FortiGate
princes
Staff
Article Id 342824
Description: This article describes how to configure a transparent proxy on FortiGate so that traffic to specific destinations is forwarded to Web Proxy Forwarding Servers.
Scope: All supported versions of FortiGate (make sure the FortiGate model supports proxies; some devices with less RAM do not have this feature in 7.6.x).
Solution:

In transparent proxy mode, the user has no visibility into proxy settings, so nothing needs to be configured explicitly on the endpoint.

Traffic flow in transparent proxy mode (on FortiGate):

  • User traffic first hits the regular firewall policy (from the listening interface to the WAN interface).
  • In that firewall policy, the following setting redirects the traffic to the proxy policy:

    set http-policy-redirect enable

  • The traffic then hits the proxy policy and is sent out according to that proxy policy on FortiGate.

If HTTPS traffic must be redirected as well, SSL deep inspection is required in the regular firewall policy.

FortiGate regular firewall policy:

config firewall policy
    edit 1
        set name "1"
        set srcintf "Proxy listening interface"
        set dstintf "wan-port"
        set srcaddr "all" <- Optionally specify particular source or destination addresses whose traffic is forwarded to the forward proxy.
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set http-policy-redirect enable
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end

FortiGate proxy policy:

config firewall proxy-policy
    edit 5
        set proxy transparent-web
        set srcintf "listening proxy interface"
        set dstintf "wan-link"
        set srcaddr "all"
        set dstaddr "all" <- A specific source or destination address to forward can be set here.
        set service "webproxy"
        set action accept
        set schedule "always"
    next
end

No special configuration is required on the client to use the FortiGate transparent proxy. Because the client uses the FortiGate as its default gateway, its requests first hit the regular firewall policy and are then redirected to the transparent proxy policy.
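As an added illustration (not part of the original article), the following Python script parses FortiGate config excerpts like the two above and checks the requirements the article states: a firewall policy with http-policy-redirect enabled in proxy inspection mode, deep inspection on that policy so HTTPS can be redirected, and a proxy policy of type transparent-web. The embedded sample config is constructed for the example and deliberately uses certificate-inspection so that the audit reports a finding.

```python
# Constructed config excerpt modelled on the article's two policies (sample data).
SAMPLE_CONFIG = """config firewall policy
    edit 1
        set inspection-mode proxy
        set http-policy-redirect enable
        set ssl-ssh-profile "certificate-inspection"
    next
end
config firewall proxy-policy
    edit 5
        set proxy transparent-web
        set service "webproxy"
    next
end
"""

def parse_tables(text):
    """Parse flat config/edit/set/next/end blocks (no nesting) into nested dicts."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit ") and table is not None:
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            table = entry = None
    return tables

def audit(text):
    """Return findings; an empty list means the article's requirements are met."""
    cfg, findings = parse_tables(text), []
    redirecting = {i: p for i, p in cfg.get("firewall policy", {}).items()
                   if p.get("http-policy-redirect") == "enable"}
    if not redirecting:
        findings.append("no firewall policy has http-policy-redirect enabled")
    for i, p in redirecting.items():
        if p.get("inspection-mode") != "proxy":
            findings.append(f"policy {i}: redirect requires inspection-mode proxy")
        if p.get("ssl-ssh-profile") != "deep-inspection":
            findings.append(f"policy {i}: HTTPS redirect requires ssl-ssh-profile deep-inspection")
    if not any(p.get("proxy") == "transparent-web"
               for p in cfg.get("firewall proxy-policy", {}).values()):
        findings.append("no proxy-policy uses 'set proxy transparent-web'")
    return findings
```

Run `audit()` on the output of `show firewall policy` and `show firewall proxy-policy` concatenated; nested sub-blocks are not parsed by this simplified reader.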

By default, when sending traffic to the forward web proxy, FortiGate uses the IP address of the wan-link interface referenced in the firewall policy.

To specify a different outgoing IP address, use the following option:

config web-proxy explicit
    set outgoing-ip 172.28.52.101 <- Make sure this IP address is assigned to one of the FortiGate interfaces.
end

It is also possible to use a URL-category based address object in the proxy policy so that only traffic matching that category is forwarded to the forward proxy servers.

With this address type, the user creates a URL-category address based on a FortiGuard category ID. Once created, the address can be selected as the destination of a proxy policy, so that policy will only allow or block requests matching the URL category.

For more information about categories, see this FortiGuard page.

config firewall proxy-address
    edit "url-category"
        set uuid 7a5465d2-57cf-51e9-49fd-0c6b5ad2ff4f
        set type category
        set host "all"
        set category 30 <- The FortiGuard category ID for the required URL category.
    next
end

Reference configuration guide:

Transparent Proxy - FortiGate cookbook
