
Adding Web Isolation Profile from FortiIsolator to FortiProxy


FortiIsolator supports adding a web isolation profile from FortiIsolator to FortiProxy.

FortiIsolator setup

To download FortiIsolator CA certificate:
  1. Connect to FortiIsolator.
  2. Go to Dashboard > System Information > Isolator CA Certificate > Backup/Restore.
  3. Back up the CA certificates by pressing Click here. Save the ca.tgz file to your local system.
  4. Unzip ca.tgz. You get 3 files under a new folder; these files will be used later when configuring FortiProxy.
To configure default policy:
  1. Set the Guest Type to guest only.
  2. Set Default Isolator Profile Name to system_default.
  3. Click OK.
Note

FortiProxy Header content must be named consistently with the FortiIsolator Profile name that is selected in FortiIsolator Default Policy setting.

The example below uses the profile name "system_default". The FortiProxy header content, the FortiIsolator Isolator Profile Name, and the FortiIsolator Default Isolator Profile all use this same profile name.

Example

FortiProxy setup

To enable explicit web proxy on FortiProxy:
  1. Connect to the FortiProxy portal GUI and go to Network > Interfaces > Port2.
  2. Set Explicit Web Proxy to Enable.
  3. Click OK.
To import FortiIsolator CA certificate and create a new SSL/SSH inspection profile:
  1. Import FortiIsolator CA Certificate:
    1. Connect to FortiProxy portal GUI by going to System > Certificates > Import > CA Certificate.
    2. Set Type as File.
    3. Upload: browse to where you saved the FortiIsolator CA certificate and select ca.crt.
    4. Click OK.
      Note

      Doing so ensures that FortiProxy will trust FortiIsolator when dealing with HTTPS traffic.

    5. Go to System > Certificates > Import > Local Certificate.
    6. Type: Certificate
    7. Certificate file: ca.crt
    8. Key file: ca.key
    9. Certificate name: FIS_CA_Cert
    10. Leave everything else as it is.
    11. Click OK.
      Note

      Doing so ensures that FortiProxy can use SSL Deep Inspection.

  2. Create Web Proxy Profile:
    1. Go to Policy & Objects > Web Proxy Profile > Create New.

      Name: FIS-read-only

      Header Client IP: pass

      Header Via Request: pass

      Header Via Response: pass

      Header X Forwarded For: add

      Header Front End Https: pass

      Header X Authenticated User: pass

      Header X Authenticated Groups: pass

      Strip Encoding: Disable

      Log Header Change: Disable

    2. Go to Header > Create New.

      ID: 1

      Name: fis-isolator-profile

      Action: add-to-request

      Header Content: system_default

      Base64 Encoding: Disable

      Add Option: new

      Protocol: HTTP HTTPS

  3. Create SSL/SSH Inspection Profile:
    1. Go to Security Profiles > SSL/SSH Inspection > Create New.

      Name: deep_inspection2

      CA Certificate: FIS_CA_Cert

      Leave everything else as is.

    2. Click OK.
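
The Note in the FortiIsolator setup requires the FortiProxy header content to be consistent with the FortiIsolator Default Isolator Profile Name. One way to check this offline against a FortiProxy configuration backup, as an added example that is not Fortinet's code: the backup layout and key names in the constructed sample are assumptions that mirror the GUI fields above.

```python
# Constructed sample backup; CLI layout and key names are assumptions mirroring the GUI fields.
SAMPLE_CONFIG = """
config web-proxy profile
    edit "FIS-read-only"
        config headers
            edit 1
                set name "fis-isolator-profile"
                set action add-to-request
                set content "system_default"
                set base64-encoding disable
                set protocol https http
            next
        end
    next
end
"""

def parse_headers(config_text, profile):
    """Return {header name: {setting: value}} for one web proxy profile."""
    want = ["web-proxy profile", profile, "headers"]
    headers, stack, entry = {}, [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        words = line.split(None, 2) or [""]
        # True only while inside an "edit N" entry of this profile's header table.
        in_header = len(stack) == 4 and stack[:3] == want
        if words[0] in ("config", "edit") and len(words) > 1:
            stack.append(line.split(None, 1)[1].strip('"'))
            entry = {}
        elif words[0] in ("next", "end") and stack:
            if in_header and "name" in entry:
                headers[entry["name"]] = entry
            stack.pop()
        elif words[0] == "set" and in_header and len(words) == 3:
            entry[words[1]] = words[2].strip('"')
    return headers

def check_isolator_header(config_text, profile, isolator_profile_name):
    """Return a list of problems; an empty list means the names are consistent."""
    hdr = parse_headers(config_text, profile).get("fis-isolator-profile")
    if hdr is None:
        return [f"profile {profile!r} has no fis-isolator-profile header"]
    problems = []
    if hdr.get("action") != "add-to-request":
        problems.append(f"action is {hdr.get('action')!r}, expected add-to-request")
    if hdr.get("base64-encoding", "disable") != "disable":  # absent treated as disabled (assumption)
        problems.append("base64 encoding is enabled, so the name is not sent as plain text")
    if hdr.get("content") != isolator_profile_name:
        problems.append(f"header content {hdr.get('content')!r} != {isolator_profile_name!r}")
    return problems
```

Call `check_isolator_header(backup_text, "FIS-read-only", "system_default")` with the name set in the FortiIsolator default policy; the comparison is exact, so a difference in case or spacing is reported.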
Create Isolator Server
  1. Go to Policy & Objects > Isolator Server > Create New.

    Name: FIS

    Comments: FortiIsolator

    Address Type: IP

    IP: 192.168.1.18

    Port: 8888

  2. Click OK.
Create Explicit Web Proxy Policy

To create a policy to isolate Unrated/Malicious websites:

  1. Go to Policy & Objects > Policy > Create New.

    Type: Explicit

    Name: FortiProxy_FIS

    Explicit Web Proxy: web-proxy

    Outgoing Interface: Internet(port1)

    Source: all

    Destination: all

    Schedule: always

    Application/Service: webproxy1

    Action: ISOLATE

    Isolator Server: FIS

    Webproxy Profile: FIS-read-only

    SSL/SSH Inspection: deep_inspection2

    Log Allow Traffic: All Sessions

    Log HTTP Transaction: Enable

    Enable this policy: Enable

    Leave the rest as it is.

  2. Click OK.

For more information about FortiProxy setup, see the following topics in the FortiProxy Administration Guide:
