emnoc
Esteemed Contributor III

Fortigate web-proxy auth rules

Has anybody ever gotten a local user DB working with an explicit proxy, on any FortiOS version? I have the cfg and policy and it looks good, but every time I test it shows "needs authentication".

Sample of the cfg I've been testing, now on 3 different FortiGates:

homefgt (root) # show authentication rule
config authentication rule
    edit "proxy-auth"
        set srcaddr "all"
        set active-auth-method "Auth-scheme-Negotiate"
    next
end

homefgt (root) # show authentication setting
config authentication setting
    set active-auth-scheme "Auth-scheme-Negotiate"
end

homefgt (root) # show user group proxy_user
config user group
    edit "proxy_user"
        set member "kfelix1" "kfelix"
    next
end

homefgt (root) # show firewall proxy-policy
config firewall proxy-policy
    edit 1
        set uuid 0428149c-e925-51ef-1e15-2684e04091ae
        set proxy explicit-web
        set dstintf "wan1" "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "proxy_user"
    next
end

diag wad debug enable auth

shows my Basic Authorization header, which decodes correctly, but I believe I'm not matching the auth rule. I'm using the simplest auth scheme also:

homefgt (root) # show authentication scheme
config authentication scheme
    edit "exproxy"
        set method negotiate
    next
    edit "Auth-scheme-Negotiate"
        set method basic
        set user-database "local-user-db"
    next
end

Any ideas?

PCNSE NSE StrongSwan
1 REPLY
emnoc
Esteemed Contributor III

Okay, I made headway with curl, but my browser is hosed up.

homefgt (root) # diag wad session list

Session: explicit proxy 192.168.1.111:51005(xxxx.xxx.xxxx.xxx:8568)->23.223.33.16:80
id=668058720 vd=0:0 fw-policy=1
duration=0 expire=3600 session-ttl=3600
state=3 app=http sub_type=0 dd_mode=0 dd_method=0
SSL disabled
to-client
TCP Port:
state=2 r_blocks=1 w_blocks=0 read_blocked=0
bytes_in=184 bytes_out=0 shutdown=0x0
to-server
TCP Port:
state=2 r_blocks=0 w_blocks=0 read_blocked=0
bytes_in=0 bytes_out=103 shutdown=0x0

Sessions total=1

homefgt (root) # diag wad user
list List proxy users.
clear Clear all users or clear a particular user using: diagnose wad user clear <ID> <IP> <VDOM>.
info Query user info with <type> and <value>. [Take 0-2 arg(s)]
exchange Test connectivity with user-exchange.
device Get device info. [Take 0-4 arg(s)]

homefgt (root) # diag wad user list

ID: 4, IP: 192.168.1.111, VDOM: root
user name : kfelix
duration : 155
auth_type : IP
auth_method : Basic
pol_id : 1
g_id : 7
user_based : 0
expire : 300
LAN:
bytes_in=187128 bytes_out=1519115
WAN:
bytes_in=1543523 bytes_out=104751

So I'm still investigating why.

PCNSE NSE StrongSwan
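The exchange behind both posts above, as an added example that is not part of emnoc's posts or of FortiOS: the first post sees a Basic Authorization header that "decodes correctly" in `diag wad debug enable auth` yet the browser still gets "needs authentication", while the reply shows curl succeeding and `diag wad user list` holding an IP-based entry for kfelix. The script below shows the two-step explicit-proxy dance a client must perform against a proxy whose scheme is `method basic`: an unauthenticated absolute-URI request, a 407 carrying `Proxy-Authenticate: Basic`, then a retry with `Proxy-Authorization`. To run offline it embeds a constructed mock proxy standing in for the FortiGate; the user name kfelix is from the thread, the password, realm and mock behaviour are invented for the example.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for the FortiGate local user DB (password is invented).
MOCK_USERS = {"kfelix": "example-password"}
REALM = "explicit-proxy"  # assumption: realm text is invented for the mock


def basic_header(user, password):
    """Value a client sends in Proxy-Authorization for Basic auth (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(value):
    """Decode 'Basic <b64>' to (user, password), the way the WAD auth debug
    shows the decoded header; None if the scheme is not Basic or it is malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


class MockExplicitProxy(BaseHTTPRequestHandler):
    """Mock explicit web proxy: answer 407 with a Basic challenge until the
    Proxy-Authorization header matches the constructed user DB."""
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        creds = decode_basic(self.headers.get("Proxy-Authorization", ""))
        if creds is None or MOCK_USERS.get(creds[0]) != creds[1]:
            body = b"needs authentication\n"
            self.send_response(407)
            self.send_header("Proxy-Authenticate", f'Basic realm="{REALM}"')
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        # Authenticated: a real proxy would now fetch self.path (the absolute
        # URI from the request line) from the origin; the mock answers directly.
        body = f"proxied {self.path} for {creds[0]}\n".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the mock quiet
        pass


def start_mock_proxy():
    """Start the mock on an ephemeral loopback port; returns the server."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockExplicitProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def proxied_get(proxy_host, proxy_port, url, user=None, password=None):
    """One explicit-proxy request: absolute URI on the request line, plus
    Proxy-Authorization when credentials are given.
    Returns (status, Proxy-Authenticate header or None, body)."""
    conn = http.client.HTTPConnection(proxy_host, proxy_port, timeout=5)
    headers = {}
    if user is not None:
        headers["Proxy-Authorization"] = basic_header(user, password)
    conn.request("GET", url, headers=headers)  # http.client derives Host from the URI
    resp = conn.getresponse()
    body = resp.read().decode()
    challenge = resp.getheader("Proxy-Authenticate")
    conn.close()
    return resp.status, challenge, body


def auth_exchange(proxy_host, proxy_port, url, user, password):
    """What a browser or `curl --proxy-user` does: unauthenticated request,
    expect 407 + challenge, retry with credentials. Returns both statuses."""
    status, challenge, _ = proxied_get(proxy_host, proxy_port, url)
    if status != 407:
        return status, None  # no challenge: policy let it through or failed outright
    if not challenge or not challenge.lower().startswith("basic"):
        raise RuntimeError(f"proxy offered {challenge!r}, not Basic; check the auth scheme")
    retry_status, _, _ = proxied_get(proxy_host, proxy_port, url, user, password)
    return status, retry_status


if __name__ == "__main__":
    srv = start_mock_proxy()
    port = srv.server_address[1]
    print(auth_exchange("127.0.0.1", port, "http://example.com/", "kfelix", "example-password"))
    print(auth_exchange("127.0.0.1", port, "http://example.com/", "kfelix", "wrong"))
    srv.shutdown()
```

Against a real FortiGate the same exchange is `curl -v -x http://<fortigate-ip>:<explicit-proxy-port> --proxy-user kfelix:<password> http://example.com/`; the `-v` output shows whether the first reply is a 407 with `Proxy-Authenticate: Basic` (what a `method basic` scheme should send) or a different scheme, which is the first thing to compare against what the browser is being offered when curl succeeds and the browser does not.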