Fortinet white logo
Fortinet white logo

Administration Guide

Web proxy

Web proxy

Web proxy covers both transparent proxy and explicit proxy.

This section covers the following topics:

Web proxy concepts

This section covers the following concepts that apply to both transparent proxy and explicit proxy:

Proxy policy

Any time a security profile that uses a proxy is enabled, you need to configure the proxy options. Certain inspections defined in security profiles require that the traffic be held in proxy while the inspection is carried out, and the proxy options define how the traffic will be processed and to what level the traffic will be processed. In the same way that there can be multiple security profiles of a single type, there can also be a number of unique proxy option profiles so that, as the requirements for a policy differ from one policy to the next, you can also configure a different proxy option profile for each individual policy or you can use one profile repeatedly.

The proxy options support the following protocols:

  • HTTP
  • FTP
  • CIFS
  • SSH

The configuration for each of these protocols is handled separately.

Proxy authentication

Authentication is separated from authorization for user-based policies. You can add authentication to proxy policies to control access to the policy and to identify users and apply different UTM features to different users. The described authentication methodology works with explicit web proxy and transparent proxy.

Authentication of web proxy sessions uses HTTP basic and digest authentication as described in RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication) and prompts the user for credentials from the browser allowing individual users to be identified by their web browser instead of IP address. HTTP authentication allows the FortiProxy unit to distinguish between multiple users accessing services from a shared IP address.

The authentication rule table defines how to identify user-ID. It uses the match factors:

  • Protocol
  • Source address

For one address and protocol, there is only one authentication rule. It is possible to configure multiple authentication methods for one address. The client browser will chose one authentication method from the authentication methods list, but you cannot control which authentication method will be chosen by the browser.

Proxy addresses

Proxy addresses are used for both transparent web proxy and explicit web proxy.

In some respects, they can be like FQDN addresses in that they refer to an alphanumeric string that is assigned to an IP address, but then they go an additional level of granularity by using additional information and criteria to further specify locations or types of traffic within the web site itself.

Proxy address group

In the same way that IPv4 and IPv6 addresses can only be grouped together, proxy addresses can only be grouped with other proxy addresses. Unlike other address groups, the proxy address groups are further divided into source address groups and destination address groups.

Web proxy firewall services and service groups

Web proxy services are similar to standard firewall services. You can configure web proxy services to define one or more protocols and port numbers that are associated with each web proxy service. Web proxy services can also be grouped into web proxy service groups.

One way in which web proxy services differ from firewall services is the protocol type you can select. The following protocol types are available:

  • ALL
  • CONNECT
  • FTP
  • HTTP
  • SOCKS-TCP
  • SOCKS-UDP

Learn client IP

If there is another NATing device between the FortiProxy unit and the client (browser), this feature can be used to identify the real client in spite of the address translation. Knowing the actual client is imperative in cases where authorization is taking place.

Explicit web proxy concepts

The following is information that is specific to explicit proxy. Any information that is common to web proxy in general is covered in Web proxy concepts.

You can use the FortiProxy explicit web proxy to enable explicit proxying of IPv4 and IPv6 HTTP and HTTPS traffic on one or more FortiProxy interfaces. The explicit web proxy also supports proxying FTP sessions from a web browser and proxy auto-config (PAC) to provide automatic proxy configurations for explicit web proxy users. From the CLI you can also configure the explicit web proxy to support SOCKS sessions from a web browser. The explicit web and FTP proxies can be operating at the same time on the same or on different FortiProxy interfaces.

In most cases, you would configure the explicit web proxy for users on a network by enabling the explicit web proxy on the FortiProxy interface connected to that network. Users on the network would configure their web browsers to use a proxy server for HTTP and HTTPS, FTP, or SOCKS and set the proxy server IP address to the IP address of the FortiProxy interface connected to their network. Users could also enter the PAC URL into their web browser PAC configuration to automate their web proxy configuration using a PAC file stored on the FortiProxy unit.

caution icon Enabling the explicit web proxy on an interface connected to the Internet is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address.

If the FortiProxy unit is operating in transparent mode, users would configure their browsers to use a proxy server with the FortiProxy management IP address.

The web proxy receives web browser sessions to be proxied at FortiProxy interfaces with the explicit web proxy enabled. The web proxy uses FortiProxy routing to route sessions through the FortiProxy unit to a destination interface. Before a session leaves the exiting interface, the explicit web proxy changes the source addresses of the session packets to the IP address of the exiting interface. When the FortiProxy unit is operating in transparent mode, the explicit web proxy changes the source addresses to the management IP address. You can configure the explicit web proxy to keep the original client IP address.

Example explicit web proxy topology

To allow all explicit web proxy traffic to pass through the FortiProxy unit you can set the explicit web proxy default firewall policy action to ACCEPT. However, in most cases you would want to use security policies to control explicit web proxy traffic and apply security features such as access control/authentication, virus scanning, web filtering, application control, and traffic logging. You can do this by keeping the default explicit web proxy security policy action to DENY and then adding web-proxy security policies.

You can also change the explicit web proxy default security policy action to accept and add explicit web proxy security policies. If you do this, sessions that match web-proxy security policies are processed according to the security policy settings. Connections to the explicit web proxy that do not match a web-proxy security policy are allowed with no restrictions or additional security processing. NOTE: This configuration is not recommended and is not a best practice.

The explicit web-proxy can accept VIP addresses for destination addresses. If an external IP matches a VIP policy, the IP is changed to the mapped-IP of the VIP.

Web-proxy policies can selectively accept or deny traffic, apply authentication, enable traffic logging, and use security profiles to apply virus scanning, web filtering, IPS, application control, DLP, and SSL/SSH inspection to explicit web proxy traffic.

You cannot configure IPsec or traffic shaping for explicit web proxy traffic. Web proxy policies can only include firewall addresses not assigned to a FortiProxy unit interface or with interface set to any. (On the web-based manager, you must set the interface to any. In the CLI you must unset the associated interface.)

Authentication of explicit web proxy sessions uses HTTP authentication and can be based on the user’s source IP address or on cookies from the user’s web browser.

To use the explicit web proxy, you must add the IP address of a FortiProxy interface on which the explicit web proxy is enabled and the explicit web proxy port number (default 8080) to the proxy configuration settings of their web browsers.

You can also enable web caching for explicit web proxy sessions.

Transparent web proxy concepts

In addition to the explicit web proxy, the FortiProxy unit supports a transparent web proxy. While it does not have as many features as explicit web proxy, the transparent proxy has the advantage that nothing needs to be done on the userʼs system to forward supported web traffic over to the proxy. There is no need to reconfigure the browser or publish a PAC file. Everything is transparent to the end user, hence the name. This makes it easier to incorporate new users into a proxy deployment.

You can use the transparent proxy to apply web authentication to HTTP traffic accepted by a firewall policy.

Normal FortiProxy authentication is IP-address based. Users are authenticated according to their IP address and access is allowed or denied based on this IP address. On networks where authentication based on IP address will not work, you can use the transparent web proxy to apply web authentication that is based on the user's browser and not on their IP address. This authentication method allows you to identify individual users even if multiple users on your network are connecting to the FortiProxy unit from the same IP address.

Explicit web proxy topologies

You can configure a FortiProxy unit to be an explicit web proxy server for Internet web browsing of IPv4 and IPv6 web traffic. To use the explicit web proxy, users must add the IP address of the FortiProxy interface configured for the explicit web proxy to their web browser proxy configuration.

Explicit web proxy topology

If the FortiProxy unit supports web caching, you can also add web caching to the security policy that accepts explicit web proxy sessions. The FortiProxy unit then caches Internet web pages on a hard disk to improve web browsing performance.

Explicit web proxy with web caching topology

Web proxy

Web proxy

Web proxy covers both transparent proxy and explicit proxy.

This section covers the following topics:

Web proxy concepts

This section covers the following concepts that apply to both transparent proxy and explicit proxy:

Proxy policy

Any time a security profile that uses a proxy is enabled, you need to configure the proxy options. Certain inspections defined in security profiles require that the traffic be held in proxy while the inspection is carried out, and the proxy options define how the traffic will be processed and to what level the traffic will be processed. In the same way that there can be multiple security profiles of a single type, there can also be a number of unique proxy option profiles so that, as the requirements for a policy differ from one policy to the next, you can also configure a different proxy option profile for each individual policy or you can use one profile repeatedly.

The proxy options support the following protocols:

  • HTTP
  • FTP
  • CIFS
  • SSH

The configuration for each of these protocols is handled separately.

Proxy authentication

Authentication is separated from authorization for user-based policies. You can add authentication to proxy policies to control access to the policy and to identify users and apply different UTM features to different users. The described authentication methodology works with explicit web proxy and transparent proxy.

Authentication of web proxy sessions uses HTTP basic and digest authentication as described in RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication) and prompts the user for credentials from the browser allowing individual users to be identified by their web browser instead of IP address. HTTP authentication allows the FortiProxy unit to distinguish between multiple users accessing services from a shared IP address.

The authentication rule table defines how to identify user-ID. It uses the match factors:

  • Protocol
  • Source address

For one address and protocol, there is only one authentication rule. It is possible to configure multiple authentication methods for one address. The client browser will chose one authentication method from the authentication methods list, but you cannot control which authentication method will be chosen by the browser.

Proxy addresses

Proxy addresses are used for both transparent web proxy and explicit web proxy.

In some respects, they can be like FQDN addresses in that they refer to an alphanumeric string that is assigned to an IP address, but then they go an additional level of granularity by using additional information and criteria to further specify locations or types of traffic within the web site itself.

Proxy address group

In the same way that IPv4 and IPv6 addresses can only be grouped together, proxy addresses can only be grouped with other proxy addresses. Unlike other address groups, the proxy address groups are further divided into source address groups and destination address groups.

Web proxy firewall services and service groups

Web proxy services are similar to standard firewall services. You can configure web proxy services to define one or more protocols and port numbers that are associated with each web proxy service. Web proxy services can also be grouped into web proxy service groups.

One way in which web proxy services differ from firewall services is the protocol type you can select. The following protocol types are available:

  • ALL
  • CONNECT
  • FTP
  • HTTP
  • SOCKS-TCP
  • SOCKS-UDP

Learn client IP

If there is another NATing device between the FortiProxy unit and the client (browser), this feature can be used to identify the real client in spite of the address translation. Knowing the actual client is imperative in cases where authorization is taking place.

Explicit web proxy concepts

The following is information that is specific to explicit proxy. Any information that is common to web proxy in general is covered in Web proxy concepts.

You can use the FortiProxy explicit web proxy to enable explicit proxying of IPv4 and IPv6 HTTP and HTTPS traffic on one or more FortiProxy interfaces. The explicit web proxy also supports proxying FTP sessions from a web browser and proxy auto-config (PAC) to provide automatic proxy configurations for explicit web proxy users. From the CLI you can also configure the explicit web proxy to support SOCKS sessions from a web browser. The explicit web and FTP proxies can be operating at the same time on the same or on different FortiProxy interfaces.

In most cases, you would configure the explicit web proxy for users on a network by enabling the explicit web proxy on the FortiProxy interface connected to that network. Users on the network would configure their web browsers to use a proxy server for HTTP and HTTPS, FTP, or SOCKS and set the proxy server IP address to the IP address of the FortiProxy interface connected to their network. Users could also enter the PAC URL into their web browser PAC configuration to automate their web proxy configuration using a PAC file stored on the FortiProxy unit.

caution icon Enabling the explicit web proxy on an interface connected to the Internet is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address.

If the FortiProxy unit is operating in transparent mode, users would configure their browsers to use a proxy server with the FortiProxy management IP address.

The web proxy receives web browser sessions to be proxied at FortiProxy interfaces with the explicit web proxy enabled. The web proxy uses FortiProxy routing to route sessions through the FortiProxy unit to a destination interface. Before a session leaves the exiting interface, the explicit web proxy changes the source addresses of the session packets to the IP address of the exiting interface. When the FortiProxy unit is operating in transparent mode, the explicit web proxy changes the source addresses to the management IP address. You can configure the explicit web proxy to keep the original client IP address.

Example explicit web proxy topology

To allow all explicit web proxy traffic to pass through the FortiProxy unit you can set the explicit web proxy default firewall policy action to ACCEPT. However, in most cases you would want to use security policies to control explicit web proxy traffic and apply security features such as access control/authentication, virus scanning, web filtering, application control, and traffic logging. You can do this by keeping the default explicit web proxy security policy action to DENY and then adding web-proxy security policies.

You can also change the explicit web proxy default security policy action to accept and add explicit web proxy security policies. If you do this, sessions that match web-proxy security policies are processed according to the security policy settings. Connections to the explicit web proxy that do not match a web-proxy security policy are allowed with no restrictions or additional security processing. NOTE: This configuration is not recommended and is not a best practice.

The explicit web-proxy can accept VIP addresses for destination addresses. If an external IP matches a VIP policy, the IP is changed to the mapped-IP of the VIP.

Web-proxy policies can selectively accept or deny traffic, apply authentication, enable traffic logging, and use security profiles to apply virus scanning, web filtering, IPS, application control, DLP, and SSL/SSH inspection to explicit web proxy traffic.

You cannot configure IPsec or traffic shaping for explicit web proxy traffic. Web proxy policies can only include firewall addresses not assigned to a FortiProxy unit interface or with interface set to any. (On the web-based manager, you must set the interface to any. In the CLI you must unset the associated interface.)

Authentication of explicit web proxy sessions uses HTTP authentication and can be based on the user’s source IP address or on cookies from the user’s web browser.

To use the explicit web proxy, you must add the IP address of a FortiProxy interface on which the explicit web proxy is enabled and the explicit web proxy port number (default 8080) to the proxy configuration settings of their web browsers.

You can also enable web caching for explicit web proxy sessions.

Transparent web proxy concepts

In addition to the explicit web proxy, the FortiProxy unit supports a transparent web proxy. While it does not have as many features as explicit web proxy, the transparent proxy has the advantage that nothing needs to be done on the userʼs system to forward supported web traffic over to the proxy. There is no need to reconfigure the browser or publish a PAC file. Everything is transparent to the end user, hence the name. This makes it easier to incorporate new users into a proxy deployment.

You can use the transparent proxy to apply web authentication to HTTP traffic accepted by a firewall policy.

Normal FortiProxy authentication is IP-address based. Users are authenticated according to their IP address and access is allowed or denied based on this IP address. On networks where authentication based on IP address will not work, you can use the transparent web proxy to apply web authentication that is based on the user's browser and not on their IP address. This authentication method allows you to identify individual users even if multiple users on your network are connecting to the FortiProxy unit from the same IP address.

Explicit web proxy topologies

You can configure a FortiProxy unit to be an explicit web proxy server for Internet web browsing of IPv4 and IPv6 web traffic. To use the explicit web proxy, users must add the IP address of the FortiProxy interface configured for the explicit web proxy to their web browser proxy configuration.

Explicit web proxy topology

If the FortiProxy unit supports web caching, you can also add web caching to the security policy that accepts explicit web proxy sessions. The FortiProxy unit then caches Internet web pages on a hard disk to improve web browsing performance.

Explicit web proxy with web caching topology