Today I will write about implicit proxy configuration on fortigate in 6.2 version. I had quite a lot of problem when configuring it on lab, so here we go.
You have to enable explicit proxy feature in system/feature. No licence is required.
This kind of proxy is very usefull because you don’t have to change anything on client PC. This is totaly transparent for them. However, FGT certificat must be trusted by clients.
You have to configure an IPV4 policy in proxy inspection mode. Moreover, regarding HTTPS traffic, you have to enable http-redirect-policy (only in cli). Funny things, when it is not enable, radio button to enable this option through GUI is hidden. But when it is enable, radio button is displayed on GUI…
As you may know, in HTTPS, domain name is transmitted in clear (hello packet) but complete URL (path and parameters) is encrypted after TCP connexion is established.
Fortigate is performing actions in this order
As you can see, if ssl decryption is not enabled, proxy will be unable to filter website. After enabling ssl decryption, traffic is going again in proxy engine. So if your are going to https://amazon.com, and you have a rule blocking this website, it will not work. You have to enable at least certificate-inspection and http-policy-redirect (was before in proxy option in previous FortiOS version) on IPv4 policy.
config firewall policy
set srcintf "DATA CTS"
set dstintf "lan5"
set srcaddr "172.31.254.2"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set inspection-mode proxy
set http-policy-redirect enable
set ssl-ssh-profile "certificate-inspection"
set logtraffic disable
set fsso disable
Configuration of proxy policy is straightforward, just add website you want to block :
If you want to display a disclaimer to your users. This is how it is working :
– certificat-inspection enabled on IPV4 policy
-> Disclaimer is only showed when going to HTTP websites
– deep-inspection enabled on IPV4 policy
-> Disclaimer is showed when going to HTTP and HTTPS websites
How to troubleshoot it?