Transparent Web Proxy

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

In this recipe, you’ll learn how to create a basic transparent web proxy setup. You can use the transparent proxy to apply web authentication to HTTP traffic accepted by a firewall policy.

In previous versions of FortiOS, web authentication required using the Explicit Proxy. Now in addition to the Explicit Web Proxy, FortiOS now supports a Transparent Web Proxy. With the transparent web proxy, you can forward your user’s web traffic to the proxy without requiring your users to reconfigure their browsers or without needing to publish a proxy auto-configuration (PAC) file.

Note: This is just a basic setup, and authentication will be covered in a future recipe.

1. Configuring System and Network settings

Go to System > Settings, scroll to Operations Settings and set the inspection mode to Proxy.  
Go to System > Feature Select and enable Explicit Proxy.  
Go to Network > Explicit Proxy and enable Explicit Web Proxy. You can also change the HTTP port that the proxy listens on (default is 8080) or specify different ports for HTTPS, FTP, PAC, and other options.

2. Adding Proxy Options to your policy

Go to Security Profiles > Proxy Options. Create or edit a proxy options profile. Under Web Options, enable HTTP Policy Redirect.
Go to Policy & Objects > IPv4 Policy and create or edit a policy controlling the traffic that you want to apply authentication to. Select a security profile (in the example, AntiVirus) and then enable the Proxy Options edited in the previous step and enable SSL/SSH inspection.  

3. Creating a Proxy Policy

Go to Policy & Objects > Proxy Policy and create a transparent policy to accept the traffic that you want to apply authentication to. Set the Proxy Type to Transparent Web.

The Incoming Interface, Outgoing Interface, Destination Address, and Schedule should either match or be a subset of the source addresses defined in the IPv4 policy. Addresses added to the Source must match or be a subset of the source addresses added to the IPv4 policy. You can also add the users to be authenticated by the transparent policy to the Source Field.

 

 4. Results

Open a browser and generate traffic for a few minutes. Then go to FortiView > Policies.

Right-click on a row in the table to drill down for details.  You will see that traffic is flowing through the proxy policy.
Traffic is flowing through the IPv4 policy configured with the proxy security profile.  

For more information, read about Transparent Web Proxy in What’s New for FortiOS 5.6.

Judith Haney

Judith Haney

Technical Writer at Fortinet
Judith Haney is a Technical Writer on the FortiOS technical documentation team. She graduated with honours from Algonquin College's Technical Writer program in September 2014. In a previous lifetime, Judith earned degrees in Mathematics (B.S.) and French literature (M.A.).
Judith Haney

Latest posts by Judith Haney (see all)

  • Was this helpful?
  • Yes   No
  • FG-100D

    Can I Apply User Authetication over Transparent Proxy Policy for Web Access?

    • Francesco Rispoli

      Did you get any answer?

      • bdickie

        We are currently working on a recipe to show some of the authentication features of the transparent web proxy. It should be available soon. However, I am not sure what is meant by “Web Access” could you be more specific. Also as far as we know, the new transparent web proxy supports the same authentication features as the explicit web proxy.