FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
duenlim
Staff
Article Id 284368
Description This article describes how to handle applications that do not support NTLM or Kerberos authentication when it is required by an Explicit Proxy deployed with NTLM or Kerberos authentication.
Scope FortiProxy or Explicit Proxy.
Solution

Many applications access the Internet with their own user agent. If a particular application has problems authenticating and has a unique user agent, it is possible to configure an authentication bypass based on that user agent.


Below are the steps to bypass authentication based on a user agent. 'Curl' is used as an example to extract the user agent.

 

  1. Run a packet capture (sniffer) to check the user agent name. In this case, the user agent name is 'curl/8.0.1'.

 

GET http://www.example.com/ HTTP/1.1
Host: www.example.com
User-Agent: curl/8.4.0
Accept: */*
Proxy-Connection: Keep-Alive

 

  2. Create a proxy address:

 

config firewall proxy-address
    edit "Curl_User_Agent"
        set type header
        set host "all"
        set header-name "User-Agent"
        set header "curl/8.4.0"
    next
end

 

  3. Create a policy above the other policies, without an authentication group, and make sure to specify the destination so that the policy does not affect traffic handled by the other policies:

 

config firewall policy
    edit 1
        set type explicit-web
        set status enable
        set dstintf "port1" "port2"
        set srcaddr "Curl_User_Agent"
        set dstaddr "example"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set ssl-ssh-profile "SSL Interception"
    next
end

    

config firewall address
    edit "example"
        set type fqdn
        set fqdn "www.example.com" <----- The HTTP request header shows that the destination is www.example.com.
    next
end

config firewall policy
    edit 3
        set type explicit-web
        set name "Test"
        set dstintf "port1" "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set ssl-ssh-profile "SSL Interception"
        set groups "Kerberos_MK3" <----- Authentication Required.
    next
end
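
The following added example (not part of the original article and not Fortinet code) models the first-match behavior that steps 1 to 3 rely on. It shows why the bypass policy has to sit on top and why its destination should stay narrow: the User-Agent header is chosen by the client, so the policy applies to any request that presents it. Top-down evaluation and substring matching are simplifying assumptions, and the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model of the explicit-web policies above (added example).
# Assumptions: policies are evaluated top-down, the first match wins, and the
# header proxy-address matches as a case-insensitive substring of User-Agent.

@dataclass(frozen=True)
class Policy:
    policy_id: int
    ua_value: Optional[str]         # None models srcaddr "all"
    dst_hosts: Optional[frozenset]  # None models dstaddr "all"
    groups: tuple = ()              # empty tuple = no authentication group

    def matches(self, user_agent: str, host: str) -> bool:
        ua_ok = self.ua_value is None or self.ua_value.lower() in user_agent.lower()
        dst_ok = self.dst_hosts is None or host.lower() in self.dst_hosts
        return ua_ok and dst_ok

def evaluate(policies, user_agent, host):
    """Return (policy_id, auth_required) for the first matching policy."""
    for policy in policies:
        if policy.matches(user_agent, host):
            return policy.policy_id, bool(policy.groups)
    return None, None  # nothing matched

def no_auth_hosts(policies, user_agent, hosts):
    """Hosts this User-Agent reaches through a policy without groups."""
    return [h for h in hosts if evaluate(policies, user_agent, h)[1] is False]

BYPASS = Policy(1, "curl/8.4.0", frozenset({"www.example.com"}))
AUTH = Policy(3, None, None, ("Kerberos_MK3",))
PAGE_ORDER = [BYPASS, AUTH]                       # as configured above
WRONG_ORDER = [AUTH, BYPASS]                      # bypass policy not on top
UNSCOPED = [Policy(1, "curl/8.4.0", None), AUTH]  # dstaddr "all" on policy 1

# Constructed sample destinations
HOSTS = ["www.example.com", "intranet.example.net", "files.example.org"]

if __name__ == "__main__":
    for name, pols in [("page order", PAGE_ORDER), ("wrong order", WRONG_ORDER),
                       ("unscoped", UNSCOPED)]:
        print(name, no_auth_hosts(pols, "curl/8.4.0", HOSTS))
```

With the page's ordering only `www.example.com` is reachable without authentication; with `dstaddr "all"` on the bypass policy every destination is.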

 

Test results: (No authentication is required)

C:\>curl -vv --proxy http://10.176.2.91:8080 --proxy-insecure --insecure https://dlptoolbox.com
* Trying 10.176.2.91:8080...
* Connected to 10.176.2.91 (10.176.2.91) port 8080
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to dlptoolbox.com:443
> CONNECT dlptoolbox.com:443 HTTP/1.1
> Host: dlptoolbox.com:443
> User-Agent: curl/8.4.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
< Proxy-Agent: Fortinet-Proxy/1.0
<
* CONNECT phase completed
* CONNECT tunnel established, response 200
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1
> GET / HTTP/1.1
> Host: dlptoolbox.com
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: private
< Content-Type: text/html; charset=utf-8
< Server: Microsoft-IIS/10.0
< X-AspNet-Version: 4.0.30319
< X-Powered-By: ASP.NET
< X-Powered-By-Plesk: PleskWin
< Date: Tue, 05 Dec 2023 06:30:06 GMT
< Content-Length: 35265
<

<!DOCTYPE html>

 

If authentication is required before the application can reach the Internet, it is possible to use 'Basic Authentication' for that specific user agent name, provided the application supports the basic authentication method.

 

config firewall proxy-address
    edit "Curl_User_Agent"
        set uuid 31344240-8354-51ee-ee4d-29045210ac2d
        set type header
        set host "all"
        set header-name "User-Agent"
        set header "curl/8.0.1" <----- User agent Curl will do the Basic Authentication.
        set case-sensitivity disable
    next
end

config firewall policy
    edit 1 <----- Make sure to set it to the top.
        set type explicit-web
        set status enable
        set dstintf "port1" "port2"
        set srcaddr "Curl_User_Agent"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set ssl-ssh-profile "SSL Interception"
        set groups "Basic_Auth_Group"
    next
end