FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Staff
Article Id 193039

Description
This article describes how to configure FortiGate to act as an explicit web proxy.
FSSO (Fortinet Single Sign-On) is used as the passive authentication method: it collects user logon events from Active Directory, so users are identified by source IP without being prompted by the proxy.

Related link:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/826729/explicit-proxy-authentication

Solution

The FortiGate acts as an explicit web proxy and grants Internet access only to users authenticated through FSSO.
The settings shown here are examples and must be adapted to the local environment.
Fortinet Single Sign On settings:
The FSSO collector agent connection and the FSSO user group ("FSSO_Group1" in this example, group type fsso-service) are configured before the steps below; the proxy policy in step 5 references that group.

1) Enable Explicit Proxy.

From GUI:
Go to System -> Feature Visibility and enable Explicit Proxy.

From CLI:
# config system settings
    set gui-explicit-proxy enable
end
2) Enable Explicit Web Proxy.

From GUI:
Go to Network -> Explicit Proxy and enable Explicit Web Proxy.
Select the interface(s) on which the proxy listens (normally the LAN-side interface the clients reach).

From CLI:
# config web-proxy explicit
    set status enable
    set http-incoming-port 8080
end
3) Create an Authentication Scheme.

# config authentication scheme
    edit "NewFSSO"
        set method fsso
    next
end
4) Create an Authentication Rule.

# config authentication rule
    edit "AuthRule"
        set srcaddr "WindowsAD" "WindowsCLIENT"
        set sso-auth-method "NewFSSO"
    next
end
srcaddr defines which source addresses the rule matches; sso-auth-method points to the FSSO scheme created in step 3.

5) Create a Proxy Policy.

# config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "WindowsAD" "WindowsCLIENT"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "FSSO_Group1"
    next
end
"FSSO_Group1" is the FSSO user group from the Fortinet Single Sign On settings above. Because the policy carries a group, only clients whose IP the collector agent has reported as a logged-on member of that group match it; any other client is denied.

6) Configure the Browser/System for Explicit web proxy.

Point the browser or the operating system proxy setting at the IP address of the interface selected in step 2, TCP port 8080 (the http-incoming-port set there). With FSSO the user is not prompted for credentials: the client only needs to be on a source address covered by the authentication rule and the proxy policy, and logged on to the domain.
 
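The whole procedure as one CLI transcript, added here as an example; it is not taken from the original article. Assumed values: the collector agent runs on the Windows AD host 192.0.2.10 with the password FSSO-Secret, port2 is the LAN-side interface on which the proxy listens, port1 faces the Internet, the clients are in 192.0.2.0/24, and the AD group DN is the one shown (it must already have been learned from the collector agent before FSSO_Group1 can reference it). Lines starting with # are annotations, not CLI input.

```text
# --- FSSO: collector agent and FSSO user group (assumed values) ---
config user fsso
    edit "FSSO_Agent"
        set server "192.0.2.10"
        set password "FSSO-Secret"
    next
end
config user group
    edit "FSSO_Group1"
        set group-type fsso-service
        set member "CN=INTERNET_USERS,CN=USERS,DC=EXAMPLE,DC=LOCAL"
    next
end

# --- Address objects referenced by the rule and the policy (assumed) ---
config firewall address
    edit "WindowsAD"
        set subnet 192.0.2.10 255.255.255.255
    next
    edit "WindowsCLIENT"
        set subnet 192.0.2.0 255.255.255.0
    next
end

# --- Step 1: make the explicit proxy visible in the GUI ---
config system settings
    set gui-explicit-proxy enable
end

# --- Step 2: enable the explicit web proxy and its listening interface ---
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
end
config system interface
    edit "port2"
        set explicit-web-proxy enable
    next
end

# --- Step 3: authentication scheme using FSSO (passive) ---
config authentication scheme
    edit "NewFSSO"
        set method fsso
    next
end

# --- Step 4: authentication rule binding the scheme to the client addresses ---
config authentication rule
    edit "AuthRule"
        set srcaddr "WindowsAD" "WindowsCLIENT"
        set sso-auth-method "NewFSSO"
    next
end

# --- Step 5: proxy policy; the group makes identification mandatory ---
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "WindowsAD" "WindowsCLIENT"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "FSSO_Group1"
        set logtraffic all
    next
end
```

The interface setting under config system interface is the CLI equivalent of selecting the listening interface in the GUI in step 2; without it the proxy does not accept connections on that interface. logtraffic all is optional and only there so that accepted and denied proxy sessions appear in the forward traffic log for verification.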
7) Monitoring.

# diag firewall auth list
Lists the authenticated users with their IP address, user name, groups and the policy that admitted them. Note that g_id and pol_id in this output are dynamic and can change when other policies with different address objects are hit.
The same information is shown in the GUI under the Monitoring widget (starting with 6.4) or the Monitor section (6.2 and lower).

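Additional verification commands for the FSSO side of the setup, added here as an example and not part of the original article. They are run on the FortiGate CLI; the order follows the path a logon takes, from the collector agent to the proxy daemon. Lines starting with # are annotations.

```text
# Is the collector agent reachable and is the connection up?
diagnose debug authd fsso server-status

# Logon events received from the collector agent (user, IP, groups);
# a client missing here cannot match the FSSO group in the proxy policy
diagnose debug authd fsso list

# Force the FortiGate to re-read the logon table from the collector agent
diagnose debug authd fsso refresh-logons

# Users currently known to the proxy daemon (WAD), which handles explicit proxy sessions
diagnose wad user list

# Firewall authentication table (the view used in the monitoring step above)
diagnose firewall auth list
```

When a client is denied although it is logged on, compare the three lists in that order: a user present in the authd list but absent from the WAD list usually indicates that the authentication rule in step 4 does not cover the client's source address.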
Related Articles

Technical Tip: FSSO advanced mode with explicit proxy
