Created on 08-23-2024 09:33 AM
Edited on 11-25-2024 03:29 AM
By Jean-Philippe_P
This article describes a security hardening feature of the FortiOS explicit web proxy: refusing to relay traffic that is not HTTP over the web ports.
Scope: FortiOS.
To prevent users from tunneling non-HTTP/HTTPS traffic (for example SSH, VPN or a custom C2 channel) over TCP ports 80/443 through the explicit proxy, perform the following changes:
Create a new Protocol Option Profile on the GUI:
Give it a name and select OK:
Right-click the new profile and select 'Edit in CLI':
In the CLI window, apply the following changes under the 'http' section of the profile:
config firewall profile-protocol-options
    edit "Test"
        config http
            set ports 80 443
            unset options
            unset post-lang
            set tunnel-non-http disable
        end
    next
end
With 'tunnel-non-http disable', any connection a user tunnels over TCP ports 80/443 whose payload does not carry HTTP headers is dropped at the proxy; a plain HTTP request is relayed as before.
The profile only takes effect on traffic matched by an explicit proxy policy (config firewall proxy-policy) that references it. On port 443 the proxy can only see the HTTP headers once the TLS session has been decrypted, so the same policy must also apply an SSL/SSH inspection profile in full SSL (deep) inspection mode; with certificate inspection alone the encrypted tunnel payload is never examined and the check cannot be enforced.
For FortiOS versions earlier than 6.4, this feature is under 'config web-proxy global':
config web-proxy global
    set tunnel-non-http [enable|disable]
end
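To confirm the setting is actually enforced rather than just configured, the Python script below is an added example and not part of the Fortinet article. It opens a CONNECT tunnel through an explicit proxy, pushes a payload that is deliberately not HTTP (a constructed SSH banner) and then a genuine HTTP request, and reports whether each is relayed or the tunnel is torn down. So that it runs offline, it also carries a small stand-in proxy that behaves like one with tunnel-non-http disabled; the stand-in works on plaintext, standing for the stream after deep inspection has decrypted it. The request-line check in looks_like_http is an assumption that approximates the article's "does not contain HTTP headers" condition; FortiGate's actual parser is not published. For a live check, point probe_tunnel at the FortiGate explicit proxy address and port (TCP/8080 by default) instead of the stand-in, and wrap the client socket in TLS after the CONNECT if the tunnel under test is TLS-encapsulated.

```python
"""Probe an explicit web proxy for tunnelled non-HTTP traffic.

Added example, not code from the Fortinet article.  It opens a CONNECT
tunnel through the proxy, pushes a payload that is not HTTP, and reports
whether the proxy relays it or tears the tunnel down.  A small stand-in
proxy with the hardened behaviour is included so the check runs offline.
"""
import socket
import socketserver
import threading

# Request methods an HTTP/1.x request line can start with.
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"TRACE ", b"CONNECT ")


def looks_like_http(first_bytes: bytes) -> bool:
    """Does the stream open with an HTTP/1.x request line?

    Assumption: FortiGate's real parser is not published; this mirrors the
    article's 'does not contain HTTP headers' condition.
    """
    line = first_bytes.split(b"\r\n", 1)[0]
    return line.startswith(HTTP_METHODS) and line.rstrip().endswith((b"HTTP/1.0", b"HTTP/1.1"))


def probe_tunnel(proxy_host: str, proxy_port: int, target: str,
                 payload: bytes, timeout: float = 5.0) -> str:
    """Tunnel PAYLOAD to TARGET ('host:port') via CONNECT on the proxy.

    Returns 'allowed' if the far end answers (PAYLOAD must be something the
    target replies to, e.g. an SSH banner to an SSH daemon), 'blocked' if the
    proxy closes, resets or silently drops the tunnel, and 'connect-refused'
    if the proxy rejects the CONNECT itself.
    """
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode())
        reply = s.recv(4096)
        if not reply.startswith((b"HTTP/1.1 200", b"HTTP/1.0 200")):
            return "connect-refused"
        try:
            s.sendall(payload)
            answer = s.recv(4096)
        except (ConnectionResetError, BrokenPipeError, socket.timeout):
            return "blocked"
        return "allowed" if answer else "blocked"


class HardenedProxyHandler(socketserver.StreamRequestHandler):
    """Stand-in for an explicit proxy with tunnel-non-http disabled.

    It accepts CONNECT, then inspects the first bytes the client sends into
    the tunnel: non-HTTP data closes the tunnel, HTTP gets a canned reply in
    place of a real upstream server.  It sees plaintext, i.e. it stands for
    the stream after deep inspection has decrypted it.
    """
    rbufsize = 0  # unbuffered reads, so nothing is swallowed before recv()

    def handle(self):
        request_line = self.rfile.readline()
        while self.rfile.readline() not in (b"\r\n", b""):
            pass  # discard the remaining CONNECT headers
        if not request_line.startswith(b"CONNECT "):
            self.wfile.write(b"HTTP/1.1 405 Method Not Allowed\r\n\r\n")
            return
        self.wfile.write(b"HTTP/1.1 200 Connection established\r\n\r\n")
        first = self.request.recv(4096)
        if not looks_like_http(first):
            return  # returning closes the socket: the tunnel is dropped
        self.wfile.write(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")


def start_stand_in_proxy():
    """Start the stand-in on 127.0.0.1 at an ephemeral port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), HardenedProxyHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_checks(proxy_host: str, proxy_port: int) -> dict:
    """The two probes to run after enabling the setting: a constructed SSH
    banner (non-HTTP) and a genuine HTTP request, both tunnelled to port 443."""
    return {
        "ssh-banner-over-443": probe_tunnel(proxy_host, proxy_port, "example.com:443",
                                            b"SSH-2.0-OpenSSH_9.6\r\n"),
        "http-request-over-443": probe_tunnel(proxy_host, proxy_port, "example.com:443",
                                              b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    }


if __name__ == "__main__":
    # For a live check, replace the stand-in with the FortiGate explicit proxy (default TCP/8080).
    server, port = start_stand_in_proxy()
    try:
        for name, verdict in run_checks("127.0.0.1", port).items():
            print(f"{name}: {verdict}")
    finally:
        server.shutdown()
        server.server_close()
```

Against a FortiGate, a 'blocked' verdict for the SSH banner and 'allowed' for the HTTP request confirms the profile is applied by the proxy policy and that deep inspection is in effect; 'allowed' for both means the setting is not reaching the traffic (wrong policy, certificate inspection only, or the pre-6.4 global knob still set to enable).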
For more information about deep inspection, see:
Technical Tip: How to enable deep inspection and import a certificate in the browser.
Differences between SSL Certificate Inspection and Full SSL Inspection
Copyright 2025 Fortinet, Inc. All Rights Reserved.