Description | This article describes how to perform the initial setup of a transparent proxy with an SD-WAN. |
Scope | Any supported versions of FortiGate and FortiOS. |
Solution |
First, configure the SD-WAN. See the documentation for more information.
In this example, port1 and port2 are members of the SD-WAN:
# config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "port1"
            set gateway x.x.x.x
        next
        edit 2
            set interface "port2"
            set gateway y.y.y.y
        next
    end
end
Additionally, establish a static route for the SD-WAN interface's internet connectivity.
# config router static
    edit 1
        set distance 1
        set sdwan-zone "virtual-wan-link"
    next
end
Performance SLAs and SD-WAN rules can also be added to the configuration as required.
Next, enable the proxy features on the FortiGate, which are hidden by default: go to System -> Feature Visibility and enable Explicit Proxy.
Then create two policies:
- One normal firewall policy in proxy mode.
- One proxy policy in transparent mode.
In a transparent proxy deployment, the user's client software (such as a browser) is unaware that it is communicating with a proxy. Users request Internet content as usual, without any special client configuration, and the proxy serves their requests.
To configure the firewall policy in proxy mode through the CLI, see the following example:
# config firewall policy
    edit 1
        set name "fwproxypolicy"
        set uuid 5f591e2a-ca63-51ed-6468-5c7f24abb156
        set srcintf "port3"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set http-policy-redirect enable
        set nat enable
    next
end
The 'set http-policy-redirect enable' setting is essential: without it, traffic matching this firewall policy is not redirected to the transparent proxy policy.
To configure the transparent proxy policy in the CLI:
# config firewall proxy-policy
    edit 1
        set uuid 71c4fec6-ca63-51ed-ff18-c62fb581e3fe
        set name "transparentProxy"
        set proxy transparent-web
        set srcintf "port3"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set ssl-ssh-profile "deep-inspection"
    next
end
No special client configuration is necessary to use a FortiGate transparent proxy. Because the client is using the FortiGate as its default gateway, requests will pass through the regular firewall policy first and then be redirected to the transparent proxy policy.
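As an added check that is not part of this article or of FortiOS, the following Python script parses a FortiOS configuration export and verifies that both policies described above are present for the SD-WAN zone: a proxy-mode firewall policy with http-policy-redirect enabled, and an accepting transparent-web proxy policy. The embedded configuration is a constructed sample, and the zone name "virtual-wan-link" is assumed to match the example above.

```python
import shlex

# Constructed sample export (not a real device backup) mirroring the article's policies.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set name "fwproxypolicy"
        set srcintf "port3"
        set dstintf "virtual-wan-link"
        set action accept
        set inspection-mode proxy
        set http-policy-redirect enable
    next
end
config firewall proxy-policy
    edit 1
        set name "transparentProxy"
        set proxy transparent-web
        set srcintf "port3"
        set dstintf "virtual-wan-link"
        set action accept
    next
end
"""

def parse_fortios(text):
    """Turn config/edit/set/next/end blocks into nested dicts keyed by block name."""
    root, stack, cur = {}, [], {}
    cur = root
    for line in text.splitlines():
        tokens = shlex.split(line.strip())  # shlex strips the quotes around values
        if not tokens:
            continue
        keyword = tokens[0]
        if keyword in ("config", "edit"):
            child = cur.setdefault(" ".join(tokens[1:]), {})
            stack.append(cur)
            cur = child
        elif keyword == "set" and len(tokens) >= 3:
            cur[tokens[1]] = " ".join(tokens[2:])
        elif keyword in ("next", "end") and stack:
            cur = stack.pop()
    return root

def find_issues(cfg, zone="virtual-wan-link"):
    """Return a list of problems; an empty list means the redirect chain is complete."""
    issues = []
    fw_policies = cfg.get("firewall policy", {}).values()
    if not any(p.get("dstintf") == zone and p.get("inspection-mode") == "proxy"
               and p.get("http-policy-redirect") == "enable" for p in fw_policies):
        issues.append("no proxy-mode firewall policy to %s with http-policy-redirect enable" % zone)
    proxy_policies = cfg.get("firewall proxy-policy", {}).values()
    if not any(p.get("proxy") == "transparent-web" and p.get("dstintf") == zone
               and p.get("action") == "accept" for p in proxy_policies):
        issues.append("no accepting transparent-web proxy-policy to %s" % zone)
    return issues

if __name__ == "__main__":
    print(find_issues(parse_fortios(SAMPLE_CONFIG)) or "redirect chain complete")
```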
See the following article for more information about the differences between explicit proxies and transparent proxies:
Copyright 2023 Fortinet, Inc. All Rights Reserved.