Administration Guide

Adding Web Isolation Profile from FortiProxy to FortiIsolator

FortiIsolator supports adding a web isolation profile from FortiProxy to FortiIsolator.

FortiIsolator setup

Download FortiIsolator CA Certificate
  1. Connect to FortiIsolator.
  2. Go to Dashboard > System Information > Isolator CA Certificate > Backup/Restore.
  3. Back up the CA certificates by clicking Click here, and save the ca.tgz file to your local system.
  4. Extract ca.tgz. This produces 3 files in a new folder; these files will be used later when configuring FortiProxy.
Configure Default Policy
  1. Set the Guest Type to guest only.
  2. Set Default Isolator Profile Name to system_default.
  3. Click OK.
Note

The FortiProxy header content must match the name of the FortiIsolator profile that is selected in the FortiIsolator Default Policy setting.

The example below uses the profile name "system_default". The FortiProxy header content, the FortiIsolator Isolator Profile Name, and the FortiIsolator Default Isolator Profile all use this same name.

Example

FortiProxy setup

Enable Explicit Web Proxy On FortiProxy
  1. In the FortiProxy portal GUI, go to Network > Interfaces > Port2.
  2. Set Explicit Web Proxy to Enable.
  3. Click OK.
Import FortiIsolator CA certificate and Create a new SSL/SSH Inspection Profile

Step 1: Import FortiIsolator CA Certificate.

  1. In the FortiProxy portal GUI, go to System > Certificates > Import > CA Certificate.
  2. Set Type: File.
  3. Upload: ca.crt (browse to where you saved the FortiIsolator CA certificate).
  4. Click OK.

    Note

    This is so that FortiProxy will trust FortiIsolator when handling HTTPS traffic.

  5. Go to System > Certificates > Import > Local Certificate.
  6. Type: Certificate
  7. Certificate file: ca.crt
  8. Key file: ca.key
  9. Certificate name: FIS_CA_Cert
  10. Leave everything else as it is.
  11. Click OK.

    Note

    This is so that FortiProxy can use SSL Deep Inspection.
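
Before importing ca.crt and ca.key in Step 1, it is worth confirming on the workstation that the private key belongs to the certificate and that the certificate is marked as a CA. The script below is an added example, not Fortinet tooling; it assumes the openssl CLI is installed, and its function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not Fortinet code): sanity-check ca.crt / ca.key extracted
# from ca.tgz before importing them into FortiProxy. Requires the openssl CLI.

# SHA-256 of the DER-encoded public key inside a certificate or private key.
pubkey_digest() {   # $1 = cert|key, $2 = PEM file
  local pem
  case "$1" in
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    *)    return 2 ;;
  esac || return 1
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only if the private key belongs to the certificate.
cert_key_match() {  # $1 = ca.crt, $2 = ca.key
  local c k
  c=$(pubkey_digest cert "$1") || return 1
  k=$(pubkey_digest key "$2") || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds only if the certificate carries basicConstraints CA:TRUE, which a
# certificate used to re-sign server certificates for deep inspection needs.
is_ca_cert() {      # $1 = ca.crt
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Run both checks, then print subject, expiry and fingerprint for the change
# record and restrict access to the private key.
check_ca_files() {  # $1 = ca.crt, $2 = ca.key
  is_ca_cert "$1" || { echo "not a CA certificate: $1" >&2; return 1; }
  cert_key_match "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256
  chmod 600 "$2"   # ca.key can sign certificates that proxy clients will trust
}
```

Run `check_ca_files ca.crt ca.key` from the folder created by extracting ca.tgz; a non-zero exit status means the pair should not be imported.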

Step 2: Create Web Proxy Profile

  1. Go to Policy & Objects > Web Proxy Profile > Create New.

    Name: FIS-read-only

    Header Client IP: pass

    Header Via Request: pass

    Header Via Response: pass

    Header X Forwarded For: add

    Header Front End Https: pass

    Header X Authenticated User: pass

    Header X Authenticated Groups: pass

    Strip Encoding: Disable

    Log Header Change: Disable

  2. Go to Header > Create New.

    ID: 1

    Name: fis-isolator-profile

    Action: add-to-request

    Header Content: system_default

    Base64 Encoding: Disable

    Add Option: new

    Protocol: HTTP HTTPS

Step 3: Create SSL/SSH Inspection Profile

  1. Go to Security Profiles > SSL/SSH Inspection > Create New.

    Name: deep_inspection2

    CA Certificate: FIS_CA_Cert

    Leave everything else as is.

  2. Leave everything else as it is.
  3. Click OK.
Create Isolator Server

To create FIS as an Isolator Server:

  1. Go to Policy & Objects > Isolator Server > Create New.

    Name: FIS

    Comments: FortiIsolator

    Address Type: IP

    IP: 192.168.1.18

    Port: 8888

  2. Click OK.
Create Explicit Web Proxy Policy

To create a policy to isolate Unrated/Malicious websites:

  1. Go to Policy & Objects > Policy > Create New.

    Type: Explicit

    Name: FortiProxy_FIS

    Explicit Web Proxy: web-proxy

    Outgoing Interface: Internet(port1)

    Source: all

    Destination: all

    Schedule: always

    Application/Service: webproxy1

    Action: ISOLATE

    Isolator Server: FIS

    Webproxy Profile: FIS-read-only

    SSL/SSH Inspection: deep_inspection2

    Log Allow Traffic: All Sessions

    Log HTTP Transaction: Enable

    Enable this policy: Enable

    Leave the rest as it is.

  2. Click OK.
