Proxy Options
Certain inspections defined in security profiles require that the traffic be held in proxy while the inspection is carried out. When a security profile requiring the use of a proxy is enabled in a policy, the Proxy Options field is displayed. The proxy options define the parameters of how the traffic will be processed and to what level the traffic will be processed. There can be multiple security profiles of a single type. There can also be a number of unique proxy option profiles. As the requirements for a policy differ from one policy to the next, a different proxy option profile for each individual policy can be configured or one profile can be repeatedly applied.
The proxy options refer to the handling of the following protocols:
- HTTP
- SMTP
- POP3
- IMAP
- FTP
- NNTP
- MAPI
- DNS
- CIFS
The configuration for each of these protocols is handled separately.
Just like other components of the FortiProxy unit, different proxy option profiles can be configured to allow for granular control of the FortiProxy unit. In the case of the proxy option profiles, you need to match the correct profile to a firewall policy that is using the appropriate protocols. If you are creating a proxy option profile that is designed for policies that control SMTP traffic into your network, you only want to configure the settings that apply to SMTP. You do not need or want to configure the HTTP components.
To view the available proxy option profiles, go to Proxy Settings > Proxy Options.
Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the columns to display or to reset all the columns to their default settings. You can also drag column headings to change their order.
The following options are available:
|
Create New |
Create a proxy option profile. See Create or edit a proxy option profile and Create a CIFS proxy option. |
|
Edit |
Modify the selected proxy option profile. See Create or edit a proxy option profile. |
|
Clone |
Make a copy of the selected proxy option profile. |
|
Delete |
Remove the selected proxy option profile. |
|
Search |
Enter a search term to find in the proxy option profile list. |
|
Name |
The name of the proxy option profile. |
|
Read Only |
The |
|
Comments |
An optional description of the proxy option profile. |
|
Ref. |
Displays the number of times the object is referenced to other objects. To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object. |
Video streaming splitting
The following are the most popular audio/video streaming protocols:
- Real-time Transport Protocol (RTP)
- Real Time Streaming Protocol (RTSP )
- MPEG-Dynamic Adaptive Streaming over HTTP (DASH)
- Apple HTTP Live Streaming (HLS)
- Adobe HTTP Dynamic Streaming (HDS)
- Microsoft Smooth Streaming (MSS)
To deliver streams smoothly and transmit as much information as possible, video stream splitting splits streams into fragments, and their size is negotiated dynamically between the client and server. Sometimes, the fragment is kept unchanged. The default fragment sizes are 64 bytes for audio data and 128 bytes for video data and most other data types. Fragments from different streams can then be interleaved and multiplexed over a single connection. Streams can carry, for example, video and one or more audio channels, next to a control channel to control the streams. This is like an FTP command versus data session.
FortiProxy supports Apple HLS and MPEG-DASH stream splitting, which can be transferred over HTTP(S) or TCP port 1935.
Configuring TCP windows
Some file transfer applications can negotiate large TCP windows. For example, WinSCP can negotiate an initial TCP window size of about 2 GB.
The TCP window options can be used to prevent overly large initial TCP window sizes, helping avoid channel flow control issues. It allows stream‑based scan's flow control to limit peers from sending data that exceeds a policy's configured oversize limit.
To configure TCP window size options:
config firewall profile-protocol-options
edit <string>
config {ftp | ssh}
...
set stream-based-uncompressed-limit <integer>
set tcp-window-type {auto-tuning | system | static | dynamic}
set tcp-window-size <integer>
set tcp-window-minimum <integer>
set tcp-window-maximum <integer>
...
end
next
end
|
{ftp | ssh} |
|
|
stream-based-uncompressed-limit <integer> |
The maximum stream-based uncompressed data size that will be scanned, in MB (default = 0 (unlimited)). Stream-based uncompression used only under certain conditions.). |
|
tcp-window-type {auto-tuning | system | static | dynamic} |
The TCP window type to use for this protocol.
|
|
tcp-window-size <integer> |
The TCP static window size (65536 - 33554432, default = 262144). This option is only available when |
|
tcp-window-minimum <integer> |
The minimum TCP dynamic window size (65536 - 1048576, default = 131072). This option is only available when |
|
tcp-window-maximum <integer> |
The maximum TCP dynamic window size (1048576 - 33554432, default = 8388608). This option is only available when |
Handling SSL offloaded traffic from an external decryption device
In scenarios where the FortiProxy unit is sandwiched between load-balancers and SSL processing is offloaded on the external load-balancers, the FortiProxy unit can perform scanning on the unencrypted traffic by specifying the ssl-offloaded option in firewall profile-protocol-options.
To configure SSL offloading:
config firewall profile-protocol-options
edit <name>
config http
set ports <1-65535>
set ssl-offloaded {no | yes}
end
config ftp
set ports <1-65535>
set ssl-offloaded {no | yes}
end
config imap
set ports <1-65535>
set ssl-offloaded {no | yes}
end
config pop3
set ports <1-65535>
set ssl-offloaded {no | yes}
end
config smtp
set ports <1-65535>
set ssl-offloaded {no | yes}
end
config ssh
set ports <1-65535>
set ssl-offloaded {no | yes}
end
next
end
HTTP domain fronting blocking
To block HTTP domain fronting:
config firewall profile-protocol-options
edit <name>
config http
set domain-fronting block
end
next
end