Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiProxy 7.6.2 Administration Guide
    7.6.2
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.0
    7.0.19
    7.0.17
    7.0.0
    2.0.0
    1.2.0
    1.1.0
    1.0.0

    Secure explicit proxy with client certificates

    Secure explicit proxy with client certificates

    The explicit web proxy policy can use client certificates for validation. In this example, a CA signs a client certificate. The client certificate is installed on an endpoint, and the root CA is imported to FortiGate. A web proxy policy is configured to require the client certificate.

    When the user accesses a web site, the explicit web proxy policy uses the client certificate from the endpoint device to authenticate the user and grant access to the web site.

    To configure client certificates with explicit proxies:

    1. Prepare the certificate:

      1. Use a CA to sign the client certificate.

      2. Import the root CA certificate that signed the client certificate to FortiProxy. In this scenario, the certificate is Fortinet_SSL.

      3. Install the client certificate on an endpoint.

    2. Configure the explicit web-proxy policy to request the client certificate from the endpoint.

      config web-proxy explicit-proxy
					       edit "web-proxy"
					set status enable
					set interface "any"
					set secure-web-proxy enable
					set http-incoming-port 8080
					set secure-web-proxy-cert "Fortinet_SSL"
					next
				end
      config firewall access-proxy
					edit "httpsvip"
					set vip "httpsvip"
					set client-cert enable 
					set empty-cert-action block
					config api-gateway
					edit 1
					config realservers
					edit 1
					set ip 10.100.1.78
					next
					end
					next
					end
					next
					end

    3. Configure verification of the client certificate with the Fortinet_SSL CA.

      config authentication setting
					    set user-cert-ca "Fortinet_CA_SSL"
				end

    When the user accesses a web site:

    1. FortiProxy requests client certificate authentication, and the web browser displays the available certificates. The user selects a client certificate and clicks OK.

    2. Once the client certificate is successfully verified against the root CA certificate imported on the FortiProxy, access to the web site is granted.

      When the endpoint device fails to present a client certificate, a message is displayed, and access to the web site is blocked.

    Previous
    Next

    Secure explicit proxy with client certificates

    Secure explicit proxy with client certificates

    The explicit web proxy policy can use client certificates for validation. In this example, a CA signs a client certificate. The client certificate is installed on an endpoint, and the root CA is imported to FortiGate. A web proxy policy is configured to require the client certificate.

    When the user accesses a web site, the explicit web proxy policy uses the client certificate from the endpoint device to authenticate the user and grant access to the web site.

    To configure client certificates with explicit proxies:

    1. Prepare the certificate:

      1. Use a CA to sign the client certificate.

      2. Import the root CA certificate that signed the client certificate to FortiProxy. In this scenario, the certificate is Fortinet_SSL.

      3. Install the client certificate on an endpoint.

    2. Configure the explicit web-proxy policy to request the client certificate from the endpoint.

      config web-proxy explicit-proxy
					       edit "web-proxy"
					set status enable
					set interface "any"
					set secure-web-proxy enable
					set http-incoming-port 8080
					set secure-web-proxy-cert "Fortinet_SSL"
					next
				end
      config firewall access-proxy
					edit "httpsvip"
					set vip "httpsvip"
					set client-cert enable 
					set empty-cert-action block
					config api-gateway
					edit 1
					config realservers
					edit 1
					set ip 10.100.1.78
					next
					end
					next
					end
					next
					end

    3. Configure verification of the client certificate with the Fortinet_SSL CA.

      config authentication setting
					    set user-cert-ca "Fortinet_CA_SSL"
				end

    When the user accesses a web site:

    1. FortiProxy requests client certificate authentication, and the web browser displays the available certificates. The user selects a client certificate and clicks OK.

    2. Once the client certificate is successfully verified against the root CA certificate imported on the FortiProxy, access to the web site is granted.

      When the endpoint device fails to present a client certificate, a message is displayed, and access to the web site is blocked.

    Previous
    Next