
DO NOT REPRINT

© FORTINET
Lab 8: Web Proxy

In this lab, you will learn how to configure FortiGate to be an explicit and transparent web proxy.

Objectives
- Configure FortiGate to act as a web proxy.
- Apply security policies to web proxy traffic based on HTTP headers.
- Authenticate, authorize, and monitor web proxy users.

Time to Complete
Estimated: 40 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate.

To restore the Local-FortiGate configuration file


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Select Local PC, and then click Upload.


4. Click Desktop > Resources > FortiGate-Infrastructure > Web-Proxy > local-web-proxy.conf, and then
click Open.
5. Click OK.
6. Click OK to reboot.

126 FortiGate Infrastructure 6.0 Lab Guide


Fortinet Technologies Inc.
Exercise 1: Configuring an Explicit Web Proxy

During this exercise, you will configure the FortiGate to act as an explicit web proxy. You will also configure the
FortiGate to authenticate and authorize Internet access for specific users. The authentication enforcement is
done with an authentication scheme and an authentication rule. The authorization is done by adding the allowed
user groups to the source of the proxy policy.

After that, you will manually configure Firefox with the proxy IP address and port.

Show the Explicit Web Proxy Settings

By default, the explicit web proxy settings are hidden on the GUI. You will show them.

To show the explicit web proxy settings


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click System > Feature Visibility.
3. Under the Security Features section, enable Explicit Proxy.
4. Click Apply.

Enable Explicit Web Proxy

You will enable the explicit web proxy in the network settings.

To enable explicit web proxy


1. Continuing on the Local-FortiGate GUI, click Network > Explicit Proxy.
2. Enable Explicit Web Proxy.
3. Click Listen on Interfaces, and select the interface port3.
4. In the HTTP port field, type 8080 - 8080.
5. In the HTTPS port field, select Use HTTP Port.
6. Click Apply.

Create an Authentication Scheme

You will create an authentication scheme to use the local user database for web proxy authentication.

To create an authentication scheme


1. Continuing on the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL_FORTIGATE saved
session.

2. At the login prompt, enter the user name admin and password password.
3. Enter the following commands to create the authentication scheme:
config authentication scheme
    edit WebProxyScheme
        set method form
        set user-database local
    next
end

Create an Authentication Rule

You will enforce web proxy authentication by creating an authentication rule that matches all traffic coming from
the internal subnet. You will use the authentication scheme created in the previous procedure.

To create an authentication rule


1. Continuing on the Local-FortiGate PuTTY session, enter the following commands to create the authentication
rule:
config authentication rule
    edit WebProxyRule
        set srcaddr LOCAL_SUBNET
        set active-auth-method WebProxyScheme
        set protocol http
    next
end
2. Leave the PuTTY session open (you can minimize it on your desktop).

Create a Proxy Policy

You will create the policy to allow explicit proxy traffic to access the Internet. Only the user student will be
authorized to browse the Internet through the proxy.

To create a proxy policy


1. Return to the browser tab where you are logged in to the Local-FortiGate GUI, and click Policy & Objects >
Proxy Policy.
2. Click Create New.
3. Configure the following settings:

Field                 Value
Proxy Type            Explicit Web
Enabled On            port3
Outgoing Interface    port1
Source                Address > LOCAL_SUBNET
                      User > STUDENTS (under the USER GROUP section)
Destination           all
Schedule              always
Service               webproxy
Action                ACCEPT

4. Click OK.

Configure Firefox for Explicit Web Proxy

You have configured Local-FortiGate as an explicit web proxy. Now, you will configure Firefox to use the explicit
web proxy.

To configure Firefox to use the explicit web proxy


1. Continuing on the Local-Windows VM, open Firefox and click the Open Menu icon in the upper-right corner.

2. Click Options.


3. Scroll down to the Network Proxy section, and click Settings.

4. Select Manual proxy configuration, and configure the following settings:

Field         Value
HTTP Proxy    10.0.1.254
Port          8080

5. Select Use this proxy server for all protocols.
6. In the No Proxy for field, add the subnet 10.0.1.0/24 (separated by a comma).
This list contains the names, IP addresses, and subnets of websites that will be exempted from using the
proxy.

7. Click OK.
8. Close Firefox.

Test the Explicit Web Proxy Configuration

You will test the explicit web proxy configuration.

To test the explicit web proxy configuration


1. Continuing on the Local-Windows VM, open Firefox, and browse to any HTTP website, such as:
- http://www.pearsonvue.com/fortinet/
- http://cve.mitre.org
- http://www.eicar.org
FortiGate will request authentication.

2. Use the following credentials:

Field        Value
User Name    student
Password     fortinet

After entering these credentials, you should have Internet access through the explicit web proxy.

List the Active Explicit Web Proxy Users

You will execute a CLI command to display the list of active web proxy users.

To list the active web proxy users


1. Return to your Local-FortiGate PuTTY session, and type the following CLI command to check the list of active
web proxy users:

# diagnose wad user list

List the Active Explicit Web Proxy Sessions

For each explicit web proxy connection to a website, two TCP connections are usually created: one from the client
to the proxy, and one from the proxy to the server.

You will run some debug commands to list the sessions established between the client and the proxy. Then, you
will list the sessions established between the proxy and the servers.

To list the active explicit web proxy sessions between the client and the proxy
1. Continuing on the Local-Windows VM, open a few tabs in Firefox, and generate some HTTP traffic, such as:
- http://www.pearsonvue.com/fortinet/
- http://cve.mitre.org
- http://www.eicar.org
2. Return to the Local-FortiGate PuTTY session, and type these CLI commands:

diagnose sys session filter clear
diagnose sys session filter dport 8080
diagnose sys session list

You can also use the grep command to display only the source and destination IP addresses and ports for
each session:
diagnose sys session list | grep hook=pre

3. Now browse the websites you just launched.


4. Review the Local-FortiGate PuTTY session output.

Stop and think!
Why is the source IP address of all those sessions 10.0.1.10?

Why is the destination IP address of all those sessions 10.0.1.254?

Why don’t you see any public IP address listed in those sessions?

Two TCP sessions are usually created for any client-to-server connection that goes through an explicit web
proxy: one from the client to the proxy, and one from the proxy to the server. By using the destination port
8080 as the filter, you are listing only the sessions from the client (10.0.1.10) to the proxy's internal
interface (10.0.1.254).

5. Close your browser.

To list the active explicit web proxy sessions between the proxy and the servers
1. Continuing on the Local-Windows VM, open a few tabs in Firefox, and generate some HTTP traffic, such as:
- http://www.pearsonvue.com/fortinet/
- http://cve.mitre.org
- http://www.eicar.org
2. Return to the Local-FortiGate PuTTY session, and type these CLI commands:

diagnose sys session filter clear
diagnose sys session filter dport 80
diagnose sys session list | grep hook=out

3. Now browse the websites you just launched.


4. Review the Local-FortiGate PuTTY session output.

Stop and think!


Why is the source IP address of all these sessions 10.200.1.1?

Why don’t you see the IP address of the Windows server (10.0.1.10)?

By using the destination port 80 as the filter, you are listing only the sessions from the proxy's external
interface (10.200.1.1) to the server. The client's IP, in these cases, is not the source or the destination.
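The two-leg session model behind both "Stop and think!" answers, as an added example that is not part of the lab guide: it parses constructed session lines in the shape the lab's grep filters select (the exact field layout is an assumption) and applies the same dport filters, showing that the 8080 list never contains a public address and the 80 list never contains the client.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape the lab's `grep hook=pre` and `grep hook=out`
# filters select (the exact field layout is an assumption); the addresses are the
# lab's: client 10.0.1.10, proxy internal 10.0.1.254, proxy external 10.200.1.1.
# The server addresses are documentation-range placeholders.
SAMPLE_SESSIONS = """\
hook=pre dir=org act=noop 10.0.1.10:49812->10.0.1.254:8080(0.0.0.0:0)
hook=pre dir=org act=noop 10.0.1.10:49813->10.0.1.254:8080(0.0.0.0:0)
hook=out dir=org act=noop 10.200.1.1:31120->203.0.113.20:80(0.0.0.0:0)
hook=out dir=org act=noop 10.200.1.1:31121->203.0.113.45:80(0.0.0.0:0)
"""

SESSION_RE = re.compile(
    r"hook=(?P<hook>\w+) .*?(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_sessions(text):
    """One dict per session line: hook, src, sport, dst, dport (ports as int)."""
    sessions = []
    for line in text.splitlines():
        match = SESSION_RE.search(line)
        if match:
            s = match.groupdict()
            s["sport"], s["dport"] = int(s["sport"]), int(s["dport"])
            sessions.append(s)
    return sessions

def filter_dport(sessions, dport):
    """Same selection as `diagnose sys session filter dport <port>` before listing."""
    return [s for s in sessions if s["dport"] == dport]

def endpoints(sessions):
    """Every IP address that appears as a source or destination in the list."""
    return {ip for s in sessions for ip in (s["src"], s["dst"])}

def legs(sessions, proxy_ips):
    """Split sessions into the client->proxy leg and the proxy->server leg."""
    split = defaultdict(list)
    for s in sessions:
        if s["dst"] in proxy_ips:
            split["client_to_proxy"].append(s)
        elif s["src"] in proxy_ips:
            split["proxy_to_server"].append(s)
    return split

if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSIONS)
    print("dport 8080 endpoints:", sorted(endpoints(filter_dport(sessions, 8080))))
    print("dport 80 endpoints:  ", sorted(endpoints(filter_dport(sessions, 80))))
```

Because the two legs share no address tuple, the session table alone cannot tie a client to the destination it visited; that correlation needs the proxy's own user list and logs.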

Exercise 2: Configuring the Transparent Web Proxy

During this exercise, you will configure the FortiGate to act as a transparent web proxy. You will use a proxy
address to selectively block web traffic to the Fortinet website while allowing traffic to other destinations.

Disable the Explicit Web Proxy in Firefox

With transparent web proxy, browsers do not need to be explicitly configured to send traffic to the proxy
IP address. HTTP packets are transparently inspected by the proxy as they flow from the client to the server.

To disable the explicit web proxy in Firefox


1. On the Local-Windows VM, open Firefox.
2. In the upper-right corner, click the Open Menu icon.

3. Click Options.
4. Scroll down to the Network Proxy section and click Settings.
5. Select No proxy.

6. Click OK.
7. Close Firefox.

Redirect the Traffic to the Transparent Web Proxy

To transparently redirect HTTP packets to the web proxy, the web traffic must match an allowed firewall policy
that is using a proxy options profile with the setting HTTP Policy Redirect enabled. So, you will create a proxy
options profile with this setting enabled and assign it to the outbound firewall policy.

To create a proxy options profile


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click Security Profiles > Proxy Options.
3. In the upper-right corner, click the plus (+) icon to create a new proxy options profile.

4. Complete the following:

Field                   Value
Name                    HTTP_Redirect
HTTP Policy Redirect    <enable>

5. Click OK.

To apply the proxy profile to the firewall policy


1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Edit the Full_Access firewall policy that goes from port3 to port1.
3. Under the Security Profiles section, change the Proxy Options profile to HTTP_Redirect.

4. Click OK.

Create the Proxy Policies

You will create two proxy policies. One policy will block traffic to any hostname that contains eicar.org. The
other policy will allow traffic to any other destination. For the first policy, you will use a proxy address to match
traffic using the information in the host field of the HTTP headers.

To create a proxy address


1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Addresses.
2. Click Create New, and then click Address.
3. Configure the following settings:

Field                 Value
Category              Proxy Address
Name                  EICAR
Type                  Host Regex Match
Host Regex Pattern    .*eicar\.org

Note that the regex pattern that you entered starts with a dot.

4. Click OK.

Take the Expert Challenge!


On the Local-FortiGate GUI (10.0.1.254), complete the following:

- Configure the first proxy policy to block traffic to the EICAR website using the proxy address created in To
create a proxy address on page 137.
- Configure a second proxy policy to allow all other traffic.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Testing the Transparent Web Proxy on page 138.

To create a proxy policy to block traffic to the Fortinet web site


1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Proxy Policy.
2. Click Create New.
3. Configure the following settings:

Field                 Value
Proxy Type            Transparent Web
Incoming Interface    port3
Outgoing Interface    port1
Source                LOCAL_SUBNET
Destination           EICAR (under the PROXY ADDRESS section)
Schedule              always
Service               webproxy
Action                DENY

4. Click OK.

To create a proxy policy to allow traffic to other destinations


1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Proxy Policy.
2. Click Create New.
3. Configure the following settings:

Field                 Value
Proxy Type            Transparent Web
Incoming Interface    port3
Outgoing Interface    port1
Source                LOCAL_SUBNET
Destination           all
Schedule              always
Service               webproxy
Action                ACCEPT

4. Click OK.
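A model of how the two transparent proxy policies classify a request by its Host header, as an added example that is not FortiGate code: the regex is the lab's EICAR proxy address, while the constructed requests, the unanchored search semantics, and top-down first-match evaluation in creation order are assumptions.

```python
import ipaddress
import re

# Constructed sample requests (not captured in the lab); the transparent proxy
# classifies each one by the value of its Host header.
REQUESTS = [
    "GET / HTTP/1.1\r\nHost: www.eicar.org\r\n\r\n",
    "GET /fortinet/ HTTP/1.1\r\nHost: www.pearsonvue.com\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: cve.mitre.org\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: eicar.org.example.test\r\n\r\n",  # merely contains eicar.org
    "GET / HTTP/1.1\r\nHost: www.eicarxorg\r\n\r\n",           # escaped '.' does not match 'x'
]

# The lab's proxy address (Host Regex Match) and its two transparent proxy
# policies in creation order. Unanchored search semantics are an assumption.
EICAR = re.compile(r".*eicar\.org")
POLICIES = [
    {"name": "block-eicar", "src": "10.0.1.0/24", "dst": EICAR, "action": "DENY"},
    {"name": "allow-rest", "src": "10.0.1.0/24", "dst": None, "action": "ACCEPT"},
]

def host_header(raw_request):
    """Return the Host header value (lowercased) of a raw HTTP/1.x request, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower()
    return None

def evaluate(src_ip, raw_request):
    """First-match, top-down evaluation of the policy list; returns (policy name, action)."""
    host = host_header(raw_request)
    src = ipaddress.ip_address(src_ip)
    for policy in POLICIES:
        if src not in ipaddress.ip_network(policy["src"]):
            continue
        if policy["dst"] is not None and (host is None or not policy["dst"].search(host)):
            continue
        return policy["name"], policy["action"]
    return None, "DENY"  # implicit deny when no policy matches

if __name__ == "__main__":
    for req in REQUESTS:
        print(host_header(req), "->", evaluate("10.0.1.10", req))
```

Because the pattern is not anchored at the end, it also matches any host that merely contains eicar.org; for a deny rule that is over-broad but fails closed, so tighten the pattern only if legitimate hosts are being blocked.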

Testing the Transparent Web Proxy

You will test the two transparent proxy policies.

To test the transparent web proxy
1. Continuing on the Local-Windows VM, open a new Firefox browser tab.
2. In the upper-right corner, click the Open Menu icon.

3. Click History and click Clear Recent History.


4. Click Clear Now.
5. Open a new browser and try to connect to www.eicar.org.
You should get an Access Denied message.

6. Try to connect to any other HTTP site, such as:
- http://www.pearsonvue.com/fortinet/
- http://cve.mitre.org
Traffic should be allowed.

7. Close your browser.
