FortiGate
gtapia_FTNT
Staff
Description
An explicit proxy can be used to centralize web traffic on one server in order to control and monitor web access.

However, this has several disadvantages.  One of them is that every host in the network has to be configured manually: the proxy parameters needed to reach the server must be added, along with the addresses that should bypass the proxy or be handled by it.  Another option is to use a PAC file.  This file contains the proxy server address and configuration, but the host must know the file's location, which means adding an HTTP address from which the file is downloaded and installed.

Scope
FortiGate v5.4 and v5.6

Solution
WPAD (Web Proxy Auto-Discovery) using DHCP option 252 solves this proxy configuration problem: the DHCP server tells each host where the PAC file is located, and the browser installs it automatically.  This makes the configuration easy and transparent for administrators and users.

Prerequisites
  • Explicit proxy feature enabled.
  • Explicit proxy on interface enabled.

1)  Explicit proxy configuration.


config web-proxy explicit
    set status enable
    set http-incoming-port 8080
    set sec-default-action accept
    set pac-file-server-status enable
    set pac-file-data "function FindProxyForURL(url, host)
{
if (isInNet(host,\"200.198.0.0\",\"255.255.192.0\")){
    return \"DIRECT\";}
if (isInNet(host,\"192.168.0.0\",\"255.255.0.0\")){
    return \"DIRECT\";}
if (isInNet(host,\"172.16.0.0\",\"255.240.0.0\")){
    return \"DIRECT\";}
if (isInNet(host,\"127.0.0.0\",\"255.0.0.0\")){
    return \"DIRECT\";}
if (isInNet(host,\"10.0.0.0\",\"255.0.0.0\")){
    return \"DIRECT\";}
return \"PROXY 200.198.6.234:3128\";
}
"
end

2)  Once the explicit proxy has been configured and the PAC file has been enabled and created, the PAC file location has to be announced in the DHCP messages exchanged between the hosts and the DHCP server (the FortiGate).  This is done with DHCP option 252, which enables the WPAD feature.


config system dhcp server
    edit 1
        set forticlient-on-net-status disable
        set dns-service default
        set default-gateway 10.3.151.193
        set netmask 255.255.255.192
        set interface "vlanWIFI"
        config ip-range
            edit 1
                set start-ip 10.3.151.199
                set end-ip 10.3.151.254
            next
        end
        set timezone-option default
        config options
            edit 1
                set code 252
                set type string
                set value "http://10.3.151.193:8080/proxy.pac"
            next
        end
    next
end

3)  Release and renew the host's IP address so that the PAC file location is obtained in the DHCP exchange.  Once the host has received a new IP address, it gets Internet access with the proxy options configured.  To verify this configuration, the "netstat" command can be executed in the Windows command prompt.
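To check the two pieces of this procedure offline, here is an added example (not part of the article or FortiGate's own code) that walks the option TLVs of a DHCP message to pull out the option 252 PAC URL, and re-implements the article's PAC policy together with the browser-side isInNet helper so the DIRECT/PROXY decision can be tested for sample hosts. The DHCP option bytes and the hostnames are constructed sample data; isInNet here only handles dotted-quad hosts, since there is no DNS resolution in a stand-alone script.

```javascript
// Walk DHCP options (code, length, value): option 0 is a pad byte,
// option 255 ends the list. Returns a Map of code -> Buffer.
function parseDhcpOptions(buf) {
  const opts = new Map();
  let i = 0;
  while (i < buf.length) {
    const code = buf[i++];
    if (code === 0) continue;
    if (code === 255) break;
    const len = buf[i++];
    if (i + len > buf.length) throw new Error('truncated option ' + code);
    opts.set(code, buf.subarray(i, i + len));
    i += len;
  }
  return opts;
}

// Extract the WPAD PAC URL (option 252); some servers append a NUL.
function pacUrlFromOffer(buf) {
  const v = parseDhcpOptions(buf).get(252);
  return v ? v.toString('ascii').replace(/\0+$/, '') : null;
}

// Browser-provided PAC helper, re-implemented for IPv4 literals only.
function ipToInt(ip) {
  return ip.split('.').reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function isInNet(host, net, mask) {
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false; // no DNS lookup
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// The article's PAC policy: private/local ranges go DIRECT, rest via proxy.
function FindProxyForURL(url, host) {
  if (isInNet(host, '200.198.0.0', '255.255.192.0')) return 'DIRECT';
  if (isInNet(host, '192.168.0.0', '255.255.0.0')) return 'DIRECT';
  if (isInNet(host, '172.16.0.0', '255.240.0.0')) return 'DIRECT';
  if (isInNet(host, '127.0.0.0', '255.0.0.0')) return 'DIRECT';
  if (isInNet(host, '10.0.0.0', '255.0.0.0')) return 'DIRECT';
  return 'PROXY 200.198.6.234:3128';
}

// Constructed DHCP options: 53 = DHCPOFFER, 252 = PAC URL, 255 = end.
const sampleUrl = 'http://10.3.151.193:8080/proxy.pac';
const sampleOptions = Buffer.concat([
  Buffer.from([53, 1, 2]),
  Buffer.from([252, sampleUrl.length]), Buffer.from(sampleUrl, 'ascii'),
  Buffer.from([255]),
]);
```

Note that the proxy address 200.198.6.234 itself falls inside the first DIRECT range, so the browser reaches the proxy without recursing through the policy.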
