Browser Isolation
FortiProxy Client-based Native Browser Isolation (NBI) uses a Windows Subsystem for Linux (WSL) distribution (distro) to isolate the browser from the rest of the computer. As browsers are one of the biggest windows to external networks, they are one of the biggest attack vectors. Isolating or sandboxing the browser in a container helps decrease the attack surface.
FortiNBI does not support isolation over IPv6 because of a WSL limitation.
The endpoint must use FortiProxy as an HTTP proxy. The FortiNBI installer installs the browser extension, a WSL distro with a preloaded Chrome browser, a Windows service that communicates with the FortiProxy providing the ratings, and a per-user application that launches the isolated browser and manages the system.
While FortiNBI allows multiple users on a machine, concurrent users are not supported. All users on a machine must have the same proxy settings for FortiNBI to work properly. Make sure that the organizational security rules do not require distinct proxies for different users on the same machine.
The browser extension monitors each browser tab, and reports every new tab invocation to FortiProxy over the communication channel that it maintains, with FortiProxy acting as a secure web gateway.
FortiProxy receives the web browsing information, applies the relevant explicit or transparent policy to it, generates a verdict, and then sends that verdict to the extension on the endpoint.
The browser extension acts based on the verdict: Allow, Block, Freeze, or Isolate. If the verdict is to isolate, the containerized browser opens in a new window and loads the URL. The user can then access the web through the isolated browser. When the user closes the browser, the WSL distro instance is closed, removing all of the web artifacts that were generated while browsing.
This guide covers the following topics about Browser Isolation: