.100.41 set max-connections 200 next end
-
Configure the ICAP profile:
config icap profile edit "Prop-Content-Filtration" set request enable set response enable set streaming-content-bypass enable set request-server "content-filtration-server4" set response-server "content-filtration-server4" set request-path "/proprietary_code/content-filter/" set response-path "/proprietary_code/content-filter/" set methods delete get head options post put trace other config icap-headers edit 1 set name "X-Authenticated-User" set content "WinNT://$domain/$user" next end next end
-
Configure the firewall policy:
config firewall policy edit 4 set name "icap_filter3" set srcintf "port10" set dstintf "port9" set action accept set srcaddr "all" set dstaddr "all" set schedule "always" set service "ALL" set utm-status enable set inspection-mode proxy set ssl-ssh-profile "deep-inspection" set icap-profile "Prop-Content-Filtration" set logtraffic all set nat enable set groups "ldap group" "AD-group" next end
LDAP example
In this example, an AD LDAP server and remote user group are configured. When successful user authentication occurs, FortiOS retrieves all the user information (such as the domain name) from the UserPrincipalName attribute. A packet capture is used to compare the user and domain information before and after authentication in the ICAP REQMOD message.
To configure the LDAP authentication:
-
Configure the LDAP server:
config user ldap edit "AD-ldap" set server "10.1.100.131" set cnid "cn" set dn "dc=fortinet-fsso,dc=com" set type regular set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com" set password ********** next end
-
Configure the LDAP user group:
config user group edit "ldap group" set member "AD-ldap" config match edit 1 set server-name "AD-ldap" set group-name "CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM" next edit 2 set server-name "AD-ldap" set group-name "CN=group2,OU=Testing,DC=Fortinet-FSSO,DC=COM" next end next end
-
Start local traffic dump between the FortiGate and ICAP server before a user authenticates and save it in a PCAP file.
-
Verify the PCAP file. The Fortinet-fsso.com domain appears in the ICAP REQMOD message.
-
Optionally, run the following command to verify WAD debugs:
# diagnose wad debug enable category icap
FSSO example
In this example, a local FSSO agent and remote user group are configured. When successful user authentication occurs, FortiOS retrieves all the user information (such as the domain name). A packet capture is used to compare the user and domain information before and after authentication in the ICAP REQMOD message.
To configure the FSSO authentication:
-
Configure the FSSO agent:
config user fsso edit "AD-fsso" set server "10.1.100.199" set password ********** next end
-
Configure the FSSO user group:
config user group edit "AD-group" set group-type fsso-service set member "FORTINET-FSSO/GROUP1" "FORTINET-FSSO/GROUP2" next end
-
Start local traffic dump between the FortiGate and ICAP server before a user authenticates and save it in a PCAP file.
-
Verify the PCAP file. The fsso2022.com domain appears in the ICAP REQMOD message.
-
Optionally, verify the FSSO log file and search for the
get_dns_domain
lines:... 06/20/2023 14:58:58 [ 1484] FortiGate connection accepted, auth OK. 06/20/2023 14:58:58 [ 1484] FortiGate:FG4H1E5819900343-root connected on socket (2004). 06/20/2023 14:58:58 [ 1484] send AUTH, len:26 06/20/2023 14:58:58 [ 1484] ready to read from socket 06/20/2023 14:58:58 [ 1484] Bytes received from FortiGate: 26 06/20/2023 14:58:58 [ 1484] process AD_INFO 06/20/2023 14:58:58 [ 1484] group filter received from FortiGate: len:26 06/20/2023 14:58:58 [ 1484] packet seq:2 06/20/2023 14:58:58 [ 1484] ad info flag:1 06/20/2023 14:58:58 [ 1484] FGT sends empty group list 06/20/2023 14:58:58 [ 1484] ready to read from socket 06/20/2023 14:58:58 [ 1484] Bytes received from FortiGate: 36 06/20/2023 14:58:58 [ 1484] packet seq:3 06/20/2023 14:58:58 [ 1484] option:00000001 ref point:00000000 06/20/2023 14:58:58 [ 1484] toFGT set to:1 06/20/2023 14:58:58 [ 1484] get_dns_domain_name:177 enable_dns_domain_name:1, netbios_domain_name:FSSO2022 06/20/2023 14:58:58 [ 1484] get_dns_domain_name:185 dns_domain_name:FSSO2022.com 06/20/2023 14:58:58 [ 1484] send LOGON_INFO, len:187 06/20/2023 14:58:58 [ 1484] send_to_FGT() called:sock:2004 sendbuf:198f4498 sendlen:187