Forward proxy configuration
This example describes how to configure web caching of HTTP and HTTPS for users on a private network connecting to the Internet.
Network topology and assumptions
This example includes a client network with subnet address 10.31.101.0 connecting to web servers on the Internet. All of the users on the private network access the Internet through a single general security policy on the FortiGate unit that accepts all sessions connecting to the Internet. Web caching for HTTP and HTTPS traffic is added to this security policy.
Since users on the private network have unrestricted access to the Internet and may be accessing many different web servers, webcache-https is set to any, and users may see error messages in their web browsers when accessing HTTPS content.
The GUI is less versatile than the CLI, so the GUI instructions give settings for one port per protocol, while the CLI example shows how to use multiple ports.
The example also describes how to configure the security policy in the CLI to cache HTTP traffic on ports 80 and 8080, by adding a proxy options profile that looks for HTTP traffic on TCP ports 80 and 8080. It also describes how to configure the security policy to cache HTTPS traffic on ports 443 and 8443 using the same proxy options profile.
Example web caching topology
General configuration steps
This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:
- Add HTTP web caching to the security policy that all users on the private network use to connect to the Internet.
- Add HTTPS web caching.
- Add a protocol options profile to look for HTTP traffic on ports 80 and 8080 and HTTPS traffic on ports 443 and 8443, and add this protocol options profile to the security policy.
If you perform any additional actions between procedures, your configuration may have different results.
Configuration steps - GUI
Use the following steps to configure the example configuration from the FortiGate GUI.
To add HTTP web caching to a security policy
- Go to Policy & Objects > IPv4 Policy and add a security policy that allows all users on the internal network to access the Internet, with the following settings:
  Incoming Interface: Internal
  Outgoing Interface: wan1
  Source: all
  Destination: all
  Schedule: always
  Service: ALL
  Action: ACCEPT
- Toggle NAT to enabled, and select Use Outgoing Interface Address.
- Turn on Web cache.
- Select OK.
To add HTTPS web caching
From the CLI enter the following command to add HTTPS web caching to the policy. Assume the index number of the policy is 5.
config firewall policy
edit 5
set webcache-https any
end
To cache HTTP traffic on port 80 and HTTPS on 8443
- Go to Network > Explicit Proxy and edit the Explicit Proxy options profile.
- Under Explicit Web Proxy:
  - For the HTTP port, enter 80.
  - For the HTTPS port, select Specify and enter 8443 in the field.
- Click Apply.
You need to use the CLI to add the protocol options profile unless you also add a security profile that uses proxy-based inspection.
Configuration steps - CLI
Use the following steps to configure the example configuration from the FortiGate CLI.
To add HTTP and HTTPS web caching to a security policy
- Enter the following command to add a security policy that allows all users on the internal network to access the Internet and that includes web caching of HTTP and HTTPS traffic.
config firewall policy
    edit 0
        set srcintf internal
        set srcaddr all
        set dstintf wan1
        set dstaddr all
        set schedule always
        set service ALL
        set action accept
        set nat enable
        set webcache enable
        set webcache-https any
    end
To cache HTTP traffic on port 80 and 8080 and HTTPS traffic on ports 443 and 8443
- Enter the following command to edit the default proxy options profile so that it looks for HTTP traffic on ports 80 and 8080:
config firewall profile-protocol-options
    edit default
        config http
            set status enable
            set ports 80 8080
        end
    next
end
- Enter the following command to edit the certificate-inspection SSL/SSH profile so that it looks for HTTPS traffic on ports 443 and 8443:
config firewall ssl-ssh-profile
    edit certificate-inspection
        config https
            set status certificate-inspection
            set ports 443 8443
        end
    next
end
- Enter the following command to add the default proxy options profile and the certificate-inspection SSL/SSH profile to the firewall policy (again assuming the policy index is 5):
config firewall policy
    edit 5
        set utm-status enable
        set profile-protocol-options default
        set ssl-ssh-profile certificate-inspection
    end
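Because the policy above caches HTTPS for every destination from an any-to-any source (the page notes this can produce browser error messages on HTTPS sites), it is worth being able to audit a configuration dump for exactly this combination and to confirm which ports the profiles actually cover. The following script is an added example, not Fortinet's code or part of the page: it parses the nested config/edit/set/next/end structure used in the CLI blocks above and reports the findings. The SAMPLE_CONFIG text is constructed from the settings on this page; the function names and the report format are this example's own.

```python
"""Audit a FortiOS-style configuration dump for web-cache policy settings.

Added example (not Fortinet code). It parses the nested config / edit / set /
next / end blocks shown on the page and reports policies that cache HTTPS for
any destination (webcache-https any) together with the ports the proxy options
and SSL/SSH profiles are configured to look at.
"""
import shlex

# Constructed sample: the policy and profiles from this page as they would
# appear in a config dump. The index (5) and profile names are the page's.
SAMPLE_CONFIG = """
config firewall policy
    edit 5
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
        set webcache enable
        set webcache-https any
    next
end
config firewall profile-protocol-options
    edit "default"
        config http
            set ports 80 8080
            set status enable
        end
    next
end
config firewall ssl-ssh-profile
    edit "certificate-inspection"
        config https
            set ports 443 8443
            set status certificate-inspection
        end
    next
end
"""


def parse_fortios(text):
    """Return {table: {entry: {key: [values], sub_table: {...}}}}."""
    root = {}
    stack = [(root, "config")]  # (container, kind); kind is config or edit
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # strips the quotes FortiOS puts on values
        cmd, args = tokens[0], tokens[1:]
        current = stack[-1][0]
        if cmd == "config":
            stack.append((current.setdefault(" ".join(args), {}), "config"))
        elif cmd == "edit":
            stack.append((current.setdefault(args[0], {}), "edit"))
        elif cmd == "set":
            current[args[0]] = args[1:]
        elif cmd == "next":
            if stack[-1][1] != "edit":
                raise ValueError("'next' outside an edit block")
            stack.pop()
        elif cmd == "end":
            # 'end' closes the innermost config table; an entry still open
            # at that point is closed implicitly, as the FortiOS CLI does.
            if stack[-1][1] == "edit":
                stack.pop()
            if len(stack) == 1:
                raise ValueError("'end' without matching 'config'")
            stack.pop()
        else:
            raise ValueError(f"unknown keyword {cmd!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


def cached_ports(config):
    """Ports each proxy options / SSL-SSH profile inspects for HTTP and HTTPS."""
    http = {name: entry.get("http", {}).get("ports", [])
            for name, entry in config.get("firewall profile-protocol-options", {}).items()}
    https = {name: entry.get("https", {}).get("ports", [])
             for name, entry in config.get("firewall ssl-ssh-profile", {}).items()}
    return {"http": http, "https": https}


def audit_webcache(config):
    """Flag policies that cache HTTPS for any destination; note broad any/any scope."""
    findings = []
    for pid, pol in config.get("firewall policy", {}).items():
        if pol.get("webcache-https", ["disable"])[0] != "any":
            continue
        findings.append({
            "policy": pid,
            "any_to_any": pol.get("srcaddr") == ["all"] and pol.get("dstaddr") == ["all"],
            "ssl_ssh_profile": pol.get("ssl-ssh-profile", [None])[0],
            "note": "webcache-https any: users may see browser errors on HTTPS sites",
        })
    return findings


def audit_sample():
    """Run both checks over the constructed sample and return the results."""
    cfg = parse_fortios(SAMPLE_CONFIG)
    return cached_ports(cfg), audit_webcache(cfg)


if __name__ == "__main__":
    ports, findings = audit_sample()
    print("ports:", ports)
    for f in findings:
        print(f"policy {f['policy']}: any_to_any={f['any_to_any']} "
              f"ssl-ssh-profile={f['ssl_ssh_profile']} ({f['note']})")
```

Paste a `show firewall policy`, `show firewall profile-protocol-options` and `show firewall ssl-ssh-profile` dump in place of SAMPLE_CONFIG to run the same audit against a real configuration.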