Configuring transparent proxy on fortigate

Today I will write about transparent (implicit) proxy configuration on FortiGate, FortiOS version 6.2. I had quite a lot of problems when configuring it in the lab, so here we go.

You have to enable the explicit proxy feature under System / Feature. No licence is required.
This kind of proxy is very useful because you don't have to change anything on the client PC; it is totally transparent for the users. However, the FortiGate certificate must be trusted by the clients.

You have to configure an IPv4 policy in proxy inspection mode. For HTTPS, you also have to enable http-policy-redirect (CLI only). Funny thing: while it is not enabled, the radio button for this option is hidden in the GUI, but once it is enabled, the radio button appears in the GUI…

When http-policy-redirect is disabled, there is no button

When http-policy-redirect has been enabled through the CLI, you can disable it from the GUI

As you may know, in HTTPS the domain name is transmitted in clear (in the ClientHello packet, as the SNI) but the complete URL (path and parameters) is encrypted inside the TLS session that is set up after the TCP connection is established.
The FortiGate performs actions in this order:

As you can see, if SSL decryption is not enabled, the proxy is unable to filter the website. Once SSL decryption is enabled, the traffic goes through the proxy engine again. So if you browse to https://amazon.com and you have a rule blocking this website, it will not work. You have to enable at least certificate-inspection and http-policy-redirect (which was under proxy options in previous FortiOS versions) on the IPv4 policy.
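To make the "domain name in clear, URL encrypted" point concrete, here is an added example (not code from the post or from Fortinet) that builds a real TLS ClientHello with Python's ssl module over memory BIOs, with no network access, and then parses the SNI out of it the way a firewall without SSL decryption would. The hostname-level block decision at the end is the only kind of decision possible on that data; a rule on a URL path has nothing to match against. The function names and the blocked-domain set are assumptions made for the example.

```python
import ssl
import struct


def build_client_hello(hostname: str) -> bytes:
    """Generate a real TLS ClientHello for `hostname` without any network I/O.

    The handshake is driven over memory BIOs, so the only bytes produced are the
    client's first flight: one handshake record carrying the SNI extension.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()          # writes the ClientHello, then waits for the server
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def extract_sni(data: bytes):
    """Return the server_name from a TLS ClientHello, or None if there is none.

    This is all a firewall sees in front of an HTTPS flow when SSL decryption is
    off: the hostname, never the path or the query string.
    """
    # TLS record header: content type (0x16 = handshake), version, length
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    # Handshake header: type (0x01 = ClientHello), 24-bit length
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # client_version + random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    if pos + 2 > len(body):
        return None                                         # no extensions at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        ext = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:                                   # 0 = server_name (RFC 6066)
            continue
        p = 2                                               # skip server_name_list length
        while p + 3 <= len(ext):
            name_type = ext[p]
            name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
            p += 3
            if name_type == 0:                              # host_name
                return ext[p:p + name_len].decode("ascii")
            p += name_len
    return None


def hostname_blocked(data: bytes, blocked_domains) -> bool:
    """Hostname-level decision: the only kind possible without decryption."""
    sni = extract_sni(data)
    if sni is None:
        return False
    return any(sni == d or sni.endswith("." + d) for d in blocked_domains)


if __name__ == "__main__":
    # Constructed inputs: a hostname and a one-entry block list for the demo
    hello = build_client_hello("www.example.com")
    print("SNI seen by the firewall:", extract_sni(hello))
    print("Blocked by an example.com rule:", hostname_blocked(hello, {"example.com"}))
    print("Path visible to the firewall: none, it is inside the encrypted session")
```

Run it as-is; it needs only the standard library. Swap the hostname for any name and the SNI is recovered from the bytes, while nothing about the request path exists in the ClientHello at all, which is why the FortiGate needs at least certificate-inspection plus http-policy-redirect before URL-level proxy rules can apply to HTTPS.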

config firewall policy
    edit 42
        set srcintf "DATA CTS"
        set dstintf "lan5"
        set srcaddr "172.31.254.2"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set http-policy-redirect enable
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic disable
        set fsso disable
    next
end
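The three settings above (inspection-mode proxy, http-policy-redirect enable, an ssl-ssh-profile) are easy to miss, especially since one of them is CLI only. The following added example, written for this page and not a Fortinet tool, parses a "config firewall policy" dump and reports policies that would fail to filter HTTPS. The sample dump is constructed: policy 42 is the one from the post, policy 43 is a made-up policy in proxy mode that lacks the two HTTPS-related settings. Function names are assumptions for the example.

```python
# Constructed sample: policy 42 as shown in the post, plus a constructed policy 43
# that is in proxy mode but lacks the two settings needed to filter HTTPS.
SAMPLE_CONFIG = """\
config firewall policy
    edit 42
        set srcintf "DATA CTS"
        set dstintf "lan5"
        set srcaddr "172.31.254.2"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set http-policy-redirect enable
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic disable
        set fsso disable
    next
    edit 43
        set srcintf "DATA CTS"
        set dstintf "lan5"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
    next
end
"""


def parse_firewall_policies(text: str) -> dict:
    """Parse the 'config firewall policy' section of a FortiOS CLI dump.

    Returns {policy_id: {key: value}}. Values keep the CLI string with the
    surrounding quotes removed; multi-value settings stay as one string.
    """
    policies, current, inside = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            inside = True
        elif not inside:
            continue
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            policies[current] = {}
        elif line.startswith("set ") and current is not None:
            parts = line.split(None, 2)          # 'set', key, rest-of-line value
            key = parts[1]
            value = parts[2].strip('"') if len(parts) > 2 else ""
            policies[current][key] = value
        elif line == "next":
            current = None
        elif line == "end":
            inside = False
    return policies


def audit_https_filtering(policy: dict) -> list:
    """List the settings from the post that are missing on one policy.

    A FortiOS dump omits settings that are at their default value, so an
    absent key is treated as 'not enabled' here.
    """
    findings = []
    if policy.get("inspection-mode") != "proxy":
        findings.append("inspection-mode is not proxy")
    if policy.get("http-policy-redirect") != "enable":
        findings.append("http-policy-redirect is not enabled (CLI only in 6.2)")
    if not policy.get("ssl-ssh-profile"):
        findings.append("no ssl-ssh-profile (needs at least certificate-inspection)")
    return findings


def audit_config(text: str) -> dict:
    """Audit every policy in the dump; returns {policy_id: [findings]}."""
    return {pid: audit_https_filtering(p)
            for pid, p in parse_firewall_policies(text).items()}


if __name__ == "__main__":
    for pid, findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"policy {pid}: {status}")
```

Feed it the output of "show firewall policy" instead of SAMPLE_CONFIG to check a real box; policies in flow mode are reported too, since a web-filter rule that should be enforced by the proxy engine will not be applied there.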

Configuration of the proxy policy is straightforward: just add the websites you want to block.

If you want to display a disclaimer to your users, this is how it works:
– certificate-inspection enabled on the IPv4 policy
  -> the disclaimer is only shown when going to HTTP websites
– deep-inspection enabled on the IPv4 policy
  -> the disclaimer is shown when going to HTTP and HTTPS websites
How to troubleshoot it?
Sources:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/15908/transparent-proxy
https://kb.fortinet.com/kb/documentLink.do?externalID=FD40584
https://kb.fortinet.com/kb/documentLink.do?externalID=FD45864
https://docs.fortinet.com/document/fortigate/6.2.0/parallel-path-processing-life-of-a-packet/200486/utm-ngfw-packet-flow-proxy-based-inspection
https://docs.fortinet.com/document/fortigate/6.2.2/cli-reference/253620/firewall-proxy-policy
https://kb.fortinet.com/kb/documentLink.do?externalID=FD42352
https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/235620/firewall-ssl-ssh-profile

Author: Kévin SAS

I am Kévin SAS and I live in France. I am an engineer in network and security. I have worked for a lot of customers in these domains: wireless, LAN, datacenter, VoIP, with several brands like Cisco, HPE, Aruba, Palo Alto amongst others. I previously worked for a service provider. I currently work for an integrator, which gives me lots of opportunities to learn. This blog stores some technical notes I wanted to share.
