Fortinet black logo

Browser Isolation Deployment

Home FortiProxy 7.2.0 Browser Isolation Deployment
7.2.0
7.4.4
7.4.3
7.4.2
7.4.1
7.4.0
7.2.10
7.2.9
7.2.8
7.2.7
7.2.0

Configuring native browser isolation in FortiProxy

Configuring native browser isolation in FortiProxy

To configure native browser isolation in the FortiProxy GUI:

  1. Configure an HTTP portal for the client to download the isolator image:

    1. Go to Policy & Objects > Addresses and click Create New > Address.

    2. Enter a name for the address.

    3. Set Type to FQDN.

    4. Enter the FQDN.

    5. Click OK.

  2. Enable Captive Portal:

    1. Go to Policy & Objects > Proxy Auth Setting.

    2. Enable Captive Portal and select the just create address.

    3. Set the Captive Portal Port.

    4. Set Captive Portal Type to FQDN.

    5. Click Apply.

  3. Enable captive portal on the interface:

    1. Go to Network > Interfaces and edit the interface.

    2. Enable Proxy Captive Portal.

    3. Click OK.

  4. Configure a firewall proxy address:

    1. Go to Policy & Objects > Addresses and click Create New > Address.

    2. Set Category to Proxy Address.

    3. Enter a name for the address, such as 1.

    4. Set Host to all and enter the URL Path Regex.

    5. Click OK.

  5. Configure an isolator profile that uses the proxy address:

    1. Go to Security Profiles > Isolator Profile and click Create New.

    2. Enter a name for the profile.

    3. In the Entries table, click Create New.

    4. Select the Proxy Address.

    5. Set Action to Isolate.

    6. Click OK.

    7. Click OK.

  6. Configure an SSL/SSH profile with full ssl inspection:

    1. Go to SSL/SSH Inspection and click Create New.

    2. Enter a name for the profile, such as test.

    3. In Enable SSL inspection of, select Multiple Clients Connecting to Multiple Servers.

    4. In Inspection method, select Full SSL Inspection.

    5. In CA Certificate, select a CA certificate from the drop-down menu.

      Later you will need to install the certificate in the browser of each machine that uses Native Browser Isolation to avoid certificate warnings.

    6. Configure the other settings as required, then click OK.

      See the FortiProxy Administration Guide for more information about the configuration options.

  7. Configure a firewall policy that uses the isolator and SSL/SSH profiles:

    1. Go to Policy & Objects > Policy and click Create New.

    2. Configure the following:

      Type

      Explicit

      Explicit Web Proxy

      web-proxy

      Outgoing Intergave

      any

      Source

      all

      Destination

      all

      Schedule

      always

      Service

      webproxy

      Action

      Accept

      SSL/SSH Inspection

      test

      Isolator

      1

      Comments

      isolator traffic inspect

    3. Click OK.

To configure native browser isolation in the CLI:

  1. Configure an HTTP portal for the client to download the FortiNBI isolator image:

    config firewall address
    edit "Fortinet"
        set type fqdn
        set fqdn "fortinet.com"
    next
end

  2. In the authentication settings, set the captive portal name:

    config authentication setting
    set captive-portal "Fortinet"
end

  3. Enable captive portal on the interface:

    config system interface
    edit <interface>
        set proxy-captive-portal enable
    next
end

  4. Configure a firewall proxy address:

    config firewall proxy-address
    edit "1"        
        set host "all"
    next
end

  5. Configure an isolator profile that uses the proxy address:

    config isolator profile
    edit "1"
        config entries
            edit 1
                set proxy-address "1"
                set action isolate
                set status enable
            next
        end
    next
end

    proxy-address <proxy-address>

    Choose the proxy-address for this isolator profile entry.

    action {block | allow | freeze | isolate}

    Choose the action for this isolator entry:

    • isolate: Open the website in an isolated browser (default).

    • freeze: Freeze the website. The user is able to unfreeze and get access to the website when they accept the risk.

    • block: Block the traffic to the website.

    • allow: Bypass the traffic to the website.

    status {enable | disable}

    Enable/disable this isolator entry (default = enable).

  6. Configure an SSL/SSH profile with full SSL inspection:

    config firewall ssl-ssh-profile
    edit "test"
        config https
            set ports 443
            set status deep-inspection
        end
        config ftps
            set ports 990
            set status deep-inspection
        end
        config imaps
            set ports 993
            set status deep-inspection
        end
        config pop3s
            set ports 995
            set status deep-inspection
        end
        config smtps
            set ports 465
            set status deep-inspection
        end
        config ssh
            set ports 22
            set status disable
        end
        config dot
            set status disable
        end
    next
end

  7. Configure a firewall policy that uses the isolator and SSL/SSH profiles:

    config firewall policy
    edit 2
        set type explicit-web       
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set utm-status enable
        set comments "isolator traffic inspect"
        set ssl-ssh-profile "test"
        set isolator-profile "1"
    next
end
Previous
Next

Configuring native browser isolation in FortiProxy

To configure native browser isolation in the FortiProxy GUI:

  1. Configure an HTTP portal for the client to download the isolator image:

    1. Go to Policy & Objects > Addresses and click Create New > Address.

    2. Enter a name for the address.

    3. Set Type to FQDN.

    4. Enter the FQDN.

    5. Click OK.

  2. Enable Captive Portal:

    1. Go to Policy & Objects > Proxy Auth Setting.

    2. Enable Captive Portal and select the just create address.

    3. Set the Captive Portal Port.

    4. Set Captive Portal Type to FQDN.

    5. Click Apply.

  3. Enable captive portal on the interface:

    1. Go to Network > Interfaces and edit the interface.

    2. Enable Proxy Captive Portal.

    3. Click OK.

  4. Configure a firewall proxy address:

    1. Go to Policy & Objects > Addresses and click Create New > Address.

    2. Set Category to Proxy Address.

    3. Enter a name for the address, such as 1.

    4. Set Host to all and enter the URL Path Regex.

    5. Click OK.

  5. Configure an isolator profile that uses the proxy address:

    1. Go to Security Profiles > Isolator Profile and click Create New.

    2. Enter a name for the profile.

    3. In the Entries table, click Create New.

    4. Select the Proxy Address.

    5. Set Action to Isolate.

    6. Click OK.

    7. Click OK.

  6. Configure an SSL/SSH profile with full ssl inspection:

    1. Go to SSL/SSH Inspection and click Create New.

    2. Enter a name for the profile, such as test.

    3. In Enable SSL inspection of, select Multiple Clients Connecting to Multiple Servers.

    4. In Inspection method, select Full SSL Inspection.

    5. In CA Certificate, select a CA certificate from the drop-down menu.

      Later you will need to install the certificate in the browser of each machine that uses Native Browser Isolation to avoid certificate warnings.

    6. Configure the other settings as required, then click OK.

      See the FortiProxy Administration Guide for more information about the configuration options.

  7. Configure a firewall policy that uses the isolator and SSL/SSH profiles:

    1. Go to Policy & Objects > Policy and click Create New.

    2. Configure the following:

      Type

      Explicit

      Explicit Web Proxy

      web-proxy

      Outgoing Intergave

      any

      Source

      all

      Destination

      all

      Schedule

      always

      Service

      webproxy

      Action

      Accept

      SSL/SSH Inspection

      test

      Isolator

      1

      Comments

      isolator traffic inspect

    3. Click OK.

To configure native browser isolation in the CLI:

  1. Configure an HTTP portal for the client to download the FortiNBI isolator image:

    config firewall address
    edit "Fortinet"
        set type fqdn
        set fqdn "fortinet.com"
    next
end

  2. In the authentication settings, set the captive portal name:

    config authentication setting
    set captive-portal "Fortinet"
end

  3. Enable captive portal on the interface:

    config system interface
    edit <interface>
        set proxy-captive-portal enable
    next
end

  4. Configure a firewall proxy address:

    config firewall proxy-address
    edit "1"        
        set host "all"
    next
end

  5. Configure an isolator profile that uses the proxy address:

    config isolator profile
    edit "1"
        config entries
            edit 1
                set proxy-address "1"
                set action isolate
                set status enable
            next
        end
    next
end

    proxy-address <proxy-address>

    Choose the proxy-address for this isolator profile entry.

    action {block | allow | freeze | isolate}

    Choose the action for this isolator entry:

    • isolate: Open the website in an isolated browser (default).

    • freeze: Freeze the website. The user is able to unfreeze and get access to the website when they accept the risk.

    • block: Block the traffic to the website.

    • allow: Bypass the traffic to the website.

    status {enable | disable}

    Enable/disable this isolator entry (default = enable).

  6. Configure an SSL/SSH profile with full SSL inspection:

    config firewall ssl-ssh-profile
    edit "test"
        config https
            set ports 443
            set status deep-inspection
        end
        config ftps
            set ports 990
            set status deep-inspection
        end
        config imaps
            set ports 993
            set status deep-inspection
        end
        config pop3s
            set ports 995
            set status deep-inspection
        end
        config smtps
            set ports 465
            set status deep-inspection
        end
        config ssh
            set ports 22
            set status disable
        end
        config dot
            set status disable
        end
    next
end

  7. Configure a firewall policy that uses the isolator and SSL/SSH profiles:

    config firewall policy
    edit 2
        set type explicit-web       
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set utm-status enable
        set comments "isolator traffic inspect"
        set ssl-ssh-profile "test"
        set isolator-profile "1"
    next
end
Previous
Next