Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiIsolator 2.3.0 Administration Guide
    2.3.0
    2.4.5
    2.4.4
    2.4.3
    2.4.2
    2.4.1
    2.4.0
    2.3.4
    2.3.1
    2.3.0
    2.2.0
    2.1.2
    2.1.1
    2.1.0
    2.0.1
    2.0.0
    1.2.2
    1.2.1
    1.2.0
    1.1.0

    Adding Web Isolation Profile from FortiProxy to FortiIsolator

    Adding Web Isolation Profile from FortiProxy to FortiIsolator

    FortiIsolator supports adding a web isolation profile from FortiProxy to FortiIsolator.

    FortiIsolator setup

    Download FortiIsolator CA Certificate
    1. Connect to FortiIsolator
    2. Go to Dashboard > System Information > Isolator CA Certificate > Backup/Restore.
    3. Backup the CA Certificates by pressing Click here. Save the ca.tgz file to your local system
    4. Unzip ca.tgz, you get 3 files under a new folder; these files will be use later when configuring FortiProxy.
    Configure Default Policy
    1. Set the Guest Type to guest only.
    2. Set Default Isolator Profile Name to system_default.
    3. Click OK.
    Note

    FortiProxy Header content must be named consistently with the FortiIsolator Profile name that is selected in FortiIsolator Default Policy setting.

    Currently the profile name "system_default" is being used in the example below. All settings, as in FortiProxy header content, FortiIsolator Isolator Profile Name, and FortiIsolator Default Isolator Profile, are using the same profile name "system_default."

    Example

    FortiProxy setup

    Enable Explicit Web Proxy On FortiProxy
    1. Connect to FortiProxy portal GUI: Network > Interfaces > Port2.
    2. Enable Explicit Web Proxy: Enable.
    3. Click OK.
    Import FortiIsolator CA certificate and Create a new SSL/SSH Inspection Profile

    Step 1: Import FortiIsolator CA Certificate.

    1. Connect to FortiProxy portal GUI by going to System > Certificates > Import > CA Certificate.
    2. Set Type: File.
    3. Upload: ca.crt browser to where you save the FortiIsolator CA certificate.

    4. Click OK.

      Note

      This is so that FortiProxy will trust FortiIsolator when dealing with HTTPS traffics.
    5. Go to System > Certificates > Import > Local Certificate.
    6. Type: Certificate
    7. Certificate file: ca.crt
    8. Key file: ca.key
    9. Certificate name: FIS_CA_Cert
    10. Leave eveything else as it is

    11. Click OK.

      Note

      This is so that FortiProxy can use SSL Deep Inspection.

    Step 2: Create Web Proxy Profile

    1. Go to Policy & Objects > Web Proxy Profile > Create New.

      Name: FIS-read-only

      Header Client IP: pass

      Header Via Request: pass

      Header Via Response: pass

      Header X Forwarded For: add

      Header Front End Https: pass

      Header X Authenticated User: pass

      Header X Authenticated Groups: pass

      Strip Encoding: Disable

      Log Header Change: Disable

    2. Go to Header > Create New.

      ID: 1

      Name: fis-isolator-profile

      Action: add-to-request

      Header Content: system_default

      Base64 Encoding: Disable

      Add Option: new

      Protocol: HTTP HTTPS

    Step 3: Create SSL/SSH Inspection Profile

    1. Go to Security Profiles > SSL/SSH Inspection > Create New.

      Name: deep_inspection2

      CA Certificate: FIS_CA_Cert

      Leave everything else as is.

    2. Leave everything else as it is
    3. Click OK.
    Create Isolator Server

    To create FIS as Isolator Server

    1. Go to Policy & Objects > Isolator Server > Create New.

      Name: FIS

      Comments: FortiIsolator

      Address Type: IP

      IP: 192.168.1.18

      Port: 8888

    2. Click OK.
    Create Explicit Web Proxy Policy

    To create a policy to isolate Unrated/Malicious websites:

    1. Go to Policy & Objects > Policy > Create New.

      Type: Explicit

      Name: FortiProxy_FIS

      Explicit Web Proxy: web-proxy

      Outgoing Interface: Internet(port1)

      Source: all

      Destination: all

      Schedule: always

      Application/Service: webproxy1

      Action: ISOLATE

      Isolator Server: FIS

      Webproxy Profile: FIS-read-only

      SSL/SSH Inspection: deep_inspection2

      Log Allow Traffic: All Sessions

      Log HTTP Transaction: Enable

      Enable this policy: Enable

      Leave the rest as it is

    2. Click OK.
    Previous
    Next

    Adding Web Isolation Profile from FortiProxy to FortiIsolator

    Adding Web Isolation Profile from FortiProxy to FortiIsolator

    FortiIsolator supports adding a web isolation profile from FortiProxy to FortiIsolator.

    FortiIsolator setup

    Download FortiIsolator CA Certificate
    1. Connect to FortiIsolator
    2. Go to Dashboard > System Information > Isolator CA Certificate > Backup/Restore.
    3. Backup the CA Certificates by pressing Click here. Save the ca.tgz file to your local system
    4. Unzip ca.tgz, you get 3 files under a new folder; these files will be use later when configuring FortiProxy.
    Configure Default Policy
    1. Set the Guest Type to guest only.
    2. Set Default Isolator Profile Name to system_default.
    3. Click OK.
    Note

    FortiProxy Header content must be named consistently with the FortiIsolator Profile name that is selected in FortiIsolator Default Policy setting.

    Currently the profile name "system_default" is being used in the example below. All settings, as in FortiProxy header content, FortiIsolator Isolator Profile Name, and FortiIsolator Default Isolator Profile, are using the same profile name "system_default."

    Example

    FortiProxy setup

    Enable Explicit Web Proxy On FortiProxy
    1. Connect to FortiProxy portal GUI: Network > Interfaces > Port2.
    2. Enable Explicit Web Proxy: Enable.
    3. Click OK.
    Import FortiIsolator CA certificate and Create a new SSL/SSH Inspection Profile

    Step 1: Import FortiIsolator CA Certificate.

    1. Connect to FortiProxy portal GUI by going to System > Certificates > Import > CA Certificate.
    2. Set Type: File.
    3. Upload: ca.crt browser to where you save the FortiIsolator CA certificate.

    4. Click OK.

      Note

      This is so that FortiProxy will trust FortiIsolator when dealing with HTTPS traffics.
    5. Go to System > Certificates > Import > Local Certificate.
    6. Type: Certificate
    7. Certificate file: ca.crt
    8. Key file: ca.key
    9. Certificate name: FIS_CA_Cert
    10. Leave eveything else as it is

    11. Click OK.

      Note

      This is so that FortiProxy can use SSL Deep Inspection.

    Step 2: Create Web Proxy Profile

    1. Go to Policy & Objects > Web Proxy Profile > Create New.

      Name: FIS-read-only

      Header Client IP: pass

      Header Via Request: pass

      Header Via Response: pass

      Header X Forwarded For: add

      Header Front End Https: pass

      Header X Authenticated User: pass

      Header X Authenticated Groups: pass

      Strip Encoding: Disable

      Log Header Change: Disable

    2. Go to Header > Create New.

      ID: 1

      Name: fis-isolator-profile

      Action: add-to-request

      Header Content: system_default

      Base64 Encoding: Disable

      Add Option: new

      Protocol: HTTP HTTPS

    Step 3: Create SSL/SSH Inspection Profile

    1. Go to Security Profiles > SSL/SSH Inspection > Create New.

      Name: deep_inspection2

      CA Certificate: FIS_CA_Cert

      Leave everything else as is.

    2. Leave everything else as it is
    3. Click OK.
    Create Isolator Server

    To create FIS as Isolator Server

    1. Go to Policy & Objects > Isolator Server > Create New.

      Name: FIS

      Comments: FortiIsolator

      Address Type: IP

      IP: 192.168.1.18

      Port: 8888

    2. Click OK.
    Create Explicit Web Proxy Policy

    To create a policy to isolate Unrated/Malicious websites:

    1. Go to Policy & Objects > Policy > Create New.

      Type: Explicit

      Name: FortiProxy_FIS

      Explicit Web Proxy: web-proxy

      Outgoing Interface: Internet(port1)

      Source: all

      Destination: all

      Schedule: always

      Application/Service: webproxy1

      Action: ISOLATE

      Isolator Server: FIS

      Webproxy Profile: FIS-read-only

      SSL/SSH Inspection: deep_inspection2

      Log Allow Traffic: All Sessions

      Log HTTP Transaction: Enable

      Enable this policy: Enable

      Leave the rest as it is

    2. Click OK.
    Previous
    Next