Description
By default, explicit proxy users have the ability to browse an HTTP or HTTPS website on any destination port, such as http://portquiz.net:81/.
However, configuring the FortiOS explicit proxy to only allow requests for certain destination ports and/or protocols is often desired for an organization with more strict security requirements.
This article describes how to use the CLI to modify an existing explicit proxy firewall policy to meet these requirements.
Note that this restricts the proxy <-> website side of the connection (the destination port the proxy connects to, based on the URL the user requests in the web browser), not the explicit proxy “listening port” on the user <-> proxy side of the connection (for example, port 8080).
Scope
FortiGates running FortiOS 5.2, 5.4, or 5.6 that have the explicit proxy feature enabled and configured.
Solution
Solution – GUI Method
All screenshots and CLI commands are taken from FortiOS 5.6.2.
1.) Under Policy & Objects > Services, create the explicit proxy service objects representing the protocols and/or destination ports for which the explicit proxy is to allow traffic.
2.) Identify the existing explicit proxy policy ID number that is to be restricted under Policy & Objects > Proxy Policy.
Note that on FortiOS 5.4 and 5.2, this is under Policy & Objects > Explicit Proxy Policy.
3.) Use the CLI to replace the default service object on the explicit proxy policy with the new service objects that were created in step 1.
Note that in FortiOS 5.2 and 5.4, the configuration is done under “config firewall explicit-proxy-policy” instead of “config firewall proxy-policy”.
config firewall proxy-policy
    edit 1
        set service "proxy-http-80" "proxy-connect-443"
    next
end
Solution – CLI Method
1.) Create the explicit proxy service objects representing the protocols and/or destination ports for which the explicit proxy is to allow traffic.
config firewall service custom
    edit "proxy-http-80"
        set proxy enable
        set protocol HTTP
        set tcp-portrange 80
    next
    edit "proxy-connect-443"
        set proxy enable
        set protocol CONNECT
        set tcp-portrange 443
    next
end
2.) Identify the existing explicit proxy policy ID number that is to be restricted.
Note that in FortiOS 5.2 and 5.4, the configuration is done under “config firewall explicit-proxy-policy” instead of “config firewall proxy-policy”.
config firewall proxy-policy
    show
3.) Use the CLI to replace the default service object on the explicit proxy policy with the new service objects that were created in step 1.
Note that in FortiOS 5.2 and 5.4, the configuration is done under “config firewall explicit-proxy-policy” instead of “config firewall proxy-policy”.
config firewall proxy-policy
    edit {policy ID number}
        set service "proxy-http-80" "proxy-connect-443"
    next
end
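After the change, a practitioner usually wants to confirm which destination ports and protocols each proxy policy still permits, rather than trusting the edit by eye. The following Python script is an added example written for this article; it is not Fortinet code and does not talk to a FortiGate. It parses the “show” output of the two tables edited above (the service objects and the proxy policies), resolves each policy’s “set service” list into (protocol, port range) rules, and answers whether a browser request such as http://portquiz.net:81/ would be forwarded. The sample configuration text is constructed for the example and modelled on the CLI in this article; the “webproxy” entry stands in for the default any-port proxy service, and the mapping of http:// requests to the HTTP service protocol and https:// requests to CONNECT is an assumption stated in the code.

```python
import shlex
from dataclasses import dataclass

# Constructed sample text modelled on the 'show' output of the two FortiOS tables
# this article edits. It is not captured from a real FortiGate; the "webproxy"
# entry is an assumed stand-in for the default any-port proxy service.
SAMPLE_SERVICES = """
config firewall service custom
    edit "proxy-http-80"
        set proxy enable
        set protocol HTTP
        set tcp-portrange 80
    next
    edit "proxy-connect-443"
        set proxy enable
        set protocol CONNECT
        set tcp-portrange 443
    next
    edit "webproxy"
        set proxy enable
        set protocol ALL
        set tcp-portrange 0-65535
    next
end
"""

SAMPLE_POLICY = """
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set srcaddr "all"
        set dstaddr "all"
        set service "proxy-http-80" "proxy-connect-443"
        set action accept
    next
    edit 2
        set proxy explicit-web
        set service "webproxy"
        set action accept
    next
end
"""


@dataclass(frozen=True)
class ProxyService:
    name: str
    protocol: str      # HTTP, CONNECT, ALL, ...
    tcp_ranges: tuple  # ((lo, hi), ...) destination port ranges


def parse_table(text):
    """Parse a FortiOS 'config / edit / set / next / end' table into {entry: {key: [values]}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = entries.setdefault(line[5:].strip().strip('"'), {})
        elif line.startswith("set ") and current is not None:
            key, _, rest = line[4:].partition(" ")
            current[key] = shlex.split(rest)  # shlex drops the surrounding quotes
        elif line in ("next", "end"):
            current = None
    return entries


def parse_portrange(tokens):
    """'80', '0-65535' or 'dst-range:src-range' tokens -> tuple of (lo, hi) destination ranges."""
    ranges = []
    for tok in tokens:
        dst = tok.split(":", 1)[0]  # keep only the destination side of dst:src
        lo, _, hi = dst.partition("-")
        ranges.append((int(lo), int(hi) if hi else int(lo)))
    return tuple(ranges)


def load_services(text):
    """Return only the services a proxy policy can reference (set proxy enable)."""
    services = {}
    for name, attrs in parse_table(text).items():
        if attrs.get("proxy", ["disable"])[0] != "enable":
            continue
        services[name] = ProxyService(name, attrs.get("protocol", ["ALL"])[0],
                                      parse_portrange(attrs.get("tcp-portrange", [])))
    return services


def allowed_destinations(policy_text, services):
    """{policy id: [(protocol, lo, hi), ...]} built from each policy's 'set service' list."""
    allowed = {}
    for pid, attrs in parse_table(policy_text).items():
        rules = []
        for svc_name in attrs.get("service", []):
            svc = services.get(svc_name)
            if svc is None:
                continue  # unknown or non-proxy service: it cannot match proxied traffic
            rules.extend((svc.protocol, lo, hi) for lo, hi in svc.tcp_ranges)
        allowed[pid] = rules
    return allowed


def request_permitted(allowed, policy_id, scheme, port):
    """Would a browser request through this policy reach the destination port?
    Assumption: http:// URLs are matched as HTTP and https:// URLs as CONNECT,
    the tunnel method browsers use through an explicit proxy."""
    wanted = "HTTP" if scheme == "http" else "CONNECT"
    return any(proto in (wanted, "ALL") and lo <= port <= hi
               for proto, lo, hi in allowed.get(policy_id, []))


def unrestricted_policies(allowed):
    """Policy IDs that still permit any protocol to any port (the default behaviour)."""
    return sorted(pid for pid, rules in allowed.items()
                  if any(proto == "ALL" and lo <= 1 and hi >= 65535 for proto, lo, hi in rules))


if __name__ == "__main__":
    services = load_services(SAMPLE_SERVICES)
    allowed = allowed_destinations(SAMPLE_POLICY, services)
    for pid in allowed:
        print(f"policy {pid}: http://host:81/ permitted = {request_permitted(allowed, pid, 'http', 81)}")
    print("policies still allowing any port:", unrestricted_policies(allowed))
```

Paste the real “show” output of “config firewall service custom” and “config firewall proxy-policy” (or “explicit-proxy-policy” on 5.2/5.4) in place of the sample strings; any policy listed by unrestricted_policies still carries the default any-port service and has not been restricted.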