Description
This article describes the best practices for explicit proxies.
Scope
FortiGate.
Solution
- For explicit proxies, when configuring limits on the number of concurrent users, allow for the number of users based on the authentication method. Otherwise, user resources may run out prematurely.
- Each session-based authenticated user is counted as a single user using the authentication membership (RADIUS, LDAP, FSSO, local database etc.) to match users in other sessions. One authenticated user in multiple sessions is still one user.
- For all other situations, the source IP address is used to determine a user. All sessions from a single source address are assumed to be from the same user.
- Set the explicit web proxy and explicit FTP proxy Default Firewall Policy Action to Deny. This means that a firewall policy is required to use these explicit proxies, allowing to control access and impose security features.
- Do not enable the explicit web or FTP proxy on an interface connected to the Internet. This is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address. If the proxy has to be enabled on such an interface, make sure authentication is required to use the proxy.
- Use NAT mode or transparent mode as needed. In NAT/Route mode, before packets exit the outgoing interface, the explicit web proxy performs source NAT, changing the source IP address to that of the exiting interface. In Transparent mode, the source IP address is changed to the FortiGate's management IP address.
