Fortinet black logo

Administration Guide

Multiple dynamic header count

Multiple dynamic header count

Multiple dynamic headers are supported for web proxy profiles, as well as Base64 encoding and the append/new options.

Administrators only have to select the dynamic header in the profile. The FortiGate will automatically display the corresponding static value. For example, if the administrator selects the $client-ip header, the FortiGate will display the actual client IP address.

The supported headers are:

$client-ip

Client IP address

$user

Authentication user name

$domain

User domain name

$local_grp

Firewall group name

$remote_grp

Group name from authentication server

$proxy_name

Proxy realm name

To configure dynamic headers using the CLI:

Since authentication is required, FSSO NTLM authentication is configured in this example.

  1. Configure LDAP:

    config user ldap
        edit "ldap-kerberos"
            set server "172.18.62.220"
            set cnid "cn"a
            set dn "dc=fortinetqa,dc=local"
            set type regular
            set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
            set password *********
        next
    end
  2. Configure FSSO:

    config user fsso
        edit "1"
            set server "172.18.62.220"
            set password *********
        next
    end
  3. Configure a user group:

    config user group
        edit "NTLM-FSSO"
            set group-type fsso-service
            set member "FORTINETQA/FSSO"
        next
    end
  4. Configure an authentication scheme:

    config authentication scheme
        edit "au-sch-ntlm"
            set method ntlm
        next
    end
  5. Configure an authentication rule:

    config authentication rule
        edit "au-rule-fsso"
            set srcaddr "all"
            set active-auth-method "au-sch-ntlm"
        next
    end
  6. Create a web proxy profile that adds a new dynamic and custom Via header:

    config web-proxy profile
        edit "test"
            set log-header-change enable
            config headers
                edit 1
                    set name "client-ip"
                    set content "$client-ip"
                next
                edit 2
                    set name "Proxy-Name"
                    set content "$proxy_name"
                next
                edit 3
                    set name "user"
                    set content "$user"
                next
                edit 4
                    set name "domain"
                    set content "$domain"
                next
                edit 5
                    set name "local_grp"
                    set content "$local_grp"
                next
                edit 6
                    set name "remote_grp"
                    set content "$remote_grp"
                next
                edit 7
                    set name "Via"
                    set content "Fortigate-Proxy"
                next
            end
        next
    end
  7. In the proxy policy, append the web proxy profile created in the previous step:

    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "web"
            set action accept
            set schedule "always"
            set logtraffic all
            set groups "NTLM-FSSO"
            set webproxy-profile "test"
            set utm-status enable
            set av-profile "av"
            set webfilter-profile "content"
            set ssl-ssh-profile "deep-custom"
        next
    end
  8. Once traffic is being generated from the client, look at the web filter logs to verify that it is working.

    The corresponding values for all the added header fields are shown in the Web Filter card at Log & Report > Security Events, in the Change headers section at the bottom of the Log Details pane.

    1: date=2019-02-07 time=13:57:24 logid="0344013632" type="utm" subtype="webfilter" eventtype="http_header_change" level="notice" vd="vdom1" eventtime=1549576642 policyid=1 transid=50331689 sessionid=1712788383 user="TEST21@FORTINETQA" group="NTLM-FSSO" profile="test" srcip=10.1.100.116 srcport=53278 dstip=172.16.200.46 dstport=80 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTP" url="http://172.16.200.46/" agent="curl/7.22.0" chgheaders="Added=client-ip: 10.1.100.116|Proxy-Name: 1.1 100D.qa|user: TEST21|domain: FORTINETQA|local_grp: NTLM-FSSO|remote_grp: FORTINETQA/FSSO|Via: Fortigate-Proxy"

Multiple dynamic header count

Multiple dynamic headers are supported for web proxy profiles, as well as Base64 encoding and the append/new options.

Administrators only have to select the dynamic header in the profile. The FortiGate will automatically display the corresponding static value. For example, if the administrator selects the $client-ip header, the FortiGate will display the actual client IP address.

The supported headers are:

$client-ip

Client IP address

$user

Authentication user name

$domain

User domain name

$local_grp

Firewall group name

$remote_grp

Group name from authentication server

$proxy_name

Proxy realm name

To configure dynamic headers using the CLI:

Since authentication is required, FSSO NTLM authentication is configured in this example.

  1. Configure LDAP:

    config user ldap
        edit "ldap-kerberos"
            set server "172.18.62.220"
            set cnid "cn"a
            set dn "dc=fortinetqa,dc=local"
            set type regular
            set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
            set password *********
        next
    end
  2. Configure FSSO:

    config user fsso
        edit "1"
            set server "172.18.62.220"
            set password *********
        next
    end
  3. Configure a user group:

    config user group
        edit "NTLM-FSSO"
            set group-type fsso-service
            set member "FORTINETQA/FSSO"
        next
    end
  4. Configure an authentication scheme:

    config authentication scheme
        edit "au-sch-ntlm"
            set method ntlm
        next
    end
  5. Configure an authentication rule:

    config authentication rule
        edit "au-rule-fsso"
            set srcaddr "all"
            set active-auth-method "au-sch-ntlm"
        next
    end
  6. Create a web proxy profile that adds a new dynamic and custom Via header:

    config web-proxy profile
        edit "test"
            set log-header-change enable
            config headers
                edit 1
                    set name "client-ip"
                    set content "$client-ip"
                next
                edit 2
                    set name "Proxy-Name"
                    set content "$proxy_name"
                next
                edit 3
                    set name "user"
                    set content "$user"
                next
                edit 4
                    set name "domain"
                    set content "$domain"
                next
                edit 5
                    set name "local_grp"
                    set content "$local_grp"
                next
                edit 6
                    set name "remote_grp"
                    set content "$remote_grp"
                next
                edit 7
                    set name "Via"
                    set content "Fortigate-Proxy"
                next
            end
        next
    end
  7. In the proxy policy, append the web proxy profile created in the previous step:

    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "web"
            set action accept
            set schedule "always"
            set logtraffic all
            set groups "NTLM-FSSO"
            set webproxy-profile "test"
            set utm-status enable
            set av-profile "av"
            set webfilter-profile "content"
            set ssl-ssh-profile "deep-custom"
        next
    end
  8. Once traffic is being generated from the client, look at the web filter logs to verify that it is working.

    The corresponding values for all the added header fields are shown in the Web Filter card at Log & Report > Security Events, in the Change headers section at the bottom of the Log Details pane.

    1: date=2019-02-07 time=13:57:24 logid="0344013632" type="utm" subtype="webfilter" eventtype="http_header_change" level="notice" vd="vdom1" eventtime=1549576642 policyid=1 transid=50331689 sessionid=1712788383 user="TEST21@FORTINETQA" group="NTLM-FSSO" profile="test" srcip=10.1.100.116 srcport=53278 dstip=172.16.200.46 dstport=80 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTP" url="http://172.16.200.46/" agent="curl/7.22.0" chgheaders="Added=client-ip: 10.1.100.116|Proxy-Name: 1.1 100D.qa|user: TEST21|domain: FORTINETQA|local_grp: NTLM-FSSO|remote_grp: FORTINETQA/FSSO|Via: Fortigate-Proxy"