During this exercise you will configure the FortiGate to be an explicit web proxy. You will also
configure the FortiGate to authenticate explicit web proxy users and allow Internet access to only one user.
After that, you will manually configure Firefox with the proxy IP address and port.
Un-hiding the Explicit Web Proxy Setting
Explicit web proxy settings are hidden from the GUI by default. You will un-hide them.
To un-hide the explicit web proxy setting
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at 10.0.1.254.
2. Go to System > Feature Select.
3. Under Security Features, enable Explicit Proxy.
4. Click Apply.
Enabling Explicit Web Proxy
You will enable explicit web proxy on the network setting.
To enable explicit web proxy
1. In the Local-FortiGate GUI, go to Network > Explicit Proxy.
2. Enable Explicit Web Proxy.
3. For HTTPS port, select Use HTTP Port.
4. Click Apply.
Enabling Explicit Web Proxy on an Interface
You will specify which internal interface the explicit web proxy will listen on.
To enable explicit web proxy on an interface
1. In the Local-FortiGate GUI, go to Network > Interfaces.
2. Edit the interface port3.
3. Enable the option Enable Explicit Web Proxy.
4. Click OK.
DO NOT REPRINT
© FORTINET
LAB 8–Explicit Web Proxy
Creating an Explicit Proxy Policy
You will create the policy to allow explicit proxy traffic to the Internet. Only the user student will be allowed to browse the Internet through the proxy.
To create an explicit proxy policy
1. In the Local-FortiGate GUI, go to Policy & Objects > Explicit Proxy Policy.
2. Click Create New.
3. Configure these settings:
Field                  Value
Explicit Proxy Type    Web
Enabled On             port3
Outgoing Interface     port1
Source Address         LOCAL_SUBNET
Destination Address    all
Action                 AUTHENTICATE
4. Click Create New to add an authentication rule:
5. Configure the following settings:
Field           Value
Users/Groups    student
Schedule        always
6. Click OK.
7. Click OK.
Configuring Firefox for Explicit Web Proxy
You have configured the Local-FortiGate as an explicit web proxy. Now you will configure Firefox to use it.
To configure Firefox for explicit web proxy
1. On the Local-Windows VM, open Firefox.
2. Click the Open Menu icon in the top right corner:
3. Select Options:
4. Go to the Advanced > Network tab.
5. Click Settings:
6. Select Manual proxy configuration and enter:
Field         Value
HTTP Proxy    10.0.1.254
Port          8080
7. Enable the option Use this proxy server for all protocols.
8. Add the subnet 10.0.1.0/24 (separated from the existing entries by a comma) to the No Proxy for list. This list contains the names, IP addresses, and subnets of web sites that are exempted from using the proxy:
9. Click OK.
10. Close Firefox and open it again.
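The No Proxy for list decides, per request, whether Firefox sends the request straight to the server or to the proxy at 10.0.1.254:8080. The following added example (not part of the lab guide or of Firefox) reproduces that decision in Python so you can check which lab URLs will actually traverse the FortiGate: hostnames are matched as domain suffixes and IP literals against CIDR entries, which is a simplified approximation of Firefox's own matching rules. The list entries localhost and 127.0.0.1 are assumed defaults; only 10.0.1.0/24 comes from the lab.

```python
import ipaddress
from urllib.parse import urlsplit

# Values from the lab: Firefox manual proxy configuration.
PROXY_HOST = "10.0.1.254"
PROXY_PORT = 8080

# "No Proxy for" list: localhost and 127.0.0.1 are assumed Firefox defaults,
# 10.0.1.0/24 is the subnet the lab adds (step 8).
NO_PROXY_FOR = ["localhost", "127.0.0.1", "10.0.1.0/24"]


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def bypasses_proxy(host, no_proxy=NO_PROXY_FOR):
    """Return True if Firefox would connect to host directly (DIRECT)."""
    host = host.lower().rstrip(".")
    for entry in no_proxy:
        entry = entry.strip().lower()
        if not entry:
            continue
        if "/" in entry:
            # CIDR entry: only meaningful when the URL host is an IP literal;
            # a hostname is never resolved here, so it cannot match a subnet.
            if _is_ip_literal(host):
                net = ipaddress.ip_network(entry, strict=False)
                if ipaddress.ip_address(host) in net:
                    return True
            continue
        if _is_ip_literal(entry):
            if host == entry:
                return True
            continue
        # Plain name: exact match or domain-suffix match (".example.org").
        suffix = entry.lstrip(".")
        if host == suffix or host.endswith("." + suffix):
            return True
    return False


def route_for(url, no_proxy=NO_PROXY_FOR):
    """Return 'DIRECT' or 'PROXY host:port' for a URL, PAC-style."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("URL has no host: %r" % url)
    if bypasses_proxy(host, no_proxy):
        return "DIRECT"
    return "PROXY %s:%d" % (PROXY_HOST, PROXY_PORT)


if __name__ == "__main__":
    for u in ("http://10.0.1.254/", "http://cve.mitre.org/",
              "http://www.eicar.org/", "http://localhost:8000/"):
        print(u, "->", route_for(u))
```

The FortiGate GUI at 10.0.1.254 and anything else on 10.0.1.0/24 stay reachable without the proxy, while every external site is sent to 10.0.1.254:8080 where the explicit proxy policy and its authentication rule apply. Note that a hostname that resolves into 10.0.1.0/24 still goes through the proxy, because the bypass check never performs DNS resolution.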
Testing the Explicit Web Proxy Configuration
You will test the explicit web proxy configuration.
To test the explicit web proxy configuration
1. From Local-Windows VM, open Firefox and browse to any HTTP web site, such as:
http://www.pearsonvue.com/fortinet/
http://cve.mitre.org
http://www.eicar.org
2. FortiGate will ask for authentication. Use these credentials:
Field        Value
User Name    student
Password     fortinet
After that, you should have Internet access through the explicit web proxy.
Listing the Active Explicit Web Proxy Users
You will execute a CLI command to display the list of active explicit web proxy users.
To list the active explicit web proxy users
1. In the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved session (connect over SSH).
2. Type the following CLI command to check the list of active web proxy users:
# diagnose wad user list
3. You can also check this list from the GUI, by going to Monitor > Firewall User Monitor.
Listing the Active Explicit Web Proxy Sessions
For each explicit web proxy connection to a web site, two TCP connections are usually created: one from the client to the proxy, and another one from the proxy to the server.
You will run some debug commands to list the sessions established between the client and the proxy; then the sessions established between the proxy and the servers.
To list the active explicit web proxy sessions between the client and the proxy
1. In the Local-Windows VM, open a few tabs in Firefox and generate some HTTP traffic, such as:
http://www.pearsonvue.com/fortinet/
http://cve.mitre.org
http://www.eicar.org
2. From the Local-FortiGate CLI, type these CLI commands while browsing some HTTP sites:
diagnose sys session filter clear
diagnose sys session filter dport 8080
diagnose sys session list
You can also use the grep command to display only the source and destination IP addresses and ports for each session:
diagnose sys session list | grep hook=pre
Why is the source IP address of all those sessions 10.0.1.10? Why is the destination IP address of all those sessions 10.0.1.254? Why don't we see any public IP address listed in those sessions?
To list the active explicit web proxy sessions between the proxy and the servers
1. In the Local-Windows VM, open a few tabs in Firefox and generate some HTTP traffic, such as:
http://www.pearsonvue.com/fortinet/
http://cve.mitre.org
http://www.eicar.org
2. From the Local-FortiGate CLI, type these CLI commands while browsing some HTTP sites:
diagnose sys session filter clear
diagnose sys session filter dport 80
diagnose sys session list | grep hook=out
Why is the source IP address of all these sessions 10.200.1.1? Why don't we see the IP address of the Windows server (10.0.1.10)?
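The two procedures above look at the two legs of every proxied connection separately: client-to-proxy sessions (grep hook=pre, destination port 8080) and proxy-to-server sessions (grep hook=out, destination port 80). The following added example, which is not part of the lab guide or of FortiOS, parses session-list output in Python and sorts each session into one of those legs using the lab's addresses (proxy listener 10.0.1.254:8080, outgoing interface 10.200.1.1, client subnet 10.0.1.0/24). The sample output is constructed: the hook= lines follow the shape the lab greps for, the session info lines are abbreviated, 203.0.113.0/24 is a documentation range standing in for public web servers, and the last session is an invented direct-to-Internet flow included to show how a client that is not using the proxy would stand out.

```python
import ipaddress
import re
from collections import Counter

# Lab topology: explicit proxy listens on port3 (10.0.1.254:8080); the
# outgoing interface port1 is 10.200.1.1; clients live in 10.0.1.0/24.
PROXY_IP = ipaddress.ip_address("10.0.1.254")
PROXY_PORT = 8080
OUTGOING_IP = ipaddress.ip_address("10.200.1.1")
LAN = ipaddress.ip_network("10.0.1.0/24")

# Constructed sample of 'diagnose sys session list' output (see lead-in).
SESSION_LIST = """\
session info: proto=6 proto_state=01 duration=12 expire=3587 timeout=3600
hook=pre dir=org act=noop 10.0.1.10:50112->10.0.1.254:8080(0.0.0.0:0)
hook=post dir=reply act=noop 10.0.1.254:8080->10.0.1.10:50112(0.0.0.0:0)
session info: proto=6 proto_state=01 duration=10 expire=3589 timeout=3600
hook=pre dir=org act=noop 10.0.1.10:50113->10.0.1.254:8080(0.0.0.0:0)
hook=post dir=reply act=noop 10.0.1.254:8080->10.0.1.10:50113(0.0.0.0:0)
session info: proto=6 proto_state=01 duration=11 expire=3588 timeout=3600
hook=out dir=org act=noop 10.200.1.1:41208->203.0.113.20:80(0.0.0.0:0)
hook=in dir=reply act=noop 203.0.113.20:80->10.200.1.1:41208(0.0.0.0:0)
session info: proto=6 proto_state=01 duration=9 expire=3590 timeout=3600
hook=out dir=org act=noop 10.200.1.1:41209->203.0.113.55:80(0.0.0.0:0)
hook=in dir=reply act=noop 203.0.113.55:80->10.200.1.1:41209(0.0.0.0:0)
session info: proto=6 proto_state=01 duration=3 expire=3596 timeout=3600
hook=post dir=org act=snat 10.0.1.10:50200->203.0.113.77:80(10.200.1.1:50200)
hook=pre dir=reply act=dnat 203.0.113.77:80->10.200.1.1:50200(10.0.1.10:50200)
"""

# One hook line: hook=<name> dir=<org|reply> act=<action> src:sport->dst:dport(...)
HOOK_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=\w+ "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_flows(text):
    """Return one dict per hook= line, with addresses and ports typed."""
    flows = []
    for m in HOOK_RE.finditer(text):
        d = m.groupdict()
        d["src"] = ipaddress.ip_address(d["src"])
        d["dst"] = ipaddress.ip_address(d["dst"])
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        flows.append(d)
    return flows


def classify(flow):
    """Name the proxy leg an original-direction flow belongs to.

    Reply-direction lines mirror the original and are ignored (None).
    """
    if flow["dir"] != "org":
        return None
    if flow["dst"] == PROXY_IP and flow["dport"] == PROXY_PORT:
        return "client->proxy"      # browser talking to the listener on port3
    if flow["src"] == OUTGOING_IP:
        return "proxy->server"      # FortiGate fetching on the client's behalf
    if flow["src"] in LAN and flow["dst"] not in LAN:
        return "bypass"             # LAN host reaching outside without the proxy
    return "other"


def summarize(text):
    """Count original-direction sessions per leg."""
    counts = Counter()
    for flow in parse_flows(text):
        leg = classify(flow)
        if leg is not None:
            counts[leg] += 1
    return dict(counts)


def endpoints(text, leg):
    """Sorted, de-duplicated 'src->dst:dport' pairs for one leg."""
    pairs = set()
    for flow in parse_flows(text):
        if classify(flow) == leg:
            pairs.add("%s->%s:%d" % (flow["src"], flow["dst"], flow["dport"]))
    return sorted(pairs)


if __name__ == "__main__":
    print(summarize(SESSION_LIST))
    for leg in ("client->proxy", "proxy->server", "bypass"):
        print(leg, endpoints(SESSION_LIST, leg))
```

Run against the sample, every client-side session is 10.0.1.10 to 10.0.1.254:8080 and carries no public address, because the browser only ever opens a TCP connection to the proxy; every server-side session is sourced from 10.200.1.1, because the FortiGate opens its own connection to the web server, so the client address never appears on that leg. A session counted as bypass is worth investigating: it means a 10.0.1.0/24 host reached the Internet through a regular firewall policy rather than the explicit proxy policy, and therefore without the authentication rule applied.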