Description
This article describes FortiOS 5.6.1 and higher that support a Redirected Transparent Web Proxy (RTWP).
While it does not have as many features as Explicit Web Proxy, this feature has the advantage that a user PAC file is not needed to support web traffic over to the proxy and one can use this feature (proxy) to apply Kerberos authentication to HTTP traffic.
General transparent proxy configuration:
https://docs.fortinet.com/document/fortigate/6.4.6/administration-guide/15908/transparent-proxy
Solution
See for example these FortiGate and Web proxy settings:
# config system global
set hostname "fgt_proxy"
end
# config system dns
set primary 208.91.112.53
set secondary 192.168.95.16
set domain "forti.lab"
end
#config web-proxy global
set proxy-fqdn "fgt_proxy.forti.lab"
end
# config firewall address
edit "fgt_proxy_portal"
set type fqdn
set fqdn "fgt_proxy.forti.lab"
next
end
Note.
Captive-portal + proxy-captive-portal must be set to support Kerberos auth.
# config system interface
edit "port2"
set vdom "root"
set ip 192.168.48.1 255.255.240.0
set allowaccess ping https ssh
set type physical
set explicit-web-proxy enable
set proxy-captive-portal enable
next
end
# config user ldap
edit "LDAP-server"
set server "192.168.95.16"
set cnid "cn"
set dn "cn=users,DC=forti,DC=lab"
set type regular
set username "CN=serge,CN=Users,DC=forti,DC=lab"
set password ENC BP8/LUK0WNuu2RHxj32zVF4ga1cKt7hwSefs5rTSkK37/
next
end
# config user krb-keytab
edit "http_service"
set principal "HTTP/fgt_proxy.forti.lab@FORTI.LAB"
set ldap-server "LDAP-server"
set keytab “QIAAABAVNlcmdlQ0FQRy5jbGZndHZtcveHkuU2” <----- In later versions this is prepended with ENC …
next
end
# config user group
edit "grp1"
set member "LDAP-server"
# config match
edit 1
set server-name "LDAP-server"
set group-name "CN=Domain Users,CN=Users,DC=forti,DC=lab"
next
end
# config firewall proxy-policy
edit 5
set proxy transparent-web
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "webproxy"
set action accept
set groups "grp1"
set utm-status enable
set profile-protocol-options "default"
set ssl-ssh-profile "certificate-inspection"
next
end
# config authentication scheme
edit "kerberos-scheme"
set method negotiate
set negotiate-ntlm disable
next
end
# config authentication rule
edit "test"
set srcaddr "lan"
set ip-based disable
set active-auth-method "kerberos-scheme"
set web-auth-cookie enable
next
end
Note.
Captive-portal + captive-portal-port must be set in Transparent Web-Proxy to support Kerberos auth.
# config authentication setting
set captive-portal "fgt_proxy_portal"
set captive-portal-port 9998
Note.
Captive portal FQDN should be resolved as FortiGate’s interface IP on both - the FortiGate and a Client.
So, referring to the above example, 'fgt_proxy.forti.lab' should resolve to port2’s IP address 192.168.48.1.
On FortiGate, it is possible to verify IP address for captive portal’s FQDN by using ping and/or the below debug commands:
# execute ping fgt_proxy.forti.lab
PING fgt_proxy.forti.lab (192.168.48.1): 56 data bytes
64 bytes from 192.168.48.1: icmp_seq=0 ttl=255 time=0.1 ms
64 bytes from 192.168.48.1: icmp_seq=1 ttl=255 time=0.0 ms
64 bytes from 192.168.48.1: icmp_seq=2 ttl=255 time=0.0 ms
64 bytes from 192.168.48.1: icmp_seq=3 ttl=255 time=0.0 ms
64 bytes from 192.168.48.1: icmp_seq=4 ttl=255 time=0.0 ms
--- fgt_proxy.forti.lab ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.1 ms
# diagnose debug enable
# diagnose test application wad 2200
Set diagnosis process: type=worker index=0 pid=183
# diagnose test application wad 106
vd 0 domain fgt_proxy.forti.lab resolved to 1 IP
192.168.48.1
Regular firewall policy configuration is different for different FortiOS versions:
5.6 – 6.0.
# config firewall policy
edit 1
set name "Internet Access"
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "Web Access"
set utm-status enable
set profile-protocol-options "WEB-PROXY"
set ssl-ssh-profile "certificate-inspection"
set nat enable
# config firewall profile-protocol-options
edit "WEB-PROXY"
# config http
set ports 80 8080
unset options
set http-policy enable
unset post-lang
next
end
6.2 and later.
# config firewall policy
edit 1
set name "Internet Access"
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "Web Access"
set inspection-mode proxy
set http-policy-redirect enable <----- Moved from the profile-protocol-options.
set ssl-ssh-profile "certificate-inspection"
set nat enable
next
end
The client PC should have a 'klist' CLI output that contains a few tickets - one should be there for HTTP/fgt_proxy.forti.lab @ FORTI.LAB, which is for the FortiGate in question.
