Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Wurstsalat
New Contributor III

Created on ‎04-20-2022 04:57 AM

FortiOS Explicit Proxy rule based on client(!) HTTP header

Hi there,

 

we want to establish Microsoft approach of a "mikro vm" with "application guard" and edge (+chrome+firefox). So in best case we can use one proxy for all use cases, free internet through application guard and restricted internet through default browsing.

Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs

 

When we enable ApplicationGuardTrafficIdentificationEnabled ( Microsoft Edge Browser Policy Documentation | Microsoft Docs ) the browser in the sandbox sends for his requests an additional http header "X-MS-ApplicationGuard-Initiated". So if i can believe in wireshark, yes this header is send but...it seems not to have any effect on the fortigate

 

We tried the following rule and used as "source"a proxy address (to be honest, we tried several other things but this seems to be the right way...from my understanding)

Wurstsalat_0-1650455389442.png

Just to mention, when we set the host in gui, after we apply, and reopen it, this field is empty again...but when we check in the cli, it is all there.

Wurstsalat_0-1650455789984.png

 

So anyway, we set this as source but the rule seems not to have any effect. Any ideas how we can archive this to be handleb by fortigate?

 

Kind regards

Labels:
2757
0 Kudos
1 Solution
pminarik
Staff
Staff
In response to Wurstsalat

Created on ‎05-17-2022 02:53 AM Edited on ‎05-17-2022 02:53 AM

"X-MS-ApplicationGuard-Initiated: 1" should be trivial to match:

HTTP host header proxy address objectHTTP host header proxy address object

(replace the Host option with whichever source-IP address object you need).

 

The HTTP/HTTPs part is a good question.
Are these headers supposed to be included in the outer request to the proxy (proxy will always see them), or are they supposed to be included in the inner request? (they would be sent to the real destination server, and DPI would be needed to see them inside encrypted traffic)

Only the first one (outer request to proxy) makes sense to me, but I'm not a MS expert. :)

[ corrections always welcome ]

View solution in original post

2606
12 REPLIES 12
xsilver_FTNT
Staff
Staff
In response to Wurstsalat

Created on ‎05-17-2022 01:53 AM

How about to export/copy HTTP headers as plain text from Wireshark and place them to something like https://regexr.com to test.
It's more about to make sure that string in header is exactly what you expect, because your "/string/g" regex is pretty simple.
I just guess you are logging "All sessions" on that Proxy-policy at least now for debug purposes. So is anything hitting that policy and showed up in logs?

Is it HTTP or HTTPS traffic ? ;)

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

712
0 Kudos
Wurstsalat
New Contributor III
In response to xsilver_FTNT

Created on ‎05-17-2022 03:38 AM

thanks for your help, followed this which leads to the solution. the value is 1 and we had previously no matches on the policy. Solved now

 

693
0 Kudos
xsilver_FTNT
Staff
Staff
In response to Wurstsalat

Created on ‎05-17-2022 03:41 AM

great to hear that it's fixed now.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

692
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.