Unfortunately it doesn't mention the impact of any of this (will it screw up existing traffic?) and the options are confusing ( 5 different kinds of headers, none of which match the language in the google page)
We currently do not have anything like that defined, has anyone set this up? Of course there isn't anything in the GUI named "Proxy Header Control" Do I set that up in "Explicit proxy" or "Proxy Options" GUI or do I have to do it in the CLI?
not yet. I opened a ticket on it and was told we needed to implement proxy. So I have spent the last couple of months working out enabling proxy with AD integration. Once we had it set up, I opened another ticket and was told we didn't need a proxy....sigh. The issue is that it cannot be done from the GUI.
I was told to do (Ticket Number: 1693602)
config web-proxy profile
set name "X-YouTube-Edu-Filter"
set content "ABCD1234567890abcdef"
Finally configure the Explicit Proxy policy that is allowing the traffic to Youtube to use the just created web-proxy profile:
config firewall explicit-proxy-policy
edit 1 <- ID of the explicit proxy policy
set webproxy-profile "test-profile"
However that did not work so after more research, he said the problem is that "we used certificate inspection. I researched this further and we needed to use the deep inspection default "
and this is where we are now. I am reluctant to use deep-inspection because it changes the way certificates are handled and usually gives certificate errors on every website.
I have to admit, I am pretty dissapointed in Fortinet. Their flagship firewall product seems really old-school and barely able to handle common issues such as this. Having to manually code something as universal as safe-search or google issues implies they are not keeping up with how the internet is evolving. We also have a similar issue around google safesearch. It requires a forced URL change. The recommended solution is to modify DNS but that causes a whole host of problems around split-horizon foreign domains so I need to try and get the fortigate to do it.
update... we successfully were able to make this work.
however....two major hurdles exist.
1) "deep-inspection" of certificates IS required, which means either the Fortigate certificate must be installed on all workstations, or a trusted certificate must be installed on the Fortigate - we are still trying to get this to work.
2) the bigger problem. The GUI is incompatible with the configuration and every time the GUI is used to change any profiles (such as adding a category to exclude, or allowing a website to have access) then the configuration must be manually reprogrammed in the CLI. THis makes it so unweildy that it may not be worth doing. See my last paragraph of the previous entry.
I'm surprised that FortiOS provides for header rewrites - this is not something that you'd expect a normal firewall to do. Rather, a web firewall like the FortiWeb will do it out of the box but this is a dedicated device to control and manipulate HTTP traffic, not so easy to set up and quite expensive. A clear overkill for just YTfE.
Have you thought about redirecting the HTTP traffic out of the FGT to a dedicated (proxy) server via ICAP or WCCP? Both are supported in FortiOS. I admit the prospect of maintaining an additional server for one purpose alone is not promising but it might be an alternative.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.