Transparent Web Proxy

In this recipe, you’ll learn how to create a basic transparent web proxy setup. You can use the transparent proxy to apply web authentication to HTTP traffic accepted by a firewall policy.

In previous versions of FortiOS, web authentication required using the Explicit Proxy. In addition to the Explicit Web Proxy, FortiOS now supports a Transparent Web Proxy. With the transparent web proxy, you can forward your users’ web traffic to the proxy without requiring them to reconfigure their browsers and without needing to publish a proxy auto-configuration (PAC) file.

Note: This is just a basic setup, and authentication will be covered in a future recipe.

1. Configuring System and Network settings

Go to System > Settings, scroll to Operations Settings and set the inspection mode to Proxy.  
Go to System > Feature Select and enable Explicit Proxy.  
Go to Network > Explicit Proxy and enable Explicit Web Proxy. You can also change the HTTP port that the proxy listens on (default is 8080) or specify different ports for HTTPS, FTP, PAC, and other options.

2. Adding Proxy Options to your policy

Go to Security Profiles > Proxy Options. Create or edit a proxy options profile. Under Web Options, enable HTTP Policy Redirect.
Go to Policy & Objects > IPv4 Policy and create or edit a policy controlling the traffic that you want to apply authentication to. Select a security profile (in the example, AntiVirus), then enable the Proxy Options profile edited in the previous step and enable SSL/SSH inspection.  

3. Creating a Proxy Policy

Go to Policy & Objects > Proxy Policy and create a transparent policy to accept the traffic that you want to apply authentication to. Set the Proxy Type to Transparent Web.

The Incoming Interface, Outgoing Interface, Destination Address, and Schedule should either match or be a subset of the corresponding settings defined in the IPv4 policy. Addresses added to the Source must match or be a subset of the source addresses added to the IPv4 policy. You can also add the users to be authenticated by the transparent policy to the Source field.
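
The match-or-subset rule above can be checked before a change is committed. The following is an added example, not part of the original recipe or of FortiOS: the dictionary layout, the function names, the interface names and the subnets are all assumptions, and each field is compared with the same field of the IPv4 policy.

```python
import ipaddress

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def _covered(inner, outer):
    """True if every network in `inner` lies inside some network in `outer`."""
    outer_nets = _nets(outer)
    return all(
        any(n.version == o.version and n.subnet_of(o) for o in outer_nets)
        for n in _nets(inner)
    )

def check_proxy_policy(proxy, ipv4):
    """Return the fields where the transparent proxy policy is neither equal
    to nor a subset of the IPv4 policy that redirects traffic to it."""
    problems = []
    # Interfaces: the proxy policy may name only interfaces the IPv4 policy uses.
    for field in ("incoming", "outgoing"):
        if not set(proxy[field]) <= set(ipv4[field]):
            problems.append(field)
    # Addresses: every proxy-policy subnet must sit inside an IPv4-policy subnet.
    for field in ("source", "destination"):
        if not _covered(proxy[field], ipv4[field]):
            problems.append(field)
    # Simplification (assumption): schedules are compared by name only, and an
    # "always" schedule on the IPv4 policy is treated as containing any other.
    if proxy["schedule"] != ipv4["schedule"] and ipv4["schedule"] != "always":
        problems.append("schedule")
    return problems

# Constructed sample policies; interface names and subnets are made up.
IPV4_POLICY = {"incoming": ["lan"], "outgoing": ["wan1"],
               "source": ["10.10.0.0/16"], "destination": ["0.0.0.0/0"],
               "schedule": "always"}
GOOD_PROXY = {"incoming": ["lan"], "outgoing": ["wan1"],
              "source": ["10.10.20.0/24"], "destination": ["0.0.0.0/0"],
              "schedule": "always"}
# Adds a source subnet and an outgoing interface the IPv4 policy does not cover.
BAD_PROXY = dict(GOOD_PROXY, outgoing=["wan2"],
                 source=["10.10.20.0/24", "192.168.1.0/24"])

if __name__ == "__main__":
    for name, policy in (("good", GOOD_PROXY), ("bad", BAD_PROXY)):
        print(name, check_proxy_policy(policy, IPV4_POLICY) or "ok")
```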


4. Results

Open a browser and generate traffic for a few minutes. Then go to FortiView > Policies.

Right-click on a row in the table to drill down for details. You will see that traffic is flowing through the proxy policy and through the IPv4 policy configured with the proxy security profile.

For more information, read about Transparent Web Proxy in What’s New for FortiOS 5.6.