
Increase Web-Filter filtering capabilities with Transparent Proxy on FortiGate Firewall

TigerDao

Administrator
Staff member
Content-based web filtering is commonly used on FortiGate firewalls acting as the web proxy for corporate networks. By default, a firewall policy matches traffic on Layer 3/4 criteria and then applies whatever web-filter profile is attached to that policy. Comparing page content against FortiGuard categories happens inside the web-filter profile, not in the firewall policy itself.

Default matching in the firewall policy

By default, a FortiGate firewall policy matches traffic on the following criteria: incoming/outgoing interface, source (address, user, device), destination (address), schedule and service.


(IMG)

This behaviour works well for splitting web-filtering content across distinct user groups, where a group is identified by IP address, domain (AD) group or device type.

(IMG)

As the image above shows, two policies apply a web filter to two different user groups. Members of the security group "fsso_admins" get the web-filter profile "wf-admin-profile", and members of "fsso_domain_users" get the profile "wf-domain-users". A user who belongs to both groups receives the admin profile, because the policy carrying that profile sits higher in the list and matches first.

To use this kind of policy effectively, administrators need a well-planned Active Directory (AD) group design so that each AD group maps to a defined set of permissions on the firewall. This approach is workable as long as the web-filtering policy does not carry a large number of exceptions.


Challenges with default matching
Administrators run into certain obstacles when managing a FortiGate with the default matching behaviour. Whenever a group policy accumulates a large number of exceptions, a new web-filter profile has to be created to carry them. To illustrate the variety, take the following sub-groups:

User    Group                     Allowed list                        Denied list
user1   social-media              social-media, general               file-sharing, streaming
user2   streaming                 streaming, general                  social-media, file-sharing
user3   file-sharing              file-sharing, general               social-media, streaming
user4   file-sharing, streaming   file-sharing, streaming, general    social-media




For the table above, the admin has to create four web-filter profiles, one per combination of FortiGuard categories, and four AD security groups with distinct permissions so that each user lands on the correct IPv4 policy on the FortiGate. Once exceptions start appearing, this approach does not scale any further. Transparent Proxy offers a way out.

Extending web filtering with Transparent Proxy
FortiGate has long offered an "Explicit Proxy" function that extends the default web-filtering behaviour. It requires either configuring each host's browser to point at the FortiGate as its proxy, or distributing a PAC file that configures the browser automatically. That extra client-side setup is what keeps many admins from deploying it transparently to users. FortiOS 5.6 therefore introduced the "Transparent Proxy" feature. Fortinet describes it as follows:

"In addition to Explicit Web Proxy, FortiOS now supports Transparent Web Proxy. Although it does not have as many features as Explicit Web Proxy, Transparent Proxy has the advantage of not needing to do anything on the host to pass traffic to the proxy server. Everything is now transparent to the end user, which makes incorporating new users into the proxy structure easier than before.

You can use Transparent Proxy to apply authentication to websites using HTTP via a firewall policy. In previous versions, web authentication required using an Explicit Proxy.

Normally FortiOS authentication is based on IP address: users are identified by IP address and access is allowed or blocked by IP address. If IP-based authentication does not work on your network, you can use Transparent Web Proxy to apply authentication using the user's web browser, without knowing their IP address. This authentication method allows you to identify multiple individual users even if their connections come from the same IP address."


With this feature, FortiGate admins have an additional tool that simplifies web-filtering policies with many exceptions: a proxy policy can take one or more FortiGuard categories as a matching condition:


(IMG)

(IMG)

Now that "FortiGuard Category" is part of the matching criteria, most exception problems become far less of a concern. AD admins only need to place users in the right group for the corresponding web-filter policy on the FortiGate to apply. Because proxy policies are evaluated top to bottom in the order they appear in the policy list, a user who is not in the group named by a category-based policy simply falls through to the next policy; when the list is exhausted without a match, the default policy applies.

Below is an example of a proxy policy whose matching condition is a FortiGuard category:


(IMG)

Because the FortiGuard evaluation is part of the proxy policy, the policy can "monitor" profile activity, so matches are logged rather than only blocked.

Note: if you want the final default rule to block everything according to the FortiGuard list but still keep logs of the blocked actions, define the rule and attach the web-filter profile as shown:


(IMG)




Configure Transparent Proxy
To configure FortiGate to use the Transparent Proxy feature, follow these steps:
I./ Fortinet Single-Sign On (FSSO) configuration:


This article assumes an FSSO source (for example an FSSO Collector Agent or FortiAuthenticator) is already available and ready to connect to the FortiGate. Add the FSSO configuration so that the relevant AD user groups are forwarded into the FortiGate.
1. On the FortiGate management page, go to "User & Device > Single Sign-On".
(IMG)
2. Click "Create New".
(IMG)
3. Under Type select "Fortinet Single-Sign-On Agent". Give the FSSO entry a name in "Name", and enter the IP address or domain name together with the password in the "Primary FSSO Agent" box. Click "Apply & Refresh".
(IMG)


4. Confirm the groups received from the FSSO source by clicking "View".
(IMG)

(IMG)
5. Confirm that the "Status" column shows a green tick, as in the picture.
(IMG)


II./ Create FSSO User Groups:


1. Go to "User & Device > User Groups".

(IMG)


2. Click "Create New".
(IMG)



3. Enter a descriptive name for the group in the "Name" box.
Set Type to "Fortinet Single Sign-On (FSSO)".
Click "+" under "Members" to add the appropriate AD group.
Click "OK" to save.
(IMG)


4. Create the remaining groups required by the policies, as shown below:
(IMG)

Configure Authentication Rules

Authentication rules are used by both the Explicit and the Transparent proxy. This step is required so that proxy policies can identify and match each FSSO group correctly.


1. Connect to the FortiGate CLI and run the following commands:

config authentication scheme
    edit "authscheme"
        set method fsso
    next
end
config authentication setting
    set sso-auth-scheme "authscheme"
end
config authentication rule
    edit "fsso"
        set srcaddr "all"
        set sso-auth-method "authscheme"
    next
end
(IMG)

Enable the proxy feature

To configure Transparent Proxy via the GUI, follow these steps:

1. Go to "System > Feature Visibility" and enable the "Explicit Proxy" feature.
(IMG)
2. Go to "Network > Explicit Proxy".
3. Configure the settings as shown below, then click "OK".
(IMG)

Configure the FortiGuard category address object

A proxy address object lets a FortiGuard category be referenced in a proxy policy, so that the FortiGate can use the category as a matching condition in the proxy rule set. To configure the address object:

1. Go to "Policy & Objects > Addresses" and click "Create New".
2. Under Category select "Proxy Address".
Give the object a name in "Name".
Type: select "URL Category".
Choose the URL category (or categories) the object should match.
(IMG)

Configure HTTP redirect to the Transparent Proxy

To activate the Transparent Proxy, enable "HTTP Policy Redirect" in a "Proxy Options" profile and apply that profile in a firewall policy. The policy should cover both HTTP and HTTPS traffic, as in the image below.

1. Go to "Security Profiles > Proxy Options > Create New".
2. Enter a name in "Name". Under "Protocol Port Mapping" make sure HTTP is enabled. Under "Web Options" tick "HTTP Policy Redirect".
(IMG)

3. Go to "Policy & Objects > IPv4 Policy > Create New".
4. Create an additional IPv4 policy with the settings shown:
(IMG)

This policy must sit above any other policy that would otherwise allow web traffic, so that web connections are evaluated by it first.

(IMG)

Configure the Transparent Proxy policy
Once the FortiGate redirects traffic to the Transparent Proxy, policies can be created under "Proxy Policy" in the GUI. There the objects and services defined above can be combined freely. To test the method, create a policy with the following settings:

1. Go to "Policy & Objects > Proxy Policy > Create New".
2. Set the policy fields as shown below:
(IMG)

Further policies are configured the same way; only the Source, Destination and Web Filter change for the other object groups, according to the FortiGuard category.
(IMG)
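The whole procedure (FSSO agent, FSSO group, authentication rule, proxy options, category address object, redirect policy and proxy policies, plus the logged default-deny from the note earlier) as FortiOS CLI. This is an added example and not the post's own configuration. Assumptions: interfaces "internal" and "wan1", an FSSO collector at 10.0.0.5, the AD group DN, FortiOS 5.6/6.0 CLI syntax, a web-filter profile named "wf-streaming-profile", and FortiGuard category ID 25 for "Streaming Media and Download" (confirm the ID on your own unit with `get webfilter categories`).

```text
# Added example, not the post's own configuration. Assumed: interfaces "internal"/"wan1",
# FSSO collector 10.0.0.5, the AD group DN, FortiOS 5.6/6.0 syntax, profile
# "wf-streaming-profile", and category ID 25 = Streaming Media and Download
# (verify with "get webfilter categories").

config user fsso
    edit "fsso-collector"
        set server "10.0.0.5"
        set password <collector-password>
    next
end

config user group
    edit "fsso_streaming"
        set group-type fsso-service
        set member "CN=streaming,OU=Groups,DC=corp,DC=example,DC=com"
    next
end

config authentication scheme
    edit "authscheme"
        set method fsso
    next
end
config authentication setting
    set sso-auth-scheme "authscheme"
end
config authentication rule
    edit "fsso"
        set srcaddr "all"
        set sso-auth-method "authscheme"
    next
end

config firewall profile-protocol-options
    edit "tp-redirect"
        config http
            set ports 80
            set status enable
            set http-policy enable
        end
    next
end

config firewall proxy-address
    edit "cat-streaming"
        set type category
        set category 25
    next
end

config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set profile-protocol-options "tp-redirect"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
end

config firewall proxy-policy
    edit 1
        set proxy transparent-web
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "cat-streaming"
        set groups "fsso_streaming"
        set service "webproxy"
        set action accept
        set schedule "always"
        set utm-status enable
        set webfilter-profile "wf-streaming-profile"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
    edit 99
        set proxy transparent-web
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action deny
        set schedule "always"
        set logtraffic all
    next
end
```

Proxy policies are evaluated top to bottom, so every category-specific accept policy (one per FortiGuard category and FSSO group) has to sit above policy 99, the logged catch-all deny. A user outside "fsso_streaming" who browses to a streaming site does not match policy 1 and falls through to 99, which is exactly the fall-through described earlier. Two version notes: in FortiOS 5.6/6.0 the VDOM must run in proxy inspection mode (`config system settings`, `set inspection-mode proxy`), whereas from 6.2 inspection mode is set per firewall policy and the redirect flag moved into the firewall policy as `set http-policy-redirect enable`. Certificate inspection is sufficient for category matching on HTTPS because the lookup uses the server name from the TLS handshake; deep inspection is only required if the web-filter profile must see URL paths.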

Validate web-filter behaviour
Once configuration is complete, check that users in the different groups are handled as intended. Below, a user browsing YouTube is classified by FortiGuard into the "Streaming" category:

(IMG)




Open "Monitor > Firewall User Monitor" on the FortiGate: the user list is split into the groups used to reach the website.

(IMG)

The same can be seen from the CLI:

diagnose wad user list
(IMG)

The output shows the session details: IP address, user name, access time, applied policy (pol_id) and so on.
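A few more CLI checks that cover each layer of the setup (FSSO, proxy, FortiGuard categories, sessions). This is an added example and not part of the original post; the client address 10.10.10.25 is a placeholder, and the output naturally depends on your environment.

```text
# Added example, not from the post. 10.10.10.25 is a placeholder client address.

# FSSO: is the collector connected, and which logons has it delivered?
diagnose debug authd fsso server-status
diagnose debug authd fsso list

# Proxy: which users does WAD currently hold, and which proxy policy (pol_id) matched them?
diagnose wad user list

# FortiGuard: confirm the numeric category ID referenced by the proxy address object
get webfilter categories

# Sessions: confirm the client's web traffic is actually hitting the redirect policy
diagnose sys session filter src 10.10.10.25
diagnose sys session list
diagnose sys session filter clear
```

If `diagnose debug authd fsso list` shows the user but `diagnose wad user list` does not, the traffic is not reaching the transparent proxy; check that the redirect firewall policy sits above any other policy that allows HTTP/HTTPS for that client.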

When the user accesses a website in a different category, a different log entry is produced.


(IMG)




Back in "Monitor > Firewall User" on the FortiGate, a second group name now appears under User Group:

(IMG)




Checking from the CLI, pol_id is now 3 for this session.

(IMG)

As shown, Transparent Proxy greatly increases the flexibility of web filtering on a FortiGate firewall. It also makes it possible to carry category-based policies over from another vendor's product to the FortiGate without additional conversion.
