FortiGate
jheadley_FTNT
Article Id 198499

Description

By default, explicit proxy users can browse an HTTP or HTTPS website on any destination port, for example http://portquiz.net:81/.

However, organizations with stricter security requirements often want the FortiOS explicit proxy to allow requests only for certain destination ports and/or protocols.

This article describes how to use the CLI to modify an existing explicit proxy firewall policy to meet these requirements.

Note that this does not restrict the explicit proxy listening port on the user <-> proxy side of the connection (for example, port 8080). It restricts the proxy <-> website side, that is, the destination port of the connection the proxy opens on behalf of the request made in the user's web browser.


Scope

FortiGates running FortiOS 7.0, 7.2, or 7.4 with the explicit proxy feature enabled and configured.


Solution

GUI Method:

All screenshots and CLI commands are taken from FortiOS 7.0.14.

  1. Under Policy & Objects -> Services, create the explicit proxy service objects representing the protocols and/or destination ports the explicit proxy is to allow, for example an HTTP service on TCP port 80 and a CONNECT service on TCP port 443. Browsers send https:// requests to an explicit proxy as CONNECT tunnels, so HTTPS browsing needs its own CONNECT object.

  2. Under Policy & Objects -> Proxy Policy, identify the ID number of the existing explicit proxy policy that is to be restricted.

     Note that on FortiOS 7.0.14, this is under Policy & Objects -> Explicit Proxy Policy.

  3. Use the CLI to replace the default webproxy service object on the explicit proxy policy with the service objects created in step 1:

config firewall proxy-policy
edit 1
set service "proxy-http-80" "proxy-connect-443"
next
end

CLI Method:

  1. Create the explicit proxy service objects representing the protocols and/or destination ports the explicit proxy is to allow. The example below creates an HTTP service on TCP port 80 and a CONNECT service on TCP port 443; several ports or ranges can be listed in one tcp-portrange, and further objects can be created for other protocols or ports.

config firewall service custom
edit "proxy-http-80"
set proxy enable
set protocol HTTP
set tcp-portrange 80
next
edit "proxy-connect-443"
set proxy enable
set protocol CONNECT
set tcp-portrange 443
next
end

  2. Identify the ID number of the existing explicit proxy policy that is to be restricted:

config firewall proxy-policy
show

  3. Replace the default webproxy service object on that explicit proxy policy with the service objects created in step 1:

config firewall proxy-policy
edit {policy ID number}
set service "proxy-http-80" "proxy-connect-443"
next
end

After this change, a request that matches none of the listed service objects, such as http://portquiz.net:81/, no longer matches this policy and is denied unless a later proxy policy accepts it. Because browsers tunnel https:// requests through CONNECT, omitting the CONNECT object would also block HTTPS browsing on port 443.
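As an added example that is not part of this article or of FortiOS, the following Python script parses a FortiOS configuration backup (a constructed sample using the service object names from this article plus a hypothetical "proxy-unrestricted" policy is embedded) and reports explicit proxy policies whose service objects still permit every destination port, the state the procedure above fixes. It also predicts whether a given URL would match a policy. It assumes that a proxy service object with no tcp-portrange permits any port, and that browsers send http:// URLs to the proxy as plain HTTP requests and https:// URLs as CONNECT tunnels.

```python
"""Added example (not from the article): audit a FortiOS config backup for explicit proxy
policies that still allow any destination port, and predict whether a URL matches a policy."""
import shlex
from urllib.parse import urlsplit

# Constructed sample in FortiOS CLI backup syntax (not a real device export). Policy 1 keeps
# the default any-port "webproxy" service object; policy 2 is restricted as the article shows.
SAMPLE_CONFIG = """
config firewall service custom
    edit "webproxy"
        set proxy enable
        set protocol ALL
    next
    edit "proxy-http-80"
        set proxy enable
        set protocol HTTP
        set tcp-portrange 80
    next
    edit "proxy-connect-443"
        set proxy enable
        set protocol CONNECT
        set tcp-portrange 443
    next
end
config firewall proxy-policy
    edit 1
        set service "webproxy"
        set action accept
    next
    edit 2
        set service "proxy-http-80" "proxy-connect-443"
        set action accept
    next
end
"""

def parse_fortios(text):
    """FortiOS CLI text -> {table: {entry: {key: [values]}}}; top-level tables only."""
    tables, depth, table, entry = {}, 0, None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        cmd, *args = shlex.split(line)
        if cmd == "config":
            depth += 1
            if depth == 1:
                table, entry = tables.setdefault(" ".join(args), {}), None
        elif cmd == "end":
            depth -= 1
        elif depth == 1 and cmd == "edit":
            entry = table.setdefault(args[0], {})
        elif depth == 1 and cmd == "set" and entry is not None:
            entry[args[0]] = args[1:]          # 'set' inside nested blocks is skipped
    return tables

def port_ranges(values):
    """['80', '8080-8088', '443:1024-65535'] -> [(80, 80), (8080, 8088), (443, 443)].
    The optional part after ':' is the source port range and is ignored here."""
    ranges = []
    for value in values:
        lo, _, hi = value.split(":")[0].partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def allowed_ranges(svc, method):
    """Destination ports a proxy service object opens for 'HTTP' or 'CONNECT'; [] if none."""
    if svc.get("proxy", [""])[0] != "enable" or svc.get("protocol", ["ALL"])[0] not in ("ALL", method):
        return []
    if "tcp-portrange" not in svc:      # no range set, e.g. the predefined "webproxy" object:
        return [(0, 65535)]             # treated as any port (an assumption of this script)
    return port_ranges(svc["tcp-portrange"])

def policy_ranges(policy, services, method):
    """All destination port ranges the policy's service objects open for the method."""
    return [r for name in policy.get("service", []) for r in allowed_ranges(services.get(name, {}), method)]

def covers_all_ports(ranges):
    need = 1                            # True if the ranges jointly cover TCP ports 1-65535
    for lo, hi in sorted(ranges):
        if lo > need:
            return False
        need = max(need, hi + 1)
    return need > 65535

def audit(config_text):
    """(policy id, methods) for accept policies that permit every destination port."""
    tables = parse_fortios(config_text)
    services = tables.get("firewall service custom", {})
    findings = []
    for pid, pol in tables.get("firewall proxy-policy", {}).items():
        methods = [m for m in ("HTTP", "CONNECT") if covers_all_ports(policy_ranges(pol, services, m))]
        if pol.get("action", [""])[0] == "accept" and methods:
            findings.append((pid, methods))
    return findings

def request_allowed(config_text, policy_id, url):
    """Would a browser request for url match the policy? http:// is plain HTTP, https:// is CONNECT."""
    tables = parse_fortios(config_text)
    policy = tables["firewall proxy-policy"][policy_id]
    parts = urlsplit(url)
    method, default_port = ("CONNECT", 443) if parts.scheme == "https" else ("HTTP", 80)
    ranges = policy_ranges(policy, tables.get("firewall service custom", {}), method)
    return any(lo <= (parts.port or default_port) <= hi for lo, hi in ranges)
```

Pass the text of a FortiGate configuration backup to audit(); each policy ID it returns is one to restrict with the procedure above. request_allowed() then shows the effect of the change: against the sample, http://portquiz.net:81/ is accepted by policy 1 but not by policy 2, while https://portquiz.net/ still passes policy 2 through the CONNECT object.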