FortiGate
emalayan
Article Id 337330
Description This article describes how to deploy a transparent web-proxy policy that redirects all HTTP/HTTPS web traffic from the LAN to a remote proxy server. This setup applies to deployments in which no proxy is configured on the clients/workstations.
Scope FortiGate.
Solution
  1. Configure a web proxy forwarding server via the CLI:

     config web-proxy forward-server
         edit "ProxychainFTNT"
             set addr-type fqdn
             set fqdn "test.proxy.ftnt"
             set port 8080
         next
     end

  2. Configure a new LAN-to-WAN firewall policy, or edit an existing one, with the following settings:
  • inspection-mode set to proxy.
  • http-policy-redirect set to enable.
  • ssl-ssh-profile set to a deep-inspection profile (redirecting HTTPS requires full SSL inspection, not certificate inspection).
  • webproxy-forward-server set to the forward server created in step 1.
  • All other UTM profiles disabled, since inspection will be done by the external web proxy server.

Below is an example configuration:

     config firewall policy
         edit 0
             set name "LAN->Internet"
             set srcintf "port5"                     <--- LAN
             set dstintf "port1"                     <--- WAN
             set action accept
             set srcaddr "LAN_Subnet"
             set dstaddr "all"
             set schedule "always"
             set service "ALL"
             set inspection-mode proxy
             set http-policy-redirect enable
             set ssl-ssh-profile "deep-inspection"
             set logtraffic all
             set webproxy-forward-server "ProxychainFTNT"
             set nat enable
         next
     end

  3. Configure a transparent proxy policy that specifies the same webproxy-forward-server:

     config firewall proxy-policy
         edit 0
             set name "proxy-policy-transparent"
             set proxy transparent-web
             set srcintf "port5"
             set dstintf "port1"
             set srcaddr "LAN_Subnet"
             set dstaddr "all"
             set service "webproxy"
             set action accept
             set schedule "always"
             set webproxy-forward-server "ProxychainFTNT"
         next
     end
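The redirect silently fails if any of the step 2 settings is missing or the forward-server name differs between the two policies. The following script is an added example (not Fortinet code) that parses a flat FortiOS CLI fragment like the three blocks above and reports which prerequisites are not met; the sample configuration it carries is constructed from this article, and the list of UTM profile keys it flags is an assumption about which per-policy profiles should stay unset.

```python
"""Lint a FortiOS CLI fragment for the step-2 prerequisites of the transparent web-proxy redirect.
Added example, not Fortinet code; handles only the flat config/edit/set/next/end layout shown here."""
GOOD_CONFIG = (  # constructed sample: the article's three CLI blocks condensed into one string
    'config web-proxy forward-server\nedit "ProxychainFTNT"\nset addr-type fqdn\n'
    'set fqdn "test.proxy.ftnt"\nset port 8080\nnext\nend\n'
    'config firewall policy\nedit 0\nset name "LAN->Internet"\nset srcintf "port5" <--- LAN\n'
    'set dstintf "port1" <--- WAN\nset inspection-mode proxy\nset http-policy-redirect enable\n'
    'set ssl-ssh-profile "deep-inspection"\nset webproxy-forward-server "ProxychainFTNT"\nnext\nend\n'
    'config firewall proxy-policy\nedit 0\nset name "proxy-policy-transparent"\n'
    'set proxy transparent-web\nset service "webproxy"\nset webproxy-forward-server "ProxychainFTNT"\n'
    'next\nend\n'
)
# Per-policy UTM profile keys that should stay unset (assumed list): the external proxy inspects.
UTM_KEYS = ("av-profile", "webfilter-profile", "dnsfilter-profile", "ips-sensor", "application-list")

def parse_fortios(text):
    """Return {table: {edit-id: {key: value}}} from flat config/edit/set/next/end text."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tok = raw.split("<---")[0].split()  # drop '<--- LAN' style annotations
        if not tok:
            continue
        if tok[0] == "config":
            tables.setdefault((table := " ".join(tok[1:])), {})
        elif tok[0] == "edit":
            tables[table].setdefault((entry := tok[1].strip('"')), {})
        elif tok[0] == "set":
            tables[table][entry][tok[1]] = " ".join(tok[2:]).strip('"')
    return tables

def check_redirect(text):
    """Return a list of findings; an empty list means every prerequisite is met."""
    cfg = parse_fortios(text)
    servers = cfg.get("web-proxy forward-server", {})
    findings = []
    redirecting = {k: v for k, v in cfg.get("firewall policy", {}).items() if "webproxy-forward-server" in v}
    for pid, p in redirecting.items():
        fs = p["webproxy-forward-server"]
        if fs not in servers:
            findings.append(f"policy {pid}: forward-server {fs!r} is not defined")
        for key, want in (("inspection-mode", "proxy"), ("http-policy-redirect", "enable")):
            if p.get(key) != want:
                findings.append(f"policy {pid}: {key} must be {want}")
        if p.get("ssl-ssh-profile") in (None, "no-inspection", "certificate-inspection"):
            findings.append(f"policy {pid}: needs a deep-inspection SSL/SSH profile")
        findings += [f"policy {pid}: {k} should be unset" for k in UTM_KEYS if k in p]
    for pid, p in cfg.get("firewall proxy-policy", {}).items():
        if p.get("proxy") == "transparent-web" and p.get("webproxy-forward-server") not in servers:
            findings.append(f"proxy-policy {pid}: forward-server missing or undefined")
    return findings
```

Paste the output of `show web-proxy forward-server`, `show firewall policy` and `show firewall proxy-policy` into one string and pass it to `check_redirect` to verify a live unit before troubleshooting further.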