Description
This article describes how to configure a FortiGate to act as an explicit web proxy.
FSSO, as passive authentication, is used to collect user logon events from Active Directory.
Related link:
Explicit proxy authentication
Scope
FortiGate.
Solution
The FortiGate acts as an Explicit Web Proxy granting Internet Access to FSSO users. Settings displayed here are an example.
Fortinet Single Sign-On settings:
- Enable Explicit Proxy.
From GUI:
Go to System -> Feature Visibility.
From CLI:
config system settings
set gui-explicit-proxy enable
end
- Enable Explicit Web Proxy.
From GUI:
Go to Network -> Explicit Proxy -> Enable Web Proxy. Select the Interface on which to listen.
From CLI:
config web-proxy explicit
set status enable
set http-incoming-port 8080
end
- Create an Authentication Scheme.
config authentication scheme
edit "NewFSSO"
set method fsso
next
end
- Create an Authentication RULE.
config authentication rule
edit "AuthRule"
set srcaddr "WindowsAD" "WindowsCLIENT" <----- the source addresses this rule matches.
set sso-auth-method "NewFSSO"
next
end
- Create a Proxy Policy.
config firewall proxy-policy
edit 1
set proxy explicit-web
set dstintf "port1"
set srcaddr "WindowsAD" "WindowsCLIENT"
set dstaddr "all"
set service "webproxy"
set action accept
set schedule "always"
set groups "FSSO_Group1" (created in step 1)
next
end
- Configure the Browser/System for Explicit Web Proxy.
- Add the certificate and root CA to the host to avoid getting certificate errors.
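The steps above reference each other (the authentication rule must name an existing FSSO scheme, and the proxy policy's source addresses must be covered by an authentication rule or no user identity is ever attached to the session). The following is an added example, not Fortinet code: a small parser for FortiOS-style "config / edit / set / next / end" blocks, followed by a consistency check over those cross-references. The sample configuration is constructed from the CLI snippets in this article; the function names and the check logic are this example's own.

```python
"""Parse FortiOS CLI blocks and cross-check the explicit-proxy FSSO references.

Added example (not Fortinet code). Only flat tables are modelled; nested
sub-tables (a "config" inside an "edit") are not handled.
"""

import re
from typing import Dict, List, Optional

# Constructed sample: the article's CLI blocks concatenated into one text.
SAMPLE_CONFIG = """
config system settings
    set gui-explicit-proxy enable
end
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
end
config authentication scheme
    edit "NewFSSO"
        set method fsso
    next
end
config authentication rule
    edit "AuthRule"
        set srcaddr "WindowsAD" "WindowsCLIENT"
        set sso-auth-method "NewFSSO"
    next
end
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "WindowsAD" "WindowsCLIENT"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "FSSO_Group1"
    next
end
"""

# table name -> entry name ("" for tables without "edit") -> setting -> values
Config = Dict[str, Dict[str, Dict[str, List[str]]]]


def _tokens(line: str) -> List[str]:
    """Split one CLI line into tokens, keeping double-quoted values whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]


def parse_fortios(text: str) -> Config:
    """Build a nested dict from flat FortiOS config blocks."""
    config: Config = {}
    table: Optional[str] = None
    entry = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tok = _tokens(line)
        kw = tok[0]
        if kw == "config":
            table = " ".join(tok[1:])
            config.setdefault(table, {})
            entry = ""
        elif kw == "edit" and table is not None:
            entry = tok[1]
            config[table].setdefault(entry, {})
        elif kw == "set" and table is not None:
            config[table].setdefault(entry, {})[tok[1]] = tok[2:]
        elif kw == "next":
            entry = ""
        elif kw == "end":
            table, entry = None, ""
    return config


def check_explicit_proxy_fsso(config: Config) -> List[str]:
    """Return findings for the article's setup; an empty list means consistent."""
    findings: List[str] = []
    if config.get("web-proxy explicit", {}).get("", {}).get("status") != ["enable"]:
        findings.append("explicit web proxy is not enabled")
    schemes = config.get("authentication scheme", {})
    auth_src = set()
    for name, rule in config.get("authentication rule", {}).items():
        scheme = rule.get("sso-auth-method", [""])[0]
        if scheme not in schemes:
            findings.append(f"rule {name}: sso-auth-method {scheme!r} is not a defined authentication scheme")
        elif schemes[scheme].get("method") != ["fsso"]:
            findings.append(f"rule {name}: scheme {scheme!r} does not use method fsso")
        auth_src.update(rule.get("srcaddr", []))
    for pid, pol in config.get("firewall proxy-policy", {}).items():
        if pol.get("proxy") != ["explicit-web"]:
            continue
        if not pol.get("groups"):
            findings.append(f"policy {pid}: no groups set, so no user identity is required")
        if "all" not in auth_src:
            missing = sorted(set(pol.get("srcaddr", [])) - auth_src)
            if missing:
                findings.append(f"policy {pid}: srcaddr {missing} not covered by any authentication rule")
    return findings


if __name__ == "__main__":
    for finding in check_explicit_proxy_fsso(parse_fortios(SAMPLE_CONFIG)) or ["config is consistent"]:
        print(finding)
```

Run it against a configuration backup to catch the usual mistake of adding an address object to the proxy policy without adding it to the authentication rule; such sessions are allowed or denied on address alone and never appear as FSSO users in the monitoring output.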
- Monitoring.
diag firewall auth list
This command lists the authenticated users together with the group and policy they matched. Note that g_id and pol_id are dynamic in this view and can change if other policies with different address objects are hit.
The same user, group and policy combination is also shown in the GUI under the Monitoring widget (starting 6.4) or the Monitoring section (6.2 and lower).
Related article:
Technical Tip: FSSO advanced mode with explicit proxy