FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes how to deploy a transparent web-proxy policy that will redirect all web HTTPS/HTTP traffic from LAN to a remote proxy server. This set up can be applied to deployment in which the proxy is not configured in clients/workstations.
Scope
FortiGate.
Solution
Configure a web proxy forwarding server via the CLI:
config web-proxy forward-server
edit "ProxychainFTNT"
set addr-type fqdn set fqdn "test.proxy.ftnt" set port 8080
next
end
Configure or edit existing LAN to WAN policy with the following:
Inspection-mode set to proxy.
http-policy-redirect set to enable.
Set 'deep-inspection' on SSL/SSH profile.
Specify the webproxy-forward-server that was created.
The rest of the UTM profiles should be disabled as the inspection will be done by the external web proxy server.
Below is an example configuration:
config firewall policy
edit 0
set name "LAN->Internet" set srcintf "port5" <--- LAN set dstintf "port1" <--- WAN set action accept set srcaddr "LAN_Subnet" set dstaddr "all" set schedule "always" set service "ALL" set inspection-mode proxy set http-policy-redirect enable set ssl-ssh-profile "deep-inspection" set logtraffic all set webproxy-forward-server "ProxychainFTNT" set nat enable
next
end
Configure a transparent proxy policy specifying the webproxy-forward-server:
config firewall proxy-policy
edit 0
set name "proxy-policy-transparent" set proxy transparent-web set srcintf "port5" set dstintf "port1" set srcaddr "LAN_Subnet" set dstaddr "all" set service "webproxy" set action accept set schedule "always" set webproxy-forward-server "ProxychainFTNT"
