Administration Guide

Isolator servers in proxy policies

Web proxy isolator servers, such as FortiIsolator, are supported in proxy policies. Isolators are fundamentally the same as web proxy forward servers because both redirect HTTP and HTTPS requests to an HTTP or HTTPS proxy server. However, isolators have the specific function of isolating potentially unsafe traffic from the user environment.

The isolate action in proxy policies can be used to distinguish isolated traffic from normal traffic in logs. Isolator servers can only be applied in explicit and transparent proxy policies. See Explicit web proxy and Transparent proxy.

To configure an isolator server in the CLI:
  1. Configure the isolator server:

    config web-proxy isolator-server
        edit <name>
            set addr-type {ip | ipv6 | fqdn}
            set ip <any_ip>
            set ipv6 <IPv6 address>
            set fqdn <string>
            set port <port>
        next
    end
    
  2. Apply the server to a proxy policy:

    config firewall proxy-policy
        edit <id>
            set action isolate
            set isolator-server <name>
        next
    end

To configure an isolator server in the GUI:
  1. Go to Network > Explicit Proxy.

  2. Enable Explicit Web Proxy and scroll to FortiIsolator Servers.

  3. Click Create New.

  4. Configure the isolator server.

  5. Click OK.

  6. Configure the other explicit proxy fields, as needed, and click Apply.

  7. Apply the isolator server to a proxy policy:

    1. Go to Policy & Objects > Proxy Policy.

    2. Click Create New.

    3. Set the Type to Explicit Web or Transparent Web.

    4. Set Action to Isolate.

    5. Set FortiIsolator server to the new server you configured.

    6. Configure other proxy policy fields, as needed.

    7. Click OK.

Example

The following example demonstrates how to apply an isolator server to a proxy policy. Two explicit proxy policies are configured:

  • A web proxy forward server is applied to one policy with the action set to accept.

  • An isolator server is applied to the other policy with the action set to isolate.

Each proxy policy uses a different destination IP address to separate traffic. Once traffic passes, logs are generated for the specific actions.

To configure an isolator server in the CLI:
  1. Configure the isolator server:

    config web-proxy isolator-server
        edit "isolator"
            set ip 172.16.200.7
            set port 8080
        next
    end
  2. Configure the forward server:

    config web-proxy forward-server
        edit "fgt-b"
            set ip 172.16.200.7
            set port 8080
        next
    end
  3. Apply each server to a proxy policy:

    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "IT"
            set service "webproxy"
            set action accept
            set schedule "always"
            set logtraffic all
            set webproxy-forward-server "fgt-b"
            set utm-status enable
            set ssl-ssh-profile "deep-custom"
            set av-profile "av"
        next
        edit 3
            set proxy explicit-web
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "Finance"
            set service "webproxy"
            set action isolate
            set schedule "always"
            set logtraffic all
            set isolator-server "isolator"
            set utm-status enable
            set ssl-ssh-profile "deep-custom"
            set av-profile "av"
        next
    end
  4. Generate traffic for the proxy policies and go to Log & Report > Forward Traffic in the GUI to review the logs:

    1. When accessing www.fortinet.com, the traffic hits proxy policy 1 and is accepted.

      Since the traffic matches the destination address, it goes to the forward server and then to the internet. A traffic log is generated with the action set to accept.

    2. When accessing www.cibc.com, the traffic hits proxy policy 3 and is isolated.

      Since the traffic matches the destination address, it goes to the isolator server and then to the internet. A traffic log is generated with the action set to isolate.
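The two CLI procedures above (the generic isolator-server and proxy-policy template, and the worked two-policy example) are easy to get subtly wrong: an `action isolate` policy that points at an isolator name that was never created, an isolator assigned to a policy whose action is still `accept`, or isolated traffic that is not being logged and so cannot be distinguished in Log & Report. The following Python script is an added example, not Fortinet code or FortiOS functionality: it parses the `config`/`edit`/`set`/`next`/`end` text exactly as shown in this guide into a nested dictionary and lints the proxy policies against the rules this page states. The sample configuration is constructed from the example above; the `logtraffic all` requirement and the list of allowed `proxy` types are the checker's own conventions derived from the page, not FortiOS validation rules.

```python
"""Parse a FortiOS config fragment and lint proxy policies that use isolator
or forward servers. Added example; assumes single-value 'set' lines are the
common case and treats multi-value lines as lists."""

import re

# Constructed sample, trimmed from the worked example in the guide.
SAMPLE_CONFIG = """\
config web-proxy isolator-server
    edit "isolator"
        set ip 172.16.200.7
        set port 8080
    next
end
config web-proxy forward-server
    edit "fgt-b"
        set ip 172.16.200.7
        set port 8080
    next
end
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set srcaddr "all"
        set dstaddr "IT"
        set action accept
        set logtraffic all
        set webproxy-forward-server "fgt-b"
    next
    edit 3
        set proxy explicit-web
        set srcaddr "all"
        set dstaddr "Finance"
        set action isolate
        set logtraffic all
        set isolator-server "isolator"
    next
end
"""

# Proxy types in which the guide says isolator servers may be used (CLI names
# of the GUI's "Explicit Web" and "Transparent Web" types).
ISOLATE_PROXY_TYPES = {"explicit-web", "transparent-web"}


def parse_fortios(text):
    """Return {table_name: {entry_name: {key: value_or_list}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kw, _, rest = line.partition(" ")
        if kw == "config":
            table = rest
            tables.setdefault(table, {})
        elif kw == "edit":
            entry = rest.strip('"')
            tables[table][entry] = {}
        elif kw == "set":
            key, _, value = rest.partition(" ")
            # Values are either "quoted strings" or bare tokens; keep the order.
            tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', value)]
            tables[table][entry][key] = tokens[0] if len(tokens) == 1 else tokens
        elif kw == "next":
            entry = None
        elif kw == "end":
            table = None
        else:
            raise ValueError(f"unexpected config line: {raw!r}")
    return tables


def lint_proxy_policies(tables):
    """Return a list of (policy_id, problem) tuples; empty means clean."""
    isolators = tables.get("web-proxy isolator-server", {})
    forwarders = tables.get("web-proxy forward-server", {})
    problems = []
    for pid, pol in tables.get("firewall proxy-policy", {}).items():
        action = pol.get("action", "accept")
        iso = pol.get("isolator-server")
        fwd = pol.get("webproxy-forward-server")
        if action == "isolate":
            if pol.get("proxy") not in ISOLATE_PROXY_TYPES:
                problems.append((pid, "isolate used outside explicit/transparent web proxy"))
            if not iso:
                problems.append((pid, "action isolate without isolator-server"))
            elif iso not in isolators:
                problems.append((pid, f"isolator-server {iso!r} is not defined"))
            if pol.get("logtraffic") != "all":
                problems.append((pid, "isolated traffic is not logged (logtraffic all)"))
        else:
            if iso:
                problems.append((pid, f"isolator-server set but action is {action}"))
        if fwd and fwd not in forwarders:
            problems.append((pid, f"webproxy-forward-server {fwd!r} is not defined"))
    return problems


def lint_text(text):
    """Convenience wrapper: parse then lint a config fragment."""
    return lint_proxy_policies(parse_fortios(text))


if __name__ == "__main__":
    print("sample:", lint_text(SAMPLE_CONFIG) or "clean")
    broken = SAMPLE_CONFIG.replace('set isolator-server "isolator"',
                                   'set isolator-server "missing"')
    for pid, problem in lint_text(broken):
        print(f"policy {pid}: {problem}")
```

Run it against the output of `show firewall proxy-policy`, `show web-proxy isolator-server` and `show web-proxy forward-server` concatenated into one file; any policy that appears in the problem list either will not isolate the traffic it was meant to, or will isolate it without leaving the `isolate` action in the forward traffic log.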
