hpenmetsa
Staff
Article Id 305005
Description This article describes detailed configuration steps for enabling explicit proxy with local user authentication on a FortiProxy.
Scope FortiProxy.
Solution
  1. Enable and configure the explicit proxy.

In the GUI:

  1. Go to Policy & Objects -> Proxy Settings -> Explicit Proxy.
  2. Select the interface on which the proxy will listen (e.g. port2).
  3. Set the port number on which the proxy will listen (8080 in the CLI example below).

  [Image: ConfigExplicitproxy.jpeg]

In the CLI:

config web-proxy explicit-proxy
    edit "web-proxy"
        set status enable
        set interface "port2"
        set http-incoming-port 8080
    next
end

Enable the explicit web proxy on the interface:

In the GUI:

Go to Network -> Interface and edit the interface. Enable the 'Explicit web proxy' option.

  [Image: enableinterface.jpeg]

In the CLI:

config system interface
    edit "port2"
        set ip 10.133.1.182 255.255.240.0
        set allowaccess ping https ssh http telnet
        set type physical
        set explicit-web-proxy enable
        set role lan
        set snmp-index 2
    next
end

The 'set explicit-web-proxy enable' line is the one this step adds; the remaining settings are the existing configuration of this lab interface. Note that the 'allowaccess' list shown includes cleartext HTTP and Telnet administrative access, which a production interface would not normally expose; limit 'allowaccess' to the management protocols actually required.

  2. Create a local user group for authentication. Go to User & Authentication -> User Group, select Create New, and set the type to Firewall. Add the local users who are allowed to use the proxy as members (the user "hari" in this example).

In the GUI:

  [Image: usergroup.png]

In the CLI:

config user group
    edit "Test Group"
        set member "hari"
    next
end

  3. Create authentication rules and schemes (explicit proxy authentication is managed by the authentication rules and schemes).
    1. Create an authentication scheme under Policy & Objects -> Authentication Rules.
    2. Select Create New Authentication Scheme.
       Set the method to 'basic' and the user database to 'local-user-db', so that the scheme authenticates against the local users and therefore matches the local user group created above.

In the GUI:

  [Image: Auth-scheme.png]

In the CLI:

config authentication scheme
    edit "Test"
        set method basic
        set user-database "local-user-db"
    next
end

With the 'basic' method the browser sends the username and password base64-encoded in the Proxy-Authorization header. Base64 is an encoding, not encryption, so the credentials are readable by anything on the client-to-proxy path unless that path is otherwise protected.

Create an authentication rule to match the source interface and the incoming traffic that must authenticate.

Create a new rule. Select the source interface, set Source address to all and Destination address to all, enable the authentication scheme, and select the scheme created above.

  [Image: Auth-rule.png]

In the CLI:

config authentication rule
    edit "TEST"
        set srcintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set active-auth-method "Test"
    next
end

  4. Configure an explicit proxy policy and add the user group to the policy.
    1. Go to Policy & Objects -> Policy.
    2. Select Create New.
    3. Select the explicit web proxy created above and the outgoing interface.
    4. In Source, select address all and the created user group.

In the GUI:

  [Image: proxypolicy.png]

In the CLI:

config firewall policy
    edit 1
        set type explicit-web
        set name "To_Internet"
        set uuid 98da8fc8-de01-51ee-5b2a-9a2905f15638
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set logtraffic all
        set groups "Test Group"
        set ssl-ssh-profile "certificate-inspection"
    next
end

The 'groups' setting ties the policy to the authentication: only traffic from a user who has authenticated as a member of "Test Group" matches this policy. 'logtraffic all' records the matching sessions, so authenticated proxy use can be reviewed afterwards in the traffic log.

  5. Configure client proxy settings: on the PC (e.g. Windows), navigate to Settings -> Network & internet -> Proxy, enable Manual proxy setup, and enter the explicit web proxy IP address and port configured on the FortiGate.

In the GUI:

  [Image: pc.png]

  6. Web browsing authentication: when users attempt to browse the internet through the web proxy, the browser prompts for a username and password.

  [Image: Auth.png]

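The exchange behind that prompt, as an added example that is not part of this article and not FortiProxy code: a small Python model of the explicit proxy's Basic-authentication challenge (the 'method basic' / 'local-user-db' scheme from step 3 and the user-group restriction from the step 4 policy), with a client that answers the challenge the way a browser with a manual proxy setup does. The user "hari" and the group "Test Group" are taken from the article; the passwords, the extra local user "guest" (who is deliberately not a group member), the realm string and the mock proxy itself are constructed for this example.

```python
# Added example, not FortiProxy code: a standard-library mock of an explicit
# proxy that enforces Basic authentication and a user-group policy check.
import base64
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-ins for 'local-user-db' and the policy's user group.
# "hari"/"Test Group" are from the article; passwords, "guest" and the realm are invented.
LOCAL_USER_DB = {"hari": "S3cret!", "guest": "guest123"}
GROUP_MEMBERS = {"Test Group": {"hari"}}
POLICY_GROUP = "Test Group"
AUTH_REALM = "web-proxy"


def parse_basic_credentials(header_value):
    """Decode a 'Basic <base64>' Proxy-Authorization value into (user, password).

    Returns None for a missing or malformed header. No key is involved: Basic
    credentials are only base64-encoded, so anything that sees this header on
    the client-to-proxy path can recover the password exactly as done here.
    """
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(header_value, group=POLICY_GROUP):
    """Scheme check (local user db) followed by the policy's group membership check."""
    creds = parse_basic_credentials(header_value)
    if creds is None:
        return False
    user, password = creds
    stored = LOCAL_USER_DB.get(user)
    if stored is None:
        return False
    password_ok = hmac.compare_digest(stored.encode(), password.encode())
    return password_ok and user in GROUP_MEMBERS.get(group, set())


class MockProxyHandler(BaseHTTPRequestHandler):
    """Responds like an explicit proxy whose authentication rule uses active Basic auth."""

    def do_GET(self):
        if not authenticate(self.headers.get("Proxy-Authorization")):
            # 407 plus the challenge header is what makes the browser show its prompt.
            self.send_response(407)
            self.send_header("Proxy-Authenticate", f'Basic realm="{AUTH_REALM}"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"proxied OK"  # a real proxy would now fetch self.path upstream
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock_proxy():
    """Start the mock proxy on an ephemeral localhost port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockProxyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch_via_proxy(port, url="http://example.invalid/", user=None, password=None):
    """One absolute-URI GET through the proxy; returns (status, Proxy-Authenticate header).

    With credentials given, Proxy-Authorization is sent up front, which is what
    a browser does once the user has answered the first 407 prompt.
    """
    headers = {}
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Proxy-Authorization"] = f"Basic {token}"
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", url, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Proxy-Authenticate")
    finally:
        conn.close()


if __name__ == "__main__":
    server, port = start_mock_proxy()
    print(fetch_via_proxy(port))                                     # (407, 'Basic realm="web-proxy"')
    print(fetch_via_proxy(port, user="guest", password="guest123"))  # 407: valid user, not in the group
    print(fetch_via_proxy(port, user="hari", password="S3cret!"))    # (200, None)
    server.shutdown()
```

Three outcomes are worth noticing: a request without credentials gets the 407 challenge (the browser prompt); a correct password for a local user who is not in the policy's group still gets 407, which is the effect of 'set groups "Test Group"' on the policy; and the group member gets through. `parse_basic_credentials` also makes the earlier caveat concrete: it recovers the password from the header with nothing but a base64 decode.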

 

To verify the list of authenticated users from the FortiGate CLI, run the following command:

diagnose wad user list

Example output:

ID: 10, VDOM: root, IPv4: 10.133.1.178
user name : hari
worker : 1
duration : 90 seconds
auth_type : IP
auth_method : Basic
pol_id : 1
g_id : 2
user_based : 0
expire : N/A (in use)
LAN:
bytes_in=153493 bytes_out=24642103
WAN:
bytes_in=23932351 bytes_out=138436
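To check this output from a script rather than by eye (for example to confirm that the expected user authenticated from the expected client IP and matched the expected policy), here is an added example that is not Fortinet code: a parser that turns the record format shown above into dictionaries. The embedded sample is the record from this article; the parsing rules are inferred from that single sample and are an assumption about the command's output format.

```python
# Added example, not Fortinet code: parse 'diagnose wad user list' records.
import re

# The record from this article, embedded so the example runs offline.
SAMPLE_OUTPUT = """\
ID: 10, VDOM: root, IPv4: 10.133.1.178
user name : hari
worker : 1
duration : 90 seconds
auth_type : IP
auth_method : Basic
pol_id : 1
g_id : 2
user_based : 0
expire : N/A (in use)
LAN:
bytes_in=153493 bytes_out=24642103
WAN:
bytes_in=23932351 bytes_out=138436
"""

# Assumed format, inferred from the single sample above: one header line per
# session, 'key : value' lines, then LAN:/WAN: sections each followed by a counter line.
HEADER_RE = re.compile(r"^ID:\s*(\d+),\s*VDOM:\s*(\S+),\s*IPv4:\s*(\S+)$")
COUNTER_RE = re.compile(r"^bytes_in=(\d+)\s+bytes_out=(\d+)$")


def parse_wad_user_list(text):
    """Return one dict per authenticated session found in the command output."""
    sessions = []
    current = None
    section = None  # "LAN" or "WAN" while a counter line is expected
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "vdom": m.group(2),
                       "ipv4": m.group(3), "counters": {}}
            sessions.append(current)
            section = None
            continue
        if current is None:
            continue  # text before the first record, e.g. the echoed command
        if line in ("LAN:", "WAN:"):
            section = line[:-1]
            continue
        m = COUNTER_RE.match(line)
        if m and section:
            current["counters"][section] = {"bytes_in": int(m.group(1)),
                                            "bytes_out": int(m.group(2))}
            section = None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().replace(" ", "_"), value.strip()
        current[key] = value
        if key == "duration":
            digits = re.match(r"\d+", value)
            current["duration_seconds"] = int(digits.group()) if digits else None
    return sessions


def find_session(sessions, user, ipv4=None):
    """First session for `user` (optionally restricted to `ipv4`), or None if none exists."""
    for s in sessions:
        if s.get("user_name") == user and (ipv4 is None or s["ipv4"] == ipv4):
            return s
    return None


if __name__ == "__main__":
    sessions = parse_wad_user_list(SAMPLE_OUTPUT)
    hari = find_session(sessions, "hari", "10.133.1.178")
    print(hari["auth_method"], hari["pol_id"], hari["counters"]["WAN"])
```

Because the output of a single session is the only sample available, the regular expressions are deliberately strict: a line that does not match the assumed header or counter shape falls through to the generic 'key : value' handling instead of being silently misread, so a format difference on another firmware shows up as an unexpected key rather than a wrong number.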
