DO NOT REPRINT

FORTINET

Explicit Proxy

In this lesson, we will show you how your web browsers can use FortiGate as an explicit proxy.

DO NOT REPRINT
FORTINET

Explicit Proxy

After completing this lesson, you should have these practical skills.
You will learn how to configure both FortiGate and the web browsers that will use it as an explicit proxy.
Since you can alternatively use an implicit proxy, we will also explain why in some cases you might want
an explicit proxy instead.

DO NOT REPRINT
FORTINET

Explicit Proxy

A proxy receives or intercepts requests from a client to a server. If allowed, and if no cache is available,
it forwards the request to the server on behalf of the client.
Two sessions are created: one from the client to the proxy, and another one from the proxy to the server.
How is this different from an implicit proxy, sometimes called a transparent proxy?

DO NOT REPRINT
FORTINET

Explicit Proxy

An implicit proxy server does not require any configuration change on the clients. Clients continue to use
the web just like they would without a proxy.
Clients send requests to the web servers IP address and port number. The proxy intercepts the clients
requests transparently that is, at the IP layer, the destination address doesnt change.
Does this mean that implicit proxies dont require any configuration changes, anywhere? Not
necessarily.
Usually, both incoming and outgoing traffic is routed through FortiGate. As a result, web browsing is
already being routed through FortiGate, where it can be intercepted by the transparent proxy. But if
clients traffic isnt currently routed through FortiGate, then you must reconfigure routing so that the
packets will be routed through FortiGate, where the implicit proxy can intercept.

DO NOT REPRINT
FORTINET

Explicit Proxy

How is an explicit proxy different?

With explicit proxy servers, you must configure clients to send the requests to the proxys IP address, not
the web sites servers. But because clients are specifically sending web traffic to your FortiGate, though,
you shouldnt need to reconfigure any routers.
Methods vary by web browser or other HTTP client.

DO NOT REPRINT
FORTINET

Explicit Proxy

How do you configure users web browsers to use an explicit web proxy?
In large networks, you wont configure the browser settings individually, on each computer; instead, for
example, you may use an Active Directory login script or roaming profile.
Alternatively, you can configure browsers to use an explicit proxy by installing PAC file, or using the web
proxy autodiscovery protocol (WAPD).
Lets look at each.

DO NOT REPRINT
FORTINET

Explicit Proxy

With manual configuration, you must provide one proxys FQDN or IP address. It is limited to only one
proxy.
If you want to exempt specific IP addresses, subnets and FQDNs from using the proxy, you can add
them to a list. For those destinations, the browser will send requests directly to the web servers.

DO NOT REPRINT
FORTINET

Explicit Proxy

The second possible method is a standard explicit auto-configuration file, called a PAC file. A PAC file
contains instructions that tell the browser when to use a proxy, and which proxy to use, depending on the
destination.
This method supports use of multiple proxy servers.
To deploy the PAC file, first you must install it on an HTTP server that the clients can reach. (Your
FortiGate can act as the HTTP server for the PAC file.) Then you must configure all browsers with the
PAC files URL. Again, in larger networks, you usually wont do this individually; instead, you will use
your domain to define the PAC files URL.

DO NOT REPRINT
FORTINET

Explicit Proxy

What does a PAC file contain?

A PAC file is a JavaScript. When browsers run it, determines whether the request will be proxied, and
what the addresses should be in packets, including in the URL and Host: header at the Layer 7 HTTP
layer.
In this example:
The PAC file allows any connection to example.com to bypass the proxy.
Connections to servers in the 10.0.0.0/24 subnet use the proxy named fastproxy.example.com
whose FQDN is resolved to an IP address by a DNS query at the time of the request, so it could be
separate for clients on the private vs. public network.
All other requests are made through proxy.example.com.

DO NOT REPRINT
FORTINET

Explicit Proxy

Browsers can automatically discover the URL where the PAC files is located via the web proxy autodiscovery protocol.
There are two methods you can use to do this. One is to use a DNS server; the other is to use a DHCP
server.
Most browsers try the DHCP method first. If it fails, they try the DNS method.

DO NOT REPRINT
FORTINET

Explicit Proxy

(slide contains animation)

With the DHCP method, the browser sends a DHCPINFORM request to the DHCP server. The DHCP
server replies with PAC files URL.
(click)
The browser downloads the PAC file.

DO NOT REPRINT
FORTINET

Explicit Proxy

(slide contains animation)

The DNS method is very similar; differences are in the required PAC URL.
First, the browser queries the DNS server to resolve the FQDN wpad.<local-domain>.
(click)
The DNS server replies with the IP address of the web server (in this case, a FortiGate) where the
browser can download the PAC file. This method always uses TCP port 80 and the PAC file name
wpad.dat.
(click)
The browser downloads the PAC file, then accesses the web through the proxies indicated in the PAC
file.

DO NOT REPRINT
FORTINET

Explicit Proxy

Usually, you will enable the proxy to cache responses from web servers.
A web cache stores responses from web servers so that the next time a client requests the same thing,
FortiGate can quickly send the cached content, instead of forwarding the request and waiting for the
response. This reduces WAN bandwidth usage, server load, and delay. We will review how web caching
works in the next slides.

DO NOT REPRINT
FORTINET

Explicit Proxy

(slide contains animation)

If youve enabled caching, when the client makes a request, the proxy checks first if the URL that the
client requested is already in memory.
(click)
If it is not, the proxy forwards the request to the server. When it responds, FortiGate stores the response
in memory that is, it adds content to its cache.
(click)
The proxy also forwards a copy of the content to the client.

DO NOT REPRINT
FORTINET

Explicit Proxy

(slide contains animation)

If any client using FortiGates proxy requests the exact same URL
(click)
FortiGate will recognize it, and immediately forward a copy of that content from the cache to the client.
Unless the content on the server has changed, the proxy does not need to request content from the
server again, so from the clients perspective, each response after the initial request is faster.
Notice that because dynamic URLs are not exactly the same, and their content may be personalized for
each client, dynamic URLs are usually not cached.

DO NOT REPRINT
FORTINET

Explicit Proxy

Given that cache consumes system resources, do you want all users to be able to use the cache?
You can configure FortiGates HTTP proxy to allow access only to authenticated users that belong to
specific user groups. Authentication can be either based on either source IP address or HTTP session
cookies.
How should you decide which to use?
IP-based authentication requires less RAM to remember the authenticated sessions. However, it should
only be used when each user has a different IP address from the perspective of the source address in
the IP header.
If your users are behind source NAT, such as with a remote office that uses Internet sharing, use HTTP
session-based authentication instead. In this mode, each browser inserts an HTTP cookie in its
requests. The cookie identifies the users sessions. This method requires slightly more RAM because
FortiGate must remember all session cookies. However, it can even differentiate the same person using
multiple accounts multiple tabs in multiple browsers.

DO NOT REPRINT
FORTINET

Explicit Proxy

What does the traffic flow look like when a user authenticates with the explicit proxy, using HTTP
session-based authentication?
If a user connects and the request doesnt have any associated authentication session, first FortiGate
replies to the browser, requesting login credentials. The browser prompts the user to authenticate, and
remembers the authenticated state by storing a cookie.
If the same user makes more requests later, the browser automatically sends the same cookie again.
FortiGate identifies the user via a lookup in its table of current session cookies, so the user does not
need to authenticate for every request only the first time.

DO NOT REPRINT
FORTINET

Explicit Proxy

These are the steps for configuring a FortiGate as an explicit web proxy. We will show the details of
each step next.

DO NOT REPRINT
FORTINET

Explicit Proxy

By default, the explicit web proxy settings are hidden in the GUI. To show them, in the dashboards
Features widget, enable explicit proxy.

DO NOT REPRINT
FORTINET

Explicit Proxy

Once explicit proxy settings are visible in the GUI, you can enable and configure them.
You can configure the TCP port where the proxy is listening, edit and upload the PAC file, and choose
the default action that FortiGate will take if there is any traffic that doesnt match a proxy policy.
We will talk about the proxy policies later.

DO NOT REPRINT
FORTINET

Explicit Proxy

After enabling the explicit web proxy globally, you must specify which on which interfaces the proxy will
listen for connections.

DO NOT REPRINT
FORTINET

Explicit Proxy

The next step is to create explicit proxy policies to specify which traffic and users are allow to use the
proxy. Starting from FortiOS 5.2, policies for explicit proxy are configured in a different configuration
section than the regular firewall policies.
Proxy traffic can be inspected. We can do antivirus, web filtering, application control and IPS inspection.
Additionally, the use of web caching can be enabled or disabled per policy.
When the proxy traffic matches a proxy policy, the FortiGate take one of three possible actions: Accept
the traffic, deny it, or request authentication before accepting it.

DO NOT REPRINT
FORTINET

Explicit Proxy

If you select authentication as the action, you will be presented with the option to add authentication
rules. These rules specify which users and users groups are allowed, and what kind of inspection is
going to be done over each of them.

DO NOT REPRINT
FORTINET

Explicit Proxy

Authentication for the explicit proxy behaves differently than it usually does for firewall policies.
With the explicit proxy, FortiGate will not fall through to try the next authentication rule.
FortiGate always applies the first policy that matches all criteria: the source IP address, the destination
IP address, and the outgoing interface. It doesnt evaluate any policy after the first match, even if the
user failed to authenticate with the first rule.
Lets look at an example next.

DO NOT REPRINT
FORTINET

Explicit Proxy

In this example, the first proxy policy matches traffic from 10.0.1.0/24. It only allows the user named
Student.
The second policy allows traffic without authentication only if the source address matches 10.0.0.0/8.
With this configuration, if traffic arrives from the 10.0.1.0/24 subnet, and that user has not authenticated
yet, then FortiGate prompts the user to authenticate. Traffic from that source IP address always matches
the first policy, and FortiGate does not continue to evaluate other policies in the list after it finds a match.
So FortiGate never applies the second policy for that subnet only for the rest of 10.0.0.0/8.

DO NOT REPRINT
FORTINET

Explicit Proxy

In the CLI, if you disable the setting strict-guest, then all users that do not belong to any user
group in the proxy policy will be treated as if they belong to a group named SSO_guest_user. In this
way, you can control their access even if the users cannot authenticate.

DO NOT REPRINT
FORTINET

Explicit Proxy

Like with firewall policies, when creating proxy policies, you use firewall address objects to specify the
source and destination.
With HTTP, the destination may appear in both the IP headers destination field, and the HTTP headers
Host: field. They arent always the same. Usually, the Host: header is a FQDN, indicating possibly
an Apache virtual host; it is not usually an IP address. But at the IP layer, the destination field always
contains an IP address. So if you are matching by using the IP Range object, keep in mind which layer
you are matching, and the effects of NAT at both layers.
Are IP addresses and domain names the only way you can use to match traffic with a proxy rule? No.
One type of firewall address object can only be used in proxy policies: the URL pattern object type. The
proxy can match policies based on the requested URL (not only the destination IP address). URL
address objects are used for that purpose.

DO NOT REPRINT
FORTINET

Explicit Proxy

In this example of the use of an URL Address object, the first proxy policy allows unrestricted access to
the URL update.microsoft.com. No authentication is required.
All other traffic would match the second policy, which enforces authentication when accessing any other
URL.

DO NOT REPRINT
FORTINET

Explicit Proxy

If you are using the WPAD DNS method to configure the browser, you may need to edit the PAC file to
indicate the file name and listening port number.
As we explained before, the DNS method always assumes that the PAC file is located at:
http://<FortiGate_IP_Address>:80/wpad.dat
So if your clients use the DNS method, you must configure FortiGate to offer the PAC file named
wpad.dat, and to listen for requests for it on port 80.

DO NOT REPRINT
FORTINET

Explicit Proxy

Also, you must check that the Local Domain Name setting is properly configured.
This indicates which requests that FortiGate will reply to; FortiGate will only reply if clients requests for
the WPAD file match the FortiGates own HTTP Host: header.

DO NOT REPRINT
FORTINET

Explicit Proxy

Once the web proxy is working, you can monitor which users that are connected to it that is, the
proxys session table. You can do this from the GUI, or from the CLI by using the command:
diagnose wad user list
You can also remove all entries from the list of users that are currently
authenticated with the proxy.

DO NOT REPRINT
FORTINET

Explicit Proxy

Here is a review of what we discussed.

We reviewed some explicit web proxy concepts. We also showed how to configure and monitor a
FortiGate that is acting as an explicit web proxy, and how to configure web browsers to use the proxy.
Depending on your situation, we explained that some configuration choices require more RAM, and
require specific FortiGate port numbers. Finally, we showed how to see which users are currently
authenticated with the explicit proxy.