Forward proxy configuration

6.0.0

This example describes how to configure web caching of HTTP and HTTPS for users on a private network connecting to the Internet.

Network topology and assumptions

This example includes a client network with subnet address 10.31.101.0 connecting to web servers on the Internet. All of the users on the private network access the Internet through a single general security policy on the FortiGate unit that accepts all sessions connecting to the Internet. Web caching for HTTP and HTTPS traffic is added to this security policy.

Because users on the private network have unrestricted access to the Internet and may be accessing many web servers, webcache-https is set to any, and users may see error messages in their web browsers when accessing HTTPS content.

The GUI is less versatile than the CLI so the example instructions for the GUI give settings for one port for each protocol, while the CLI example shows how to use multiple ports.

The example also describes how to configure the security policy to cache HTTP traffic on port 80 and 8080 in the CLI, by adding a proxy options profile that looks for HTTP traffic on TCP ports 80 and 8080. The example also describes how to configure the security policy to cache HTTPS traffic on port 443 and 8443 using the same proxy options profile.

Example web caching topology

General configuration steps

This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:

  1. Add HTTP web caching to the security policy that all users on the private network use to connect to the Internet.
  2. Add HTTPS web caching.
  3. Add a protocol options profile to look for HTTP traffic on ports 80 and 8080 and HTTPS traffic on ports 443 and 8443 and add this protocol options profile to the security policy.

If you perform any additional actions between procedures, your configuration may have different results.

Configuration steps - GUI

Use the following steps to configure the example configuration from the FortiGate GUI.

To add HTTP web caching to a security policy
  1. Go to Policy & Objects > IPv4 Policy and add a security policy that allows all users on the internal network to access the Internet.
    Incoming Interface    Internal
    Outgoing Interface    wan1
    Source                all
    Destination           all
    Schedule              always
    Service               ALL
    Action                ACCEPT
  2. Toggle NAT to enabled, and select Use Outgoing Interface Address.
  3. Turn on Web cache.
  4. Select OK.
To add HTTPS web caching

From the CLI enter the following command to add HTTPS web caching to the policy. Assume the index number of the policy is 5.

    config firewall policy
        edit 5
            set webcache-https any
    end

To cache HTTP traffic on port 80 and HTTPS on 8443
  1. Go to Network > Explicit Proxy and edit the Explicit Proxy options profile.
  2. Under Explicit Web Proxy:
    • For the HTTP port, enter 80.
    • For HTTPS port, select Specify and enter 8443 in the field.
  3. Click Apply.

Note: You need to use the CLI to add the protocol options profile unless you also add a security profile that uses proxy-based inspection.

Configuration steps - CLI

Use the following steps to configure the example configuration from the FortiGate CLI.

To add HTTP and HTTPS web caching to a security policy
  1. Enter the following command to add a security policy that allows all users on the internal network to access the Internet and that includes web caching of HTTP and HTTPS traffic.

    config firewall policy
        edit 0
            set srcintf internal
            set srcaddr all
            set dstintf wan1
            set dstaddr all
            set schedule always
            set service ALL
            set action accept
            set nat enable
            set webcache enable
            set webcache-https any
    end

To cache HTTP traffic on port 80 and 8080 and HTTPS traffic on ports 443 and 8443
  1. Enter the following command to edit the default proxy options profile to configure it to look for HTTP traffic on ports 80 and 8080:

    config firewall profile-protocol-options
        edit default
            config http
                set status enable
                set ports 80 8080
            end
    end

  2. Enter the following command to edit the certificate-inspection SSL SSH options profile to configure it to look for HTTPS traffic on ports 443 and 8443:

    config firewall ssl-ssh-profile
        edit certificate-inspection
            config https
                set status certificate-inspection
                set ports 443 8443
            end
    end

  3. Enter the following command to add the default proxy options profile and the certificate-inspection SSL SSH profile to the firewall policy.

    config firewall policy
        edit 5
            set utm-status enable
            set profile-protocol-options default
            set ssl-ssh-profile certificate-inspection
    end
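
One way to confirm that step 3 was applied, shown as an added example that is not Fortinet's code: the script parses FortiOS CLI text and reports, for each policy with web caching enabled, which HTTP and HTTPS ports its attached profiles inspect. The function names, the parser and the sample are assumptions made for this illustration; policy 6 is constructed to show a web-caching policy that never had the profiles attached.

```python
import shlex

def parse(text):
    """FortiOS config/edit/set/next/end lines -> nested dicts (CLI or backup form)."""
    stack = [("config", {})]
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):
            stack.append((tok[0], stack[-1][1].setdefault(" ".join(tok[1:]), {})))
        elif tok[0] == "set":
            stack[-1][1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):  # typed "end" inside an edit closes both levels
            del stack[-2 if tok[0] == "end" and stack[-1][0] == "edit" else -1:]
    return stack[0][1]

def audit(cfg):
    """Per web-caching policy: inspected ports per protocol (None = no profile attached)."""
    report = {}
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("webcache") == ["enable"]:
            out = report[pid] = {}
            for key, sub in (("profile-protocol-options", "http"), ("ssl-ssh-profile", "https")):
                prof = cfg.get("firewall " + key, {}).get(pol.get(key, [""])[0], {})
                out[sub] = prof.get(sub, {}).get("ports", []) if key in pol else None
    return report

# Constructed sample: this page's CLI steps for policy 5, plus an unfinished policy 6.
SAMPLE = """
config firewall profile-protocol-options
edit default
config http
set ports 80 8080
end
end
config firewall ssl-ssh-profile
edit certificate-inspection
config https
set ports 443 8443
end
end
config firewall policy
edit 5
set webcache enable
set profile-protocol-options default
set ssl-ssh-profile certificate-inspection
next
edit 6
set webcache enable
end
"""
```

Calling `audit(parse(SAMPLE))` returns the port lists for policy 5 and `None` for both protocols on policy 6; an empty list means a profile is attached but defines no ports in the parsed text.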
