© FORTINET
Lab 8: Web Proxy
In this lab, you will learn how to configure FortiGate to be an explicit and transparent web proxy.
Objectives
• Configure FortiGate to act as a web proxy.
• Apply security policies to web proxy traffic based on HTTP headers.
• Authenticate, authorize, and monitor web proxy users.
Time to Complete
Estimated: 40 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate.
During this exercise, you will configure the FortiGate to act as an explicit web proxy. You will also configure the
FortiGate to authenticate and authorize Internet access for specific users. The authentication enforcement is
done with an authentication scheme and an authentication rule. The authorization is done by adding the allowed
user groups to the source of the proxy policy.
After that, you will manually configure Firefox with the proxy IP address and port.
By default, the explicit web proxy settings are hidden on the GUI. You will show them.
You will create an authentication scheme to use the local user database for web proxy authentication.
2. At the login prompt, enter the user name admin and password password.
3. Enter the following commands to create the authentication scheme:
config authentication scheme
    edit WebProxyScheme
        set method form
        set user-database local
    next
end
You will enforce web proxy authentication by creating an authentication rule that matches all traffic coming from
the internal subnet. You will use the authentication scheme created in the previous procedure.
You will create the policy to allow explicit proxy traffic to access the Internet. Only the user student will be
authorized to browse the Internet through the proxy.
Field        Value
Enabled On   port3

Field        Value
Destination  all
Schedule     always
Service      webproxy
Action       ACCEPT
4. Click OK.
You have configured Local-FortiGate as an explicit web proxy. Now, you will configure Firefox to use the explicit
web proxy.
2. Click Options.
Field        Value
Port         8080
5. Select Use this proxy server for all protocols.
6. In the No Proxy for field, add the subnet 10.0.1.0/24 (separated by a comma).
This list contains the names, IP addresses, and subnets of websites that will be exempted from using the
proxy.
7. Click OK.
8. Close Firefox.
Field        Value
Password     fortinet
After entering these credentials, you should have Internet access through the explicit web proxy.
You will execute a CLI command to display the list of active web proxy users.
For each explicit web proxy connection to a website, two TCP connections are usually created: one from the client
to the proxy, and one from the proxy to the server.
You will run some debug commands to list the sessions established between the client and the proxy. Then, you
will list the sessions established between the proxy and the servers.
To list the active explicit web proxy sessions between the client and the proxy
1. Continuing on the Local-Windows VM, open a few tabs in Firefox, and generate some HTTP traffic, such as:
• http://www.pearsonvue.com/fortinet/
• http://cve.mitre.org
• http://www.eicar.org
2. Return to the Local-FortiGate PuTTY session, and type these CLI commands:
You can also use the grep command to display only the source and destination IP addresses and ports for
each session:
diagnose sys session list | grep hook=pre
Stop and think!
Why is the source IP address of all those sessions 10.0.1.10?
Why don’t you see any public IP address listed in those sessions?
Two TCP sessions are usually created for any client-to-server connection that goes through an explicit web
proxy: one from the client to the proxy, and one from the proxy to the server. By using the destination port
8080 as the filter, you are listing only the sessions from the client (10.0.1.10) to the proxy's internal
interface (10.0.1.254).
To list the active explicit web proxy sessions between the proxy and the servers
1. Continuing on the Local-Windows VM, open a few tabs in Firefox, and generate some HTTP traffic, such as:
• http://www.pearsonvue.com/fortinet/
• http://cve.mitre.org
• http://www.eicar.org
2. Return to the Local-FortiGate PuTTY session, and type these CLI commands:
Why don’t you see the IP address of the Windows server (10.0.1.10)?
By using the destination port 80 as the filter, you are listing only the sessions from the proxy's external
interface (10.200.1.1) to the server. The client's IP, in these cases, is not the source or the destination.
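As an added example (not part of the Fortinet lab, and not FortiGate code), the following Python script reproduces the reasoning of both "Stop and think" answers above on a constructed, imitation copy of the `hook=pre` lines that `diagnose sys session list` prints per session: filtering on destination port 8080 shows only the client-to-proxy leg (source 10.0.1.10, destination 10.0.1.254), and filtering on destination port 80 shows only the proxy-to-server leg (source 10.200.1.1), with the client's address absent. The sample lines, the public server addresses (RFC 5737 documentation ranges) and the exact field layout are assumptions; only the lab addresses and the proxy port 8080 come from the page.

```python
import re
from dataclasses import dataclass

# Addresses from the lab topology: Local-Windows client, Local-FortiGate internal
# and external interfaces, and the explicit web proxy port.
CLIENT = "10.0.1.10"
PROXY_INTERNAL = "10.0.1.254"
PROXY_EXTERNAL = "10.200.1.1"
PROXY_PORT = 8080

# Constructed sample in the shape of the "hook=" lines that
# `diagnose sys session list` prints for each session. This is NOT output
# captured from the lab FortiGate; the public addresses are RFC 5737 ranges.
SAMPLE_SESSION_LIST = """\
hook=pre dir=org act=noop 10.0.1.10:49731->10.0.1.254:8080(0.0.0.0:0)
hook=post dir=reply act=noop 10.0.1.254:8080->10.0.1.10:49731(0.0.0.0:0)
hook=pre dir=org act=noop 10.0.1.10:49732->10.0.1.254:8080(0.0.0.0:0)
hook=post dir=reply act=noop 10.0.1.254:8080->10.0.1.10:49732(0.0.0.0:0)
hook=pre dir=org act=noop 10.200.1.1:15188->203.0.113.20:80(0.0.0.0:0)
hook=post dir=reply act=noop 203.0.113.20:80->10.200.1.1:15188(0.0.0.0:0)
hook=pre dir=org act=noop 10.200.1.1:15189->198.51.100.7:80(0.0.0.0:0)
hook=post dir=reply act=noop 198.51.100.7:80->10.200.1.1:15189(0.0.0.0:0)
hook=pre dir=org act=noop 10.0.1.10:49800->10.0.1.254:22(0.0.0.0:0)
"""

HOOK_LINE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Session:
    src: str
    sport: int
    dst: str
    dport: int


def parse_pre_hooks(text):
    """Equivalent of `... | grep hook=pre`: keep the original-direction
    4-tuple (pre-routing hook, dir=org) of every session."""
    sessions = []
    for line in text.splitlines():
        m = HOOK_LINE.search(line)
        if m and m["hook"] == "pre" and m["dir"] == "org":
            sessions.append(Session(m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return sessions


def classify(s):
    """Name the explicit-proxy leg a session belongs to."""
    if s.dst == PROXY_INTERNAL and s.dport == PROXY_PORT:
        return "client->proxy"
    if s.src == PROXY_EXTERNAL and s.dport == 80:
        return "proxy->server"
    return "other"


def filter_by_dport(text, port):
    """The lab's two filters: port 8080 shows the client leg, port 80 the server leg."""
    return [s for s in parse_pre_hooks(text) if s.dport == port]


def leg_counts(text):
    counts = {"client->proxy": 0, "proxy->server": 0, "other": 0}
    for s in parse_pre_hooks(text):
        counts[classify(s)] += 1
    return counts


def addresses_seen(text, port):
    """Every source or destination address that appears when filtering on `port`."""
    seen = set()
    for s in filter_by_dport(text, port):
        seen.update((s.src, s.dst))
    return seen


if __name__ == "__main__":
    print(leg_counts(SAMPLE_SESSION_LIST))
    for s in parse_pre_hooks(SAMPLE_SESSION_LIST):
        print(f"{classify(s):14} {s.src}:{s.sport} -> {s.dst}:{s.dport}")
```

Running it lists each session with its leg; `addresses_seen(text, 8080)` contains only the client and the proxy's internal interface, and `addresses_seen(text, 80)` contains the proxy's external interface and the servers but never the client, which is exactly why no public address appears in the first listing and no 10.0.1.10 in the second.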
During this exercise, you will configure the FortiGate to act as a transparent web proxy. You will use a proxy
address to selectively block web traffic to the Fortinet website while allowing traffic to other destinations.
With transparent web proxy, browsers do not need to be explicitly configured to send traffic to the proxy
IP address. HTTP packets are transparently inspected by the proxy as they flow from the client to the server.
3. Click Options.
4. Scroll down to the Network Proxy section and click Settings.
5. Select No proxy.
6. Click OK.
7. Close Firefox.
Redirect the Traffic to the Transparent Web Proxy
To transparently redirect HTTP packets to the web proxy, the web traffic must match an allowed firewall policy
that is using a proxy options profile with the setting HTTP Policy Redirect enabled. So, you will create a proxy
options profile with this setting enabled and assign it to the outbound firewall policy.
Field        Value
Name         HTTP_Redirect
5. Click OK.
4. Click OK.
Create the Proxy Policies
You will create two proxy policies. One policy will block traffic to any hostname that contains eicar.org. The
other policy will allow traffic to any other destination. For the first policy, you will use a proxy address to match
traffic using the information in the host field of the HTTP headers.
Field        Value
Name         EICAR
Note that the regex pattern that you entered starts with a dot.
4. Click OK.
• Configure the first proxy policy to block traffic to the EICAR website using the proxy address created in To
create a proxy address on page 137.
• Configure a second proxy policy to allow all other traffic.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you complete the challenge, see Testing the Transparent Web Proxy on page 138.
Field        Value
Source       LOCAL_SUBNET
Schedule     always
Service      webproxy
Action       DENY
4. Click OK.
Field        Value
Source       LOCAL_SUBNET
Destination  all
Schedule     always
Service      webproxy
Action       ACCEPT
4. Click OK.
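As an added example that is not part of the lab and not FortiGate's own matching engine, the following Python script models how the two proxy policies above are evaluated against the Host field of the HTTP headers: policies are checked top to bottom, the first match wins, the EICAR policy denies any host matching a regex, and the second policy accepts everything else. The lab does not print the proxy address pattern; `.*eicar.org` is an assumed stand-in that fits the description (starts with a dot, matches any hostname containing eicar.org). The unanchored, case-insensitive search, the stricter alternative pattern, the implicit-deny fallback and the constructed HTTP request are also assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProxyPolicy:
    name: str
    host_regex: Optional[str]   # None models Destination = all
    action: str                 # "DENY" or "ACCEPT"


def extract_host(raw_request: bytes) -> Optional[str]:
    """Pull the Host header out of a raw HTTP/1.1 request (hostname or IPv4
    only; an optional :port suffix is dropped and the name is lower-cased)."""
    head = raw_request.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None


def host_matches(policy: ProxyPolicy, host: str) -> bool:
    """Unanchored, case-insensitive search: 'the hostname contains a match'.
    (Assumption about how the lab's proxy address is evaluated.)"""
    if policy.host_regex is None:
        return True
    return re.search(policy.host_regex, host, re.IGNORECASE) is not None


def evaluate(policies, host):
    """First-match lookup, top to bottom, like the lab's two proxy policies."""
    for p in policies:
        if host_matches(p, host):
            return p.name, p.action
    return None, "DENY"          # nothing matched: treated as implicit deny (assumption)


def decide(policies, raw_request: bytes):
    host = extract_host(raw_request)
    if host is None:
        return None, "DENY"      # no Host header, nothing to match on (assumption)
    return evaluate(policies, host)


# Assumed pattern for the lab's EICAR proxy address: it starts with a dot, as the
# lab notes, and matches any hostname that contains "eicar.org". The lab page
# does not print the exact pattern, so this is a stand-in.
LAB_POLICIES = [
    ProxyPolicy("EICAR", r".*eicar.org", "DENY"),
    ProxyPolicy("Allow_Other", None, "ACCEPT"),
]

# Stricter alternative (also assumed, not from the lab): the unescaped dot in
# "eicar.org" matches ANY character, so "eicarXorg.example" would be blocked as
# well. Escaping the dot and anchoring limits the match to eicar.org and its
# subdomains.
STRICT_POLICIES = [
    ProxyPolicy("EICAR", r"(^|\.)eicar\.org$", "DENY"),
    ProxyPolicy("Allow_Other", None, "ACCEPT"),
]

# Constructed request, not captured traffic.
SAMPLE_REQUEST = b"GET / HTTP/1.1\r\nHost: www.eicar.org:80\r\nUser-Agent: lab\r\n\r\n"


if __name__ == "__main__":
    for host in ("www.eicar.org", "secure.eicar.org", "eicarXorg.example", "www.example.com"):
        print(f"{host:20} lab={evaluate(LAB_POLICIES, host)}  strict={evaluate(STRICT_POLICIES, host)}")
    print(decide(LAB_POLICIES, SAMPLE_REQUEST))
```

Running it prints the decision for a few hostnames under both policy sets. The `eicarXorg.example` line is the caveat worth remembering when writing a proxy address regex: an unescaped dot matches any character, so escape it (and anchor the pattern) when the intent is the eicar.org domain and its subdomains rather than any string that happens to contain those characters.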
To test the transparent web proxy
1. Continuing on the Local-Windows VM, open a new Firefox browser tab.
2. In the upper-right corner, click the Open Menu icon.