Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MidwestOpe
New Contributor

Created on ‎07-25-2023 06:25 AM

Proxy/Redirected FQDN

Hi folks,

 

Looking for some advice here. We have an access control system off-site (no Forti equipment) that sits behind what appears to be a "proxy" FQDN. LAN -> WAN -> URL -> Redirected IP/port -> ACS.

Every time the URL is accessed, it will redirect to a new IP and port combination - what I imagine is some kind of load-balancing. I can whitelist the redirected IP and the port, but it changes after a day or so. Efforts to glean the IP/port ranges I need to whitelist have been futile.

 

Is there a way to whitelist a FQDN's redirections? I port forwarded a customized port on the ISP router to the private IP of the ACS interface in the past (by being there physically)...but this WAN IP has changed - and I'm looking for a way to allow access remotely.

 

Am I overthinking it? Thanks for your thoughts!

Labels:
1045
0 Kudos
7 REPLIES 7
saneeshpv_FTNT
Staff
Staff

Created on ‎07-26-2023 05:06 AM

Hi

 

Not very clear with your setup. Could you please share the URL you are accessing? Is it publicly accessible? Where is this redirected IP/port pointing to ? Also where is the FortiGate placed in this traffic path ?

 

Maybe a diagram would help.

 

Best Regards,

1003
0 Kudos
nageentaj
Staff
Staff
In response to saneeshpv_FTNT

Created on ‎07-26-2023 08:26 AM

Hi Team,

Please share us the below details.

Is firewall acting as a proxy server or are you using any third party proxy ?

please share  us the clear  network diagram and proxy configuration settings on the user PC accessing the URL mentioning the URL you are accessing.
Also please let us know the exact requirement you are looking for by explaining in detail.

 

992
0 Kudos
MidwestOpe
New Contributor
In response to nageentaj

Created on ‎07-27-2023 05:40 AM Edited on ‎07-27-2023 05:43 AM

The FortiGate 60F is doing nothing special, just forwarding requests on as necessary. There seems to be a 3rd party proxy down the line, as seen in the diagram provided.

I'm looking to see if I can whitelist or "trust" the redirected IP/Port combination after hitting the initial URL. The proxy server uses different ports and IPs after a certain period of time, like 24 hours. I can whitelist the URL, but it seems FortiGate doesn't allow for access after it is redirected. I can provide the URL in a private message if necessary....RMC_workflow.PNG

975
0 Kudos
saneeshpv_FTNT
Staff
Staff
In response to MidwestOpe

Created on ‎07-27-2023 06:07 AM

Hi @MidwestOpe 

 

When the proxy server changes the IP and port, how does the user knows about this port change. I can understand with DNS, we know the IP changes for that FQDN/URL but what about the port change. Is the proxy going to sending back any redirected URL to the User ? If it changes the port, Is the Proxy going on listen on these random port when user connects ?

 

Usually with a Full Proxy, you will have two connection, One from User to Proxy and the Second one from Proxy to the ACS system. So if the proxy is changing the IP and port for the connection from Proxy to ACS, you don't really to change anything on the FortiGate because it is placed in between User and Proxy. 

 

If the IP/Port change happens on the connection between user and Proxy, please let me know the flow of traffic from user to proxy as this is something not very common.

 

Best Regards,

 

 

 

970
0 Kudos
MidwestOpe
New Contributor

Created on ‎07-28-2023 11:52 AM

Yeah, it's real funky. I'm going to try and attach a video of what I'm seeing. The "proxy" is essentially a load balanced black box it seems that redirects to the ACS...somewhow.

 

I've taken to going to the location physically and logging in to port forward certain requests to the ACS. But, it'd be nice to get this functionality working without having to whitelist the whole internet (because the IP/port combo changes so frequently).black_box_proxy.gif

937
0 Kudos
saneeshpv_FTNT
Staff
Staff
In response to MidwestOpe

Created on ‎07-30-2023 11:06 PM

Hi @MidwestOpe ,

 

From the video, it looks like when you access the RMC URL, the device on the other end is redirecting the user to this IP/Port and the subsequent request to this IP/port is being either blocked at your Fortigate (as you may not allow allow random ports to Untrust/Internet) or this request black holed some where. Please check fortigate logs for any traffic block for this IP or Port. If it does please try to create a Policy in FGT for testing with Destination and Service as "all".

 

Are you aware of this IP address (185.202.172.220) ? Also Please also confirm if there is any proxy in your local network.

 

Best Regards,

 

 

 

885
0 Kudos
MidwestOpe
New Contributor
In response to saneeshpv_FTNT

Created on ‎07-31-2023 05:31 AM

Yes, it's being blocked in the FortiGate and I can whitelist it - but a few hours later this IP/port combo will change requiring me to re-whitelist a new IP/port combo. That's the issue. After I'm redirected at the RMC URL, the firewall treats the new IP/port combo as a new FortiGate request, and no rules match so implicit deny is used.

872
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.