Configuring native browser isolation in FortiProxy

To configure native browser isolation in the FortiProxy GUI:

1. Configure an HTTP portal for the client to download the isolator image:

   1. Go to Policy & Objects > Addresses and click Create New > Address.

   2. Enter a name for the address.

   3. Set Type to FQDN.

   4. Enter the FQDN.

      

   5. Click OK.

2. Enable Captive Portal:

   1. Go to Policy & Objects > Proxy Auth Setting.

   2. Enable Captive Portal and select the just create address.

   3. Set the Captive Portal Port.

   4. Set Captive Portal Type to FQDN.

      

   5. Click Apply.

3. Enable captive portal on the interface:

   1. Go to Network > Interfaces and edit the interface.

   2. Enable Proxy Captive Portal.

      

   3. Click OK.

4. Configure a firewall proxy address:

   1. Go to Policy & Objects > Addresses and click Create New > Address.

   2. Set Category to Proxy Address.

   3. Enter a name for the address, such as 1.

   4. Set Host to all and enter the URL Path Regex.

      

   5. Click OK.

5. Configure an isolator profile that uses the proxy address:

   1. Go to Policy & Objects > Isolator Setting > Profiles and click Create New.

   2. Enter a name for the profile.

   3. In the Entries table, click Create New.

   4. Select the Proxy Address.

   5. Set Action to Isolate.

      

   6. Click OK.

      

   7. Click OK.

6. Configure the default isolator profile to use and action to perform on sessions with missing information (defective session) or do not match any existing policies (unmatched session):

   1. Go to Policy & Objects > Isolator Setting > Setting.

   2. Under Default Isolator Profile, select a profile from the list which will used when no policy is matched. By default, no profile is selected.

   3. In the Defective Session field, select the action to perform on rating requests for sessions with missing information. The default is Pass, which means defective sessions are bypassed.

   4. In the Unmatched Session field, select the action to perform on rating requests for sessions that do not match any policy. The default is Pass, which means unmatched sessions are bypassed. If use-default-profile is selected and the session does not match the default profile still, the session is passed.

   

7. Configure an SSL/SSH profile with full ssl inspection:

   1. Go to SSL/SSH Inspection and click Create New.

   2. Enter a name for the profile, such as test.

   3. In Enable SSL inspection of, select Multiple Clients Connecting to Multiple Servers.

   4. In Inspection method, select Full SSL Inspection.

   5. In CA Certificate, select a CA certificate from the drop-down menu.

      Later you will need to install the certificate in the browser of each machine that uses Native Browser Isolation to avoid certificate warnings.

   6. Configure the other settings as required, then click OK.

      See the FortiProxy Administration Guide for more information about the configuration options.

8. Configure a firewall policy that uses the isolator and SSL/SSH profiles:

   1. Go to Policy & Objects > Policy and click Create New.

   2. Configure the following:

      Type	Explicit
      Explicit Web Proxy	web-proxy
      Outgoing Intergave	any
      Source	all
      Destination	all
      Schedule	always
      Service	webproxy
      Action	Accept
      SSL/SSH Inspection	test
      Isolator	1
      Comments	isolator traffic inspect

   3. Click OK.

To configure native browser isolation in the CLI:

1. Configure an HTTP portal for the client to download the FortiNBI isolator image:

   config firewall address
       edit "Fortinet"
           set type fqdn
           set fqdn "fortinet.com"
       next
   end

2. In the authentication settings, set the captive portal name:

   config authentication setting
       set captive-portal "Fortinet"
   end

3. Enable captive portal on the interface:

   config system interface
       edit <interface>
           set proxy-captive-portal enable
       next
   end

4. Configure a firewall proxy address:

   config firewall proxy-address
       edit "1"        
           set host "all"
       next
   end

5. Configure an isolator profile that uses the proxy address:

   config isolator profile
       edit "1"
           config entries
               edit 1
                   set proxy-address "1"
                   set action isolate
                   set status enable
               next
           end
       next
   end

   proxy-address <proxy-address>	Choose the proxy-address for this isolator profile entry.
   action {block | allow | freeze | isolate}	Choose the action for this isolator entry: isolate: Open the website in an isolated browser (default). freeze: Freeze the website. The user is able to unfreeze and get access to the website when they accept the risk. block: Block the traffic to the website. allow: Bypass the traffic to the website.
   status {enable | disable}	Enable/disable this isolator entry (default = enable).

6. Configure the default isolator profile to use and action to perform on sessions with missing information (defective session) or do not match any existing policies (unmatched session):

   config isolator setting
      set default-isolator-profile {string}
      set defective-session [use-default-profile|pass|...]
      set unmatched-session [use-default-profile|pass|...]
   end

   default-isolator-profile	Choose the name of an isolator profile that will be used when no policy is matched.
   defective-session	Choose the action to perform on rating requests for sessions with missing information: use-default-profile: Use default isolator profile to handle the session. pass: Return bypass response to the rating request of the session (default). block: Return block response to the rating request of the session.
   unmatched-session	Choose the action to perform on rating requests for sessions that do not match any policy: use-default-profile: Use default isolator profile to handle the session. If the session does not match the default profile still, the session is passed. pass: Return bypass response to the rating request of the session (default). block: Return block response to the rating request of the session.

7. Configure an SSL/SSH profile with full SSL inspection:

   config firewall ssl-ssh-profile
       edit "test"
           config https
               set ports 443
               set status deep-inspection
           end
           config ftps
               set ports 990
               set status deep-inspection
           end
           config imaps
               set ports 993
               set status deep-inspection
           end
           config pop3s
               set ports 995
               set status deep-inspection
           end
           config smtps
               set ports 465
               set status deep-inspection
           end
           config ssh
               set ports 22
               set status disable
           end
           config dot
               set status disable
           end
       next
   end

8. Configure a firewall policy that uses the isolator and SSL/SSH profiles:

   config firewall policy
       edit 2
           set type explicit-web       
           set dstintf "any"
           set srcaddr "all"
           set dstaddr "all"
           set action accept
           set schedule "always"
           set service "webproxy"
           set explicit-web-proxy "web-proxy"
           set utm-status enable
           set comments "isolator traffic inspect"
           set ssl-ssh-profile "test"
           set isolator-profile "1"
       next
   end