FortiGate
ezhupa
Staff
Article Id 250507
Description This article describes how to perform the initial setup of a transparent proxy with an SD-WAN.
Scope Any supported versions of FortiGate and FortiOS.
Solution

First, configure the SD-WAN. See this document: Configuring the SD-WAN interface for more information.

 

In this example, port1 and port2 are members of the SD-WAN:


config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "port1"
            set gateway x.x.x.x
        next
        edit 2
            set interface "port2"
            set gateway y.y.y.y
        next
    end
end

 

Additionally, create a static route through the SD-WAN zone so that the SD-WAN members provide internet connectivity.

 

config router static
    edit 1
        set distance 1
        set sdwan-zone "virtual-wan-link"
    next
end

 

Performance SLAs and SD-WAN rules can also be added to the configuration as required.

 

Next, enable the proxy features on the FortiGate, which are hidden by default: go to System -> Feature Visibility and enable Explicit Proxy.
The default values can be used; configuring the explicit proxy settings themselves is beyond the scope of this article.

 

Then create two policies:

  • A regular firewall policy in proxy inspection mode.
  • A proxy policy in transparent mode.

 

In a transparent proxy deployment, the user's client software (such as a browser) is unaware that it is communicating with a proxy.

Users request Internet content as usual, without any special client configuration, and the proxy serves their requests.

 

To configure the firewall policy in proxy mode through the CLI, see the following example:

 

config firewall policy
    edit 1
        set name "fwproxypolicy"
        set uuid 5f591e2a-ca63-51ed-6468-5c7f24abb156
        set srcintf "port3"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set http-policy-redirect enable
        set nat enable
    next
end

 

The 'set http-policy-redirect enable' setting is essential: it redirects matching traffic from this firewall policy to the transparent proxy policy.
In older FortiOS versions this option was only configurable in the CLI; in newer versions it can also be set in the GUI.

 

To configure the transparent proxy policy in the CLI:

 

config firewall proxy-policy
    edit 1
        set uuid 71c4fec6-ca63-51ed-ff18-c62fb581e3fe
        set name "transparentProxy"
        set proxy transparent-web
        set srcintf "port3"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set ssl-ssh-profile "deep-inspection"
    next
end

 

No special client configuration is necessary to use a FortiGate transparent proxy. Because the client uses the FortiGate as its default gateway, its requests first match the regular firewall policy and are then redirected to the transparent proxy policy.

 

See the following article for more information about the differences between explicit proxies and transparent proxies:
Technical Tip: Explicit proxy vs. transparent proxy vs. NGFW proxy-mode

The following article explains how to configure a transparent proxy with FSSO authentication:

Technical Tip: How to configure a transparent proxy with FSSO