Support Forum

Block proxy external

Guys, I need your help. I have a user who connects to the Internet through an external proxy. I have a web filter on the Fortinet, and this user bypasses the filter through the proxy he is using. These proxies connect over some strange ports, which I have blocked, but he is using some that connect over port 80. Is there some signature to filter this behavior?
rwpatterson
Valued Contributor III

Do you mean that a user is browsing the Internet using an external proxy server to bypass your firewall policies? What version of firmware are you using? MR3 versions have a 'Proxy Avoidance' category built into the Fortigate Web Filtering categories. Enable this, and most proxy avoidance sites will be unreachable.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Prometejas
New Contributor

I have a similar situation - users are connecting over https to external proxy servers and I can't control these sessions. Our content filtering (CF) is running on another machine. Does Proxy Avoidance in the FG Web Filtering category run without a CF licence?
Fortinet Solutions in Lithuania http://www.beit.lt/fortinet SMS For Free http://www.smsforfree.lt
DrBrain
New Contributor

Hi Robert_M,

Here are some suggestions for you:

1. Use the option 'Rate URLs by domain and IP address'. This should pick up the proxy IP address in the request and block access to it.
2. Add a rule on the server to detect URLs of this form and rate them in the proxy avoidance category. (Turn this on for HTTP & HTTPS for v3.00MR3.)
3. Add a firewall policy to block all proxy IP addresses.
4. Lock the endpoint machine so that the proxy settings cannot be changed.

Hi Prometejas,

FG Web Filtering will not work without a valid CF licence.
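One way to spot the port-80 case from the original question, as an added example that is not part of the thread and not a FortiGate signature: a browser configured to use an explicit proxy sends the full URL in the request line (absolute-form) or a CONNECT request, while a direct request carries only a path. The record layout, function names and sample addresses below are assumptions made for illustration.

```python
import re

# Request line: METHOD SP request-target SP HTTP-version (RFC 7230, section 3.1.1)
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")

def classify_request_line(line):
    """Return 'proxy-absolute', 'proxy-connect', 'direct' or 'unparsed'."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return "unparsed"
    method, target = m.groups()
    if method == "CONNECT":
        return "proxy-connect"      # authority-form: tunnel request to a proxy
    if re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I):
        return "proxy-absolute"     # absolute-form: what a client sends to a proxy
    return "direct"                 # origin-form (/path) or asterisk-form (*)

def flag_proxy_clients(records, approved_proxies=()):
    """records: iterable of (src_ip, dst_ip, dst_port, request_line).
    Returns {src_ip: sorted [(dst_ip, dst_port)]} for proxy-style requests
    sent to destinations that are not on the approved proxy list."""
    hits = {}
    for src, dst, port, line in records:
        if dst in approved_proxies:
            continue  # the organisation's own proxy is expected to see these
        if classify_request_line(line).startswith("proxy-"):
            hits.setdefault(src, set()).add((dst, port))
    return {src: sorted(dsts) for src, dsts in hits.items()}

# Constructed sample records (documentation address ranges), not real traffic.
SAMPLE = [
    ("10.0.0.21", "203.0.113.5", 80, "GET /index.html HTTP/1.1"),
    ("10.0.0.37", "198.51.100.9", 80, "GET http://example.org/ HTTP/1.1"),
    ("10.0.0.37", "198.51.100.9", 80, "CONNECT example.org:443 HTTP/1.1"),
    ("10.0.0.44", "10.0.0.2", 8080, "GET http://example.com/a HTTP/1.1"),
]

if __name__ == "__main__":
    flagged = flag_proxy_clients(SAMPLE, approved_proxies={"10.0.0.2"})
    for src, dsts in flagged.items():
        print(src, "->", dsts)
```

Web-based proxy sites are reached with ordinary direct requests, so this check does not see them; those are what the category rating discussed in the thread is for.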
Prometejas

Thanks for the answers. I used Fortinet's CF earlier, but I found very high CPU and memory load on the device and slow traffic. Now I have it on another machine (not FG) and I'm satisfied. In this case I eliminated SPF.
Fortinet Solutions in Lithuania http://www.beit.lt/fortinet SMS For Free http://www.smsforfree.lt
DrBrain
New Contributor

Hi Prometejas, Oh, this is a known issue for low-end FortiGates, e.g. FG60. My customer was complaining to me every day, hahaha. Lesson learned, I'll only propose FG100A onward for new customers.
willmays
New Contributor

Remember services cost more for the bigger models (i.e. say around $600 for the bundle at the low end, but more like $400 per service at the FG100 end) ... FG60s still have their place, but definitely for fewer than 25 users with bandwidth less than about 4 mb.
Will Mays FCNSP