FortiGate
gtapia_FTNT
Staff
Article Id 192743

Description

 
This article describes why and how to use a Web Proxy Auto-Discovery (WPAD) configuration with DHCP option 252 to distribute the PAC file of a FortiGate explicit proxy to clients automatically.
 
Scope
 
All FortiGate devices running FortiOS v6.0 and above.


Solution

 

An explicit proxy centralizes web traffic on a single server so that web access can be controlled and monitored in one place.
 
This approach has drawbacks. If every host in the network is configured by hand, the proxy address and port must be added to each client, together with the list of destinations that should bypass the proxy. This does not scale and is easy to get wrong.
 
A PAC file removes most of the per-host work: it contains the proxy server address and the rules that decide which destinations are sent through the proxy and which are reached directly. However, each host still has to be told the HTTP URL from which to download the PAC file.
 
WPAD with DHCP option 252 closes that gap. The DHCP server hands the PAC file URL to the client together with its lease, and a browser with automatic proxy detection enabled fetches and applies the file on its own. This keeps the process simple and transparent for both administrators and users.

Prerequisites:
  • The explicit proxy feature must be enabled.
  • The explicit proxy must be enabled on the interface.
 
  1. Explicit proxy configuration. Enable the explicit proxy, set the listening port, enable the built-in PAC file server and supply the PAC file contents. The PROXY directive returned by the PAC file must name an address and port on which the explicit proxy actually listens (one of the ports in http-incoming-port, on an interface where the explicit proxy is enabled); the private ranges that return DIRECT bypass the proxy entirely.

 
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
    set sec-default-action accept
    set pac-file-server-status enable
    set pac-file-data "function FindProxyForURL(url, host)
{
if (isInNet(host,\"200.198.0.0\",\"255.255.192.0\")){
    return \"DIRECT\";}
if (isInNet(host,\"192.168.0.0\",\"255.255.0.0\")){
    return \"DIRECT\";}
if (isInNet(host,\"172.16.0.0\",\"255.240.0.0\")){
    return \"DIRECT\";}
if (isInNet(host,\"127.0.0.0\",\"255.0.0.0\")){
    return \"DIRECT\";}
if (isInNet(host,\"10.0.0.0\",\"255.0.0.0\")){
    return \"DIRECT\";}
return \"PROXY 200.198.6.234:3128\";
}
"
end
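Before publishing the PAC file through DHCP it is worth checking, offline, which destinations the FindProxyForURL() above sends DIRECT and which it sends to the proxy. The following is an added example and not part of this article or of FortiOS: it reproduces the PAC logic from the configuration above and supplies stand-ins for the isInNet(), dnsResolve() and isPlainHostName() helpers that browsers normally provide. The name table, the host names in it and the extra single-label-name rule are assumptions made for the example; the proxy address and the network ranges are the ones from the configuration above.

```javascript
// Added example, not part of the Fortinet article: an offline harness that
// evaluates the article's FindProxyForURL() against sample URLs so the DIRECT
// and PROXY decisions can be checked before the PAC file is handed out via
// DHCP option 252. Browsers supply isInNet()/dnsResolve()/isPlainHostName()
// themselves; the versions below resolve names from a constructed table
// instead of real DNS, otherwise they follow the browser semantics.

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number, or null.
function ipv4ToInt(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Constructed name table (hypothetical hosts) standing in for the resolver.
const FAKE_DNS = {
  "intranet.corp.example": "10.3.151.193", // inside 10.0.0.0/8  -> DIRECT
  "www.example.com": "93.184.216.34",      // public address     -> PROXY
};

function dnsResolve(host) {
  if (ipv4ToInt(host) !== null) return host;        // already an IP literal
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}

// Same behaviour as the browser helper: resolve the host, then compare the
// masked address with the masked pattern. An unresolvable name never matches.
function isInNet(host, pattern, mask) {
  const ip = dnsResolve(host);
  if (ip === null) return false;
  const a = ipv4ToInt(ip), p = ipv4ToInt(pattern), m = ipv4ToInt(mask);
  if (a === null || p === null || m === null) return false;
  return ((a & m) >>> 0) === ((p & m) >>> 0);       // >>> 0 keeps the compare unsigned
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// The article's PAC logic, unchanged except for one added rule (assumption):
// single-label names go DIRECT without forcing a DNS lookup inside isInNet().
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (isInNet(host, "200.198.0.0", "255.255.192.0")) return "DIRECT";
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  if (isInNet(host, "172.16.0.0", "255.240.0.0")) return "DIRECT";
  if (isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  return "PROXY 200.198.6.234:3128";
}

// Derive the host from the URL the way a browser does before calling the PAC.
function route(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}

// When run directly, print a routing table for a few sample URLs.
if (typeof require !== "undefined" && require.main === module) {
  for (const u of ["http://10.3.151.200/", "http://intranet.corp.example/",
                   "https://www.example.com/", "http://172.32.0.1/"]) {
    console.log(u.padEnd(32), "->", route(u));
  }
}
```

Two points the harness makes visible: the /12 and /18 masks cut off exactly where expected (172.31.x.x is DIRECT, 172.32.x.x goes to the proxy; 200.198.63.x is DIRECT, 200.198.64.x is not), and a name that does not resolve falls through every isInNet() rule and ends up at the proxy, which is the behaviour a real browser shows as well.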
 
  2. Once the explicit proxy has been configured and the PAC file has been enabled and created, its URL has to be announced in the DHCP exchange between the hosts and the DHCP server (here the FortiGate itself). This is done with DHCP option 252, a string option that carries the WPAD URL. The URL points at the explicit proxy listener (the interface address and http-incoming-port), where the FortiGate serves the file under the configured PAC file name (proxy.pac by default). Note that option 252 is delivered in an ordinary, unauthenticated DHCP offer, so clients follow whatever PAC URL the DHCP server they hear from provides; make sure only the FortiGate answers DHCP on the segment.

 
config system dhcp server
    edit 1
        set forticlient-on-net-status disable
        set dns-service default
        set default-gateway 10.3.151.193
        set netmask 255.255.255.192
        set interface "vlanWIFI"
        config ip-range
            edit 1
                set start-ip 10.3.151.199
                set end-ip 10.3.151.254
            next
        end
        set timezone-option default
        config options
            edit 1
                set code 252
                set type string
                set value "http://10.3.151.193:8080/proxy.pac"
            next
        end
    next
end
 
  3. Release and renew the client's lease (on Windows, 'ipconfig /release' followed by 'ipconfig /renew') so that the new offer carries option 252. The client must have automatic proxy detection enabled ('Automatically detect settings' in the Windows proxy settings). Once the host has its new address, the browser downloads the PAC file and reaches the internet with the proxy settings it contains. To verify this, browse to an external site and run 'netstat -n' in the Windows command prompt: established connections to the proxy address and port, rather than to the destination web servers, show that the PAC file is in use. Opening the option 252 URL directly in a browser confirms that the FortiGate is serving the file.