Customizing the PAC file
FortiSASE secure web gateway (SWG) agentless mode involves configuring and hosting a proxy autoconfiguration (PAC) file for respective endpoints to connect to the FortiSASE gateway.
A PAC file is based on JavaScript and contains rules for the proxy client to follow to route traffic to the proxy server or directly to the Internet. For FortiSASE SWG users:
- The proxy client is a web browser or another proxy-aware application.
- The proxy server is the FortiSASE SWG.
- Routing traffic to the proxy uses the FortiSASE SWG as a web proxy.
- Routing traffic directly to the Internet bypasses the FortiSASE SWG.
Typically, some web applications require traffic to be routed directly to the Internet for specific domains which do not support redirection for security reasons or are required for authentication, such as common SAML identity providers, to load correctly. In these cases, you must customize the PAC file with specific IP addresses and hostnames, and then host the custom PAC file on a server that the endpoints can access.
The workflow for customizing and using a PAC file is as follows:
- FortiSASE provides a preconfigured PAC file hosted on the FortiSASE server for use. Download the PAC file to a computer for editing.
- Customize the PAC file in a text editor to exclude certain hosts from being proxied.
- Host the custom PAC file on a server accessible by the endpoints.
- On an endpoint, download and install the SWG certificates provided in the FortiSASE portal.
- On an endpoint, install and configure the client browser or OS settings to point to the hosted custom PAC file.