Administration Guide

Domain name in XFF with ICAP

The FortiGate can forward additional domain-related information to the ICAP server. Once domain information is gathered from an external authentication server (such as LDAP or an FSSO collector agent), FortiOS incorporates this domain information in WinNT://DOMAIN/Username format and forwards it to the ICAP server.

Basic ICAP configuration

The ICAP server and profile are configured on the FortiGate. The ICAP profile's icap-headers entry sets the X-Authenticated-User header to WinNT://$domain/$user; FortiOS expands the $domain and $user variables from the user information provided by the remote authentication server.

To configure the ICAP settings:
  1. Configure the ICAP server:

    config icap server
        edit "content-filtration-server4"
            set ip-address 10.1.100.41
            set max-connections 200
        next
    end
  2. Configure the ICAP profile:

    config icap profile
        edit "Prop-Content-Filtration"
            set request enable
            set response enable
            set streaming-content-bypass enable
            set request-server "content-filtration-server4"
            set response-server "content-filtration-server4"
            set request-path "/proprietary_code/content-filter/"
            set response-path "/proprietary_code/content-filter/"
            set methods delete get head options post put trace other
            config icap-headers
                edit 1
                    set name "X-Authenticated-User"
                    set content "WinNT://$domain/$user"
                next
            end
        next
    end
  3. Configure the firewall policy:

    config firewall policy
        edit 4
            set name "icap_filter3"
            set srcintf "port10"
            set dstintf "port9"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set icap-profile "Prop-Content-Filtration"
            set logtraffic all
            set nat enable
            set groups "ldap group" "AD-group"
        next
    end

LDAP example

In this example, an AD LDAP server and a remote user group are configured. After a user authenticates successfully, FortiOS retrieves the user information, including the domain name, from the UserPrincipalName attribute. A packet capture is used to compare the user and domain information in the ICAP REQMOD message before and after authentication.

To configure the LDAP authentication:
  1. Configure the LDAP server:

    config user ldap
        edit "AD-ldap"
            set server "10.1.100.131"
            set cnid "cn"
            set dn "dc=fortinet-fsso,dc=com"
            set type regular
            set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
            set password **********   
        next
    end
  2. Configure the LDAP user group:

    config user group
        edit "ldap group"
            set member "AD-ldap"
            config match
                edit 1
                    set server-name "AD-ldap"
                    set group-name "CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM"
                next
                edit 2
                    set server-name "AD-ldap"
                    set group-name "CN=group2,OU=Testing,DC=Fortinet-FSSO,DC=COM"
                next
            end
        next
    end
  3. Start a local traffic dump between the FortiGate and the ICAP server before a user authenticates, and save it as a PCAP file.

  4. Check the PCAP file. Once the user has authenticated, the Fortinet-fsso.com domain appears in the X-Authenticated-User header of the ICAP REQMOD message.

  5. Optionally, enable WAD ICAP debugging to follow the exchange on the FortiGate:

    # diagnose wad debug enable category icap

FSSO example

In this example, a local FSSO collector agent and a remote user group are configured. After a user logs on successfully, FortiOS retrieves the user information, including the domain name, from the collector agent. A packet capture is used to compare the user and domain information in the ICAP REQMOD message before and after authentication.

To configure the FSSO authentication:
  1. Configure the FSSO agent:

    config user fsso
        edit "AD-fsso"
            set server "10.1.100.199"
            set password **********
        next
    end
  2. Configure the FSSO user group:

    config user group
        edit "AD-group"
            set group-type fsso-service
            set member "FORTINET-FSSO/GROUP1" "FORTINET-FSSO/GROUP2"
        next
    end
  3. Start a local traffic dump between the FortiGate and the ICAP server before a user logs on, and save it as a PCAP file.

  4. Check the PCAP file. Once the user has logged on, the fsso2022.com domain appears in the X-Authenticated-User header of the ICAP REQMOD message.

  5. Optionally, check the FSSO collector agent log file and search for the get_dns_domain_name lines, which show the NetBIOS and DNS domain names the agent sends to the FortiGate:

    ... 
    06/20/2023 14:58:58 [ 1484] FortiGate connection accepted, auth OK.
    06/20/2023 14:58:58 [ 1484] FortiGate:FG4H1E5819900343-root connected on socket (2004).
    06/20/2023 14:58:58 [ 1484] send AUTH, len:26
    06/20/2023 14:58:58 [ 1484] ready to read from socket
    06/20/2023 14:58:58 [ 1484] Bytes received from FortiGate: 26
    06/20/2023 14:58:58 [ 1484] process AD_INFO
    06/20/2023 14:58:58 [ 1484] group filter received from FortiGate: len:26
    06/20/2023 14:58:58 [ 1484] packet seq:2
    06/20/2023 14:58:58 [ 1484] ad info flag:1
    06/20/2023 14:58:58 [ 1484] FGT sends empty group list
    06/20/2023 14:58:58 [ 1484] ready to read from socket
    06/20/2023 14:58:58 [ 1484] Bytes received from FortiGate: 36
    06/20/2023 14:58:58 [ 1484] packet seq:3
    06/20/2023 14:58:58 [ 1484] option:00000001 ref point:00000000
    06/20/2023 14:58:58 [ 1484] toFGT set to:1
    06/20/2023 14:58:58 [ 1484] get_dns_domain_name:177 enable_dns_domain_name:1, netbios_domain_name:FSSO2022
    06/20/2023 14:58:58 [ 1484] get_dns_domain_name:185 dns_domain_name:FSSO2022.com
    06/20/2023 14:58:58 [ 1484] send LOGON_INFO, len:187
    06/20/2023 14:58:58 [ 1484] send_to_FGT() called:sock:2004 sendbuf:198f4498 sendlen:187
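Step 4 of both the LDAP and the FSSO example asks you to confirm in the capture that the domain reached the ICAP server. The following script is an added example, not Fortinet code or part of this guide: it walks a classic libpcap file, picks out TCP segments sent to the ICAP port, parses each ICAP REQMOD request and splits the X-Authenticated-User value into domain and user. It assumes the default ICAP port 1344, plain (non-TLS) ICAP, Ethernet/IPv4 frames and one ICAP request per TCP segment (no stream reassembly). The capture it analyses is constructed inline (two REQMOD requests, one without the header and one with WinNT://FORTINET-FSSO/alice) so the script runs offline; the hostnames, addresses and user name in it are made up.

```python
import re
import struct
from typing import Dict, Iterator, List, Optional

# Added example, not Fortinet code. Assumptions: classic libpcap format (not
# pcapng), Ethernet/IPv4 frames, ICAP on its default TCP/1344, and one ICAP
# request per TCP segment (no stream reassembly).
ICAP_PORT = 1344
WINNT_RE = re.compile(r"^WinNT://(?P<domain>[^/]*)/(?P<user>.*)$")

def iter_pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield raw link-layer frames from classic pcap bytes."""
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng is not handled)")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_payload(frame: bytes) -> Optional[tuple]:
    """Return (dst_port, payload) for an IPv4/TCP Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip Ethernet + IP header (IHL)
    if len(tcp) < 20:
        return None
    dport = struct.unpack_from("!H", tcp, 2)[0]
    return dport, tcp[(tcp[12] >> 4) * 4:]      # skip TCP header (data offset)

def parse_reqmod(payload: bytes) -> Optional[Dict[str, Optional[str]]]:
    """Parse one ICAP REQMOD request and split its X-Authenticated-User value."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    if lines[0].split(" ", 1)[0] != "REQMOD":
        return None  # OPTIONS/RESPMOD carry no request identity of interest here
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    raw = headers.get("x-authenticated-user")
    info: Dict[str, Optional[str]] = {"raw": raw, "domain": None, "user": None}
    match = WINNT_RE.match(raw) if raw is not None else None
    if match:  # an empty domain part (e.g. before logon) is reported as None
        info["domain"] = match.group("domain") or None
        info["user"] = match.group("user") or None
    return info

def identities_from_pcap(data: bytes) -> List[Dict[str, Optional[str]]]:
    """Identity info from every REQMOD sent to the ICAP port, in capture order."""
    found = []
    for frame in iter_pcap_frames(data):
        seg = tcp_payload(frame)
        if seg is None or seg[0] != ICAP_PORT:
            continue
        info = parse_reqmod(seg[1])
        if info is not None:
            found.append(info)
    return found

# --- constructed sample capture (no real FortiGate traffic) -----------------
def _frame(payload: bytes) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 1, 100, 1]), bytes([10, 1, 100, 41]))
    tcp = struct.pack("!HHIIBBHHH", 40000, ICAP_PORT, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def _reqmod(xau: Optional[str]) -> bytes:
    http = b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"
    hdrs = [b"REQMOD icap://10.1.100.41:1344/proprietary_code/content-filter/ ICAP/1.0",
            b"Host: 10.1.100.41",
            b"Encapsulated: req-hdr=0, null-body=%d" % len(http)]
    if xau is not None:
        hdrs.append(b"X-Authenticated-User: " + xau.encode())
    return b"\r\n".join(hdrs) + b"\r\n\r\n" + http

def build_sample_pcap() -> bytes:
    """Two REQMODs: one before logon (no header), one after logon (domain set)."""
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (_frame(_reqmod(None)), _frame(_reqmod("WinNT://FORTINET-FSSO/alice"))):
        pcap += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return pcap

if __name__ == "__main__":
    for n, ident in enumerate(identities_from_pcap(build_sample_pcap()), 1):
        print(f"REQMOD #{n}: {ident}")
```

To use it on a real capture, pass the file contents to identities_from_pcap(); the file must be saved as pcap rather than pcapng, and if the ICAP server listens on another port, change ICAP_PORT. A request whose raw value is None, or whose domain is None while user is set, is the "before authentication" case the procedure asks you to compare against; after logon both fields should be populated with the domain the log shows the collector agent sending.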
