FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jheadley_FTNT
Description
By default, explicit proxy users have the ability to browse an HTTP or HTTPS website on any destination port, such as http://portquiz.net:81/.

However, configuring the FortiOS explicit proxy to only allow requests for certain destination ports and/or protocols is often desired for an organization with more strict security requirements.

This article describes how to use the CLI to modify an existing explicit proxy firewall policy to meet these requirements.

Note that the explicit proxy “listening port” will not be restricted on the user <-> proxy side of the connection, for example port 8080, but instead restricting the proxy <-> website side of the connection that is made based on the user’s request in the web browser.

Scope
FortiGates running FortiOS 5.2, 5.4, or 5.6 that have explicit proxy feature enabled and configured.

Solution
Solution – GUI Method

All screenshots and CLI commands are taken from FortiOS 5.6.2.

1.)  Under Policy & Objects > Services, create the explicit proxy service objects representing the protocols and/or destination ports for which the explicit proxy is to allow traffic.

jheadley_FD40714_tn_FD40714-1.jpg

2.)  Identify the existing explicit proxy policy ID number that is to be restricted under Policy & Objects > Proxy Policy.

Note that on FortiOS 5.4 and 5.2, this is under Policy & Objects > Explicit Proxy Policy

jheadley_FD40714_tn_FD40714-2.jpg

3.)  Use the CLI to modify the default service object on the explicit proxy policy to the new service object that was created in step 1.

Note that in FortiOS 5.2 and 5.4, the configuration is done under “config firewall explicit-proxy-policy” instead of “config firewall proxy-policy”
    config firewall proxy-policy
        edit 1
            set service "proxy-http-80" "proxy-connect-443"
        next
    end


Solution – CLI Method

1.)  Create the explicit proxy service objects representing the protocols and/or destination ports for which the explicit proxy is to allow traffic.
    config firewall service custom
        edit "proxy-http-80"
            set proxy enable
            set protocol HTTP
            set tcp-portrange 80
        next
    edit "proxy-connect-443"
           set proxy enable
           set protocol CONNECT
           set tcp-portrange 443
        next
    end

2.)  Identify the existing explicit proxy policy ID number that is to be restricted.

Note that in FortiOS 5.2 and 5.4, the configuration is done under “config firewall explicit-proxy-policy” instead of “config firewall proxy-policy”
    config firewall proxy-policy
    show

3.)  Use the CLI to modify the default service object on the explicit proxy policy to the new service object that was created in step 1.

Note that in FortiOS 5.2 and 5.4, the configuration is done under “config firewall explicit-proxy-policy” instead of “config firewall proxy-policy”
    config firewall proxy-policy
        edit {policy ID number}
            set service "proxy-http-80" "proxy-connect-443"
        next
    end

Contributors