FortiGate
gtapia_FTNT (Staff)
Article Id 192743

Description

 
This article explains why and how to use a WPAD configuration with DHCP option 252 to announce the PAC file of an explicit proxy.
 
Scope
 
All FortiGate devices running FortiOS 6.0 and above.


Solution

 

An explicit proxy centralizes web traffic on one server so that web access can be controlled and monitored.
 
However, this has several disadvantages. One is that every host in the network must be configured manually, adding the proxy parameters needed to reach the server and specifying which addresses bypass the proxy and which are handled by it.
 
Another option is a PAC file containing the address and proxy server configuration. However, each host still has to know the location of this file: an HTTP URL must be added to its settings so that the file can be downloaded and installed.
 
As a result, it is recommended to use a WPAD proxy configuration with DHCP option 252 to inform the host about the PAC file location so that it is installed automatically in browsers. This ensures a simple and transparent process for administrators and users.

Prerequisites:
- The explicit proxy feature must be enabled.
- The explicit proxy must be enabled on the interface.
 
1) Explicit proxy configuration.

# config web-proxy explicit
    set status enable
    set http-incoming-port 8080
    set sec-default-action accept
    set pac-file-server-status enable
    set pac-file-data "function FindProxyForURL(url, host)
{
if (isInNet(host,\"200.198.0.0\",\"255.255.192.0\")){
    return \"DIRECT\";}
if (isInNet(host,\"192.168.0.0\",\"255.255.0.0\")){
    return \"DIRECT\";}
if (isInNet(host,\"172.16.0.0\",\"255.240.0.0\")){
    return \"DIRECT\";}
if (isInNet(host,\"127.0.0.0\",\"255.0.0.0\")){
    return \"DIRECT\";}
if (isInNet(host,\"10.0.0.0\",\"255.0.0.0\")){
    return \"DIRECT\";}
return \"PROXY 200.198.6.234:3128\";
}
"
end
 
2) Once the explicit proxy has been configured and the PAC file has been enabled and created, the PAC file location has to be announced in the DHCP messages exchanged between hosts and the DHCP server (the FortiGate). This is done with DHCP option 252, which enables the WPAD feature.

 
# config system dhcp server
    edit 1
        set forticlient-on-net-status disable
        set dns-service default
        set default-gateway 10.3.151.193
        set netmask 255.255.255.192
        set interface "vlanWIFI"
        config ip-range
            edit 1
                set start-ip 10.3.151.199
                set end-ip 10.3.151.254
            next
        end
        set timezone-option default
        config options
            edit 1
                set code 252
                set type string
                set value "http://10.3.151.193:8080/proxy.pac"
            next
        end
    next
end
 
3) Release and renew the host's IP address so that the PAC file location is received in the DHCP exchange. Once the host has obtained a new IP address, it will access the internet with the proxy options configured. To verify that the configuration is working as intended, execute the 'netstat' command in the Windows CLI.
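Before the PAC file is published through option 252, it is worth checking offline which destinations it sends DIRECT and which it sends to the proxy. The following is an added example, not part of the Fortinet article: a small harness that re-implements the PAC helper isInNet() for IPv4 literals (a real browser would resolve hostnames via DNS first) and evaluates the article's FindProxyForURL() against constructed sample destinations.

```javascript
// Added example (not from the Fortinet article): evaluate the article's PAC
// script offline. isInNet() is re-implemented for IPv4 literals only; in a
// browser, non-IP hosts would first be resolved via DNS, so here they fall
// through to the PROXY rule.

// Convert a dotted-quad IPv4 string to an unsigned 32-bit number, or null.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// PAC helper: true when host (an IPv4 literal here) lies inside network/mask.
function isInNet(host, network, mask) {
  const h = ipToInt(host), n = ipToInt(network), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false; // hostname: no DNS here
  // JS bitwise ops are signed 32-bit; ">>> 0" compares as unsigned.
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// The PAC body from step 1, with the CLI's escaped quotes removed.
function FindProxyForURL(url, host) {
  if (isInNet(host, "200.198.0.0", "255.255.192.0")) { return "DIRECT"; }
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) { return "DIRECT"; }
  if (isInNet(host, "172.16.0.0", "255.240.0.0")) { return "DIRECT"; }
  if (isInNet(host, "127.0.0.0", "255.0.0.0")) { return "DIRECT"; }
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) { return "DIRECT"; }
  return "PROXY 200.198.6.234:3128";
}

// Evaluate a list of destinations and return [host, decision] pairs.
function decisions(hosts) {
  return hosts.map((h) => [h, FindProxyForURL("http://" + h + "/", h)]);
}

// Constructed sample destinations: LAN hosts, /12 boundary, /18 boundary, internet.
console.log(decisions(["10.3.151.193", "172.31.0.9", "172.32.0.1",
                       "200.198.63.1", "200.198.64.1", "8.8.8.8"]));
```

Note that the proxy address 200.198.6.234 itself falls inside 200.198.0.0/18, so the browser reaches it DIRECT rather than looping through the proxy rule.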