omontanez
Staff
Article Id 197351

Description
This article describes the steps required to set up an explicit proxy using FSSO authentication in advanced mode.

Scope
Explicit Proxy, FSSO advanced mode, Explicit Proxy firewall policy.

Solution
1) Add an AD group (the group containing the users whose PCs have the proxy configuration).

Example: PROXYOU\PROXYGP.

An Organizational Unit (PROXYOU) with a group (PROXYGP) was created in AD to hold the users who use the proxy.
The firewall policy settings will be applied to the users in this OU/group.
Go to Authentication -> Single Sign-On -> server -> Groups, select the group and add it to the selected groups.

(Screenshot: omontanez_ene02.jpg)
2) Create a proxy options profile and configure the HTTP port that the web browser will use for proxy connections.

Go to Policy and Objects -> Policy -> Proxy Options and add a profile (in this example port 3080 was selected).
(Screenshot: omontanez_ene03.jpg)
3) Enable Explicit Web Proxy on the interface (internal).

Go to System -> Network -> Interfaces.
(Screenshot: omontanez_FD39305_ene03_5.jpg)
4) Create an Explicit Proxy firewall policy to permit traffic for users that meet all of the following criteria:

- Users that use the internal interface IP as the explicit proxy.

- Users who are members of a specific AD group (PROXYGP in this example), for which specific conditions are set in the next steps.

- Users located on the internal interface subnet.

Go to Policy and Objects -> Policy -> Explicit Proxy.

Configure the firewall policy settings:

Source Address: internal interface subnet (this address object must first be defined under Policy and Objects -> Objects -> Addresses).

Outgoing Interface: WAN

Destination Address: ALL

Action: Authenticate

Enable 'User Authentication Options' and, under 'Single Sign-On Method', select FSSO.

(Screenshot: omontanez_ene04.jpg)
5) Create an authentication rule and add the AD group (PROXYGP).

All members of this group will match this policy and will then be handled by the UTM profiles selected in it.

For example, select an application control profile to block YouTube for all users that are members of PROXYGP in AD and use the explicit proxy.
(Screenshot: omontanez_ene05.jpg)
6) Test.

Configure the proxy settings in Chrome: set the internal interface IP as the proxy server and use the port configured in the proxy options profile (3080 in this example, or another).

(Screenshot: omontanez_FD39305_ene06.jpg)

All other traffic that uses the explicit proxy from users who do not belong to PROXYGP in AD will be blocked.
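The same setup expressed in the FortiOS CLI, as an added example that is not part of the original article. It assumes FortiOS 6.x CLI syntax, that the FSSO agent (Authentication -> Single Sign-On -> server) and an application control profile named "block-youtube" already exist, and uses placeholder object names, subnet and AD domain; lines starting with # are annotations, not CLI input.

```fortios
# Step 2: port the browsers will use for proxy connections (3080 in the article)
config web-proxy explicit
    set status enable
    set http-incoming-port 3080
end
# Step 3: enable the explicit web proxy on the internal interface
config system interface
    edit "internal"
        set explicit-web-proxy enable
    next
end
# Step 4 prerequisite: address object for the internal subnet (placeholder subnet)
config firewall address
    edit "internal_subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
end
# Steps 1 and 5: FSSO group wrapping the AD group PROXYGP
# (advanced mode identifies groups by LDAP DN; DC values are placeholders)
config user group
    edit "PROXYGP_fsso"
        set group-type fsso-service
        set member "CN=PROXYGP,OU=PROXYOU,DC=example,DC=local"
    next
end
# Steps 4 and 5: explicit proxy policy that only PROXYGP members can match;
# traffic from other users reaching the proxy matches nothing and is denied
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "wan1"
        set srcaddr "internal_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set groups "PROXYGP_fsso"
        set utm-status enable
        set application-list "block-youtube"
    next
end
```

Object and interface names must match what exists on the unit, and the exact keywords may differ on other FortiOS versions.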


Related Articles

Technical Note: User based authentication on FSSO, using LDAP and FSSO agent on advanced mode

Technical Tip: How to switch FSSO operation mode from Standard Mode to Advanced Mode

Technical Note: FortiGate WAN Optimization and Explicit Proxy FAQs
