Fortinet black logo

Administration Guide

Home FortiProxy 7.2.9 Administration Guide
7.2.9
7.4.3
7.4.2
7.4.1
7.4.0
7.2.10
7.2.9
7.2.8
7.2.7
7.2.0
7.0.17
7.0.0
2.0.0
1.2.0
1.1.0
1.0.0

Proxy Options

Proxy Options

Certain inspections defined in security profiles require that the traffic be held in proxy while the inspection is carried out. When a security profile requiring the use of a proxy is enabled in a policy, the Proxy Options field is displayed. The proxy options define the parameters of how the traffic will be processed and to what level the traffic will be processed. There can be multiple security profiles of a single type. There can also be a number of unique proxy option profiles. As the requirements for a policy differ from one policy to the next, a different proxy option profile for each individual policy can be configured or one profile can be repeatedly applied.

The proxy options refer to the handling of the following protocols:

  • HTTP
  • SMTP
  • POP3
  • IMAP
  • FTP
  • NNTP
  • MAPI
  • DNS
  • CIFS

The configuration for each of these protocols is handled separately.

Just like other components of the FortiProxy unit, different proxy option profiles can be configured to allow for granular control of the FortiProxy unit. In the case of the proxy option profiles, you need to match the correct profile to a firewall policy that is using the appropriate protocols. If you are creating a proxy option profile that is designed for policies that control SMTP traffic into your network, you only want to configure the settings that apply to SMTP. You do not need or want to configure the HTTP components.

To view the available proxy option profiles, go to Proxy Settings > Proxy Options.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the columns to display or to reset all the columns to their default settings. You can also drag column headings to change their order.

The following options are available:

Create New

Create a proxy option profile. See Create or edit a proxy option profile and Create a CIFS proxy option.

Edit

Modify the selected proxy option profile. See Create or edit a proxy option profile.

Clone

Make a copy of the selected proxy option profile.

Delete

Remove the selected proxy option profile.

Search

Enter a search term to find in the proxy option profile list.

Name

The name of the proxy option profile.

Read Only

The default proxy option profile is read only. It cannot be changed or deleted.

Comments

An optional description of the proxy option profile.

Ref.

Displays the number of times the object is referenced to other objects.

To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.

Video streaming splitting

The following are the most popular audio/video streaming protocols:

  1. Real-time Transport Protocol (RTP)
  2. Real Time Streaming Protocol (RTSP )
  3. MPEG-Dynamic Adaptive Streaming over HTTP (DASH)
  4. Apple HTTP Live Streaming (HLS)
  5. Adobe HTTP Dynamic Streaming (HDS)
  6. Microsoft Smooth Streaming (MSS)

To deliver streams smoothly and transmit as much information as possible, video stream splitting splits streams into fragments, and their size is negotiated dynamically between the client and server. Sometimes, the fragment is kept unchanged. The default fragment sizes are 64 bytes for audio data and 128 bytes for video data and most other data types. Fragments from different streams can then be interleaved and multiplexed over a single connection. Streams can carry, for example, video and one or more audio channels, next to a control channel to control the streams. This is like an FTP command versus data session.

FortiProxy supports Apple HLS and MPEG-DASH stream splitting, which can be transferred over HTTP(S) or TCP port 1935.

Configuring TCP windows

Some file transfer applications can negotiate large TCP windows. For example, WinSCP can negotiate an initial TCP window size of about 2 GB.

The TCP window options can be used to prevent overly large initial TCP window sizes, helping avoid channel flow control issues. It allows stream‑based scan's flow control to limit peers from sending data that exceeds a policy's configured oversize limit.

To configure TCP window size options:
config firewall profile-protocol-options
    edit <string>
        config {ftp | ssh}
            ...
            set stream-based-uncompressed-limit <integer>
            set tcp-window-type {auto-tuning | system | static | dynamic}
            set tcp-window-size <integer>
            set tcp-window-minimum <integer>
            set tcp-window-maximum <integer>
            ...
        end
    next
end

{ftp | ssh}

  • ftp: Configure FTP protocol options.

  • ssh: Configure SFTP and SCP protocol options.

stream-based-uncompressed-limit <integer>

The maximum stream-based uncompressed data size that will be scanned, in MB (default = 0 (unlimited)).

Stream-based uncompression used only under certain conditions.).

tcp-window-type {auto-tuning | system | static | dynamic}

The TCP window type to use for this protocol.

  • auto-tuning: Allow the system to automatically tune the TCP window size (default). When memory usage reaches the threshold of 80%, FortiProxy automatically changes the value to system to protect memory usage.

  • system: Use the system default TCP window size for this protocol.

  • static: Manually specify the TCP window size.

  • dynamic: Vary the TCP window size based on available memory within the limits configured in tcp‑window‑minimum and tcp‑window‑maximum.

tcp-window-size <integer>

The TCP static window size (65536 - 33554432, default = 262144).

This option is only available when tcp‑window‑type is static.

tcp-window-minimum <integer>

The minimum TCP dynamic window size (65536 - 1048576, default = 131072).

This option is only available when tcp‑window‑type is dynamic.

tcp-window-maximum <integer>

The maximum TCP dynamic window size (1048576 - 33554432, default = 8388608).

This option is only available when tcp‑window‑type is dynamic.

Handling SSL offloaded traffic from an external decryption device

In scenarios where the FortiProxy unit is sandwiched between load-balancers and SSL processing is offloaded on the external load-balancers, the FortiProxy unit can perform scanning on the unencrypted traffic by specifying the ssl-offloaded option in firewall profile-protocol-options.

To configure SSL offloading:
config firewall profile-protocol-options
    edit <name>
        config http
            set ports <1-65535>
            set ssl-offloaded {no | yes}
        end
        config ftp
            set ports <1-65535>
            set ssl-offloaded {no | yes}
        end
        config imap
            set ports <1-65535>
            set ssl-offloaded {no | yes}
        end
        config pop3
            set ports <1-65535>
            set ssl-offloaded {no | yes}
        end
        config smtp
            set ports <1-65535>
            set ssl-offloaded {no | yes}
        end
        config ssh
            set ports <1-65535>
            set ssl-offloaded {no | yes}
        end
    next
end

HTTP domain fronting blocking

To block HTTP domain fronting:
config firewall profile-protocol-options
    edit <name>
        config http
            set domain-fronting block
        end
    next
end
Previous
Next

Proxy Options

Certain inspections defined in security profiles require that the traffic be held in proxy while the inspection is carried out. When a security profile requiring the use of a proxy is enabled in a policy, the Proxy Options field is displayed. The proxy options define the parameters of how the traffic will be processed and to what level the traffic will be processed. There can be multiple security profiles of a single type. There can also be a number of unique proxy option profiles. As the requirements for a policy differ from one policy to the next, a different proxy option profile for each individual policy can be configured or one profile can be repeatedly applied.

The proxy options refer to the handling of the following protocols:

  • HTTP
  • SMTP
  • POP3
  • IMAP
  • FTP
  • NNTP
  • MAPI
  • DNS
  • CIFS

The configuration for each of these protocols is handled separately.

Just like other components of the FortiProxy unit, different proxy option profiles can be configured to allow for granular control of the FortiProxy unit. In the case of the proxy option profiles, you need to match the correct profile to a firewall policy that is using the appropriate protocols. If you are creating a proxy option profile that is designed for policies that control SMTP traffic into your network, you only want to configure the settings that apply to SMTP. You do not need or want to configure the HTTP components.

To view the available proxy option profiles, go to Proxy Settings > Proxy Options.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the columns to display or to reset all the columns to their default settings. You can also drag column headings to change their order.

The following options are available:

Create New

Create a proxy option profile. See Create or edit a proxy option profile and Create a CIFS proxy option.

Edit

Modify the selected proxy option profile. See Create or edit a proxy option profile.

Clone

Make a copy of the selected proxy option profile.

Delete

Remove the selected proxy option profile.

Search

Enter a search term to find in the proxy option profile list.

Name

The name of the proxy option profile.

Read Only

The default proxy option profile is read only. It cannot be changed or deleted.

Comments

An optional description of the proxy option profile.

Ref.

Displays the number of times the object is referenced to other objects.

To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.

Video streaming splitting

The following are the most popular audio/video streaming protocols:

  1. Real-time Transport Protocol (RTP)
  2. Real Time Streaming Protocol (RTSP )
  3. MPEG-Dynamic Adaptive Streaming over HTTP (DASH)
  4. Apple HTTP Live Streaming (HLS)
  5. Adobe HTTP Dynamic Streaming (HDS)
  6. Microsoft Smooth Streaming (MSS)

To deliver streams smoothly and transmit as much information as possible, video stream splitting splits streams into fragments, and their size is negotiated dynamically between the client and server. Sometimes, the fragment is kept unchanged. The default fragment sizes are 64 bytes for audio data and 128 bytes for video data and most other data types. Fragments from different streams can then be interleaved and multiplexed over a single connection. Streams can carry, for example, video and one or more audio channels, next to a control channel to control the streams. This is like an FTP command versus data session.

FortiProxy supports Apple HLS and MPEG-DASH stream splitting, which can be transferred over HTTP(S) or TCP port 1935.

Configuring TCP windows

Some file transfer applications can negotiate large TCP windows. For example, WinSCP can negotiate an initial TCP window size of about 2 GB.

The TCP window options can be used to prevent overly large initial TCP window sizes, helping avoid channel flow control issues. It allows stream‑based scan's flow control to limit peers from sending data that exceeds a policy's configured oversize limit.

To configure TCP window size options:
config firewall profile-protocol-options
    edit <string>
        config {ftp | ssh}
            ...
            set stream-based-uncompressed-limit <integer>
            set tcp-window-type {auto-tuning | system | static | dynamic}
            set tcp-window-size <integer>
            set tcp-window-minimum <integer>
            set tcp-window-maximum <integer>
            ...
        end
    next
end

{ftp | ssh}

  • ftp: Configure FTP protocol options.

  • ssh: Configure SFTP and SCP protocol options.

stream-based-uncompressed-limit <integer>

The maximum stream-based uncompressed data size that will be scanned, in MB (default = 0 (unlimited)).

Stream-based uncompression used only under certain conditions.).

tcp-window-type {auto-tuning | system | static | dynamic}

The TCP window type to use for this protocol.

  • auto-tuning: Allow the system to automatically tune the TCP window size (default). When memory usage reaches the threshold of 80%, FortiProxy automatically changes the value to system to protect memory usage.

  • system: Use the system default TCP window size for this protocol.

  • static: Manually specify the TCP window size.

  • dynamic: Vary the TCP window size based on available memory within the limits configured in tcp‑window‑minimum and tcp‑window‑maximum.

tcp-window-size <integer>

The TCP static window size (65536 - 33554432, default = 262144).

This option is only available when tcp‑window‑type is static.

tcp-window-minimum <integer>

The minimum TCP dynamic window size (65536 - 1048576, default = 131072).

This option is only available when tcp‑window‑type is dynamic.

tcp-window-maximum <integer>

The maximum TCP dynamic window size (1048576 - 33554432, default = 8388608).

This option is only available when tcp‑window‑type is dynamic.

Handling SSL offloaded traffic from an external decryption device

In scenarios where the FortiProxy unit is sandwiched between load-balancers and SSL processing is offloaded on the external load-balancers, the FortiProxy unit can perform scanning on the unencrypted traffic by specifying the ssl-offloaded option in firewall profile-protocol-options.

To configure SSL offloading:
config firewall profile-protocol-options
    edit <name>
        config http
            set ports <1-65535>
            set ssl-offloaded {no | yes}
        end
        config ftp
            set ports <1-65535>
            set ssl-offloaded {no | yes}
        end
        config imap
            set ports <1-65535>
            set ssl-offloaded {no | yes}
        end
        config pop3
            set ports <1-65535>
            set ssl-offloaded {no | yes}
        end
        config smtp
            set ports <1-65535>
            set ssl-offloaded {no | yes}
        end
        config ssh
            set ports <1-65535>
            set ssl-offloaded {no | yes}
        end
    next
end

HTTP domain fronting blocking

To block HTTP domain fronting:
config firewall profile-protocol-options
    edit <name>
        config http
            set domain-fronting block
        end
    next
end
Previous
Next