Transparent web proxy with FSSO

In this recipe, you use a transparent web proxy as an intermediary between your users and the Internet. You also use Fortinet Single Sign-On (FSSO) for user authentication.

If you don’t already have FSSO configured, see the Authentication Handbook.


1. Configuring an explicit proxy

In order to use a transparent proxy, your FortiGate must use proxy-based inspection.

To set the inspection mode of your FortiGate, go to System > Settings. Under System Operation Settings, set Inspection Mode to Proxy.

To view proxy settings in the GUI, go to System > Feature Visibility. Under Security Features, enable Explicit Proxy.

To create a proxy options profile, go to Security Profiles > Proxy Options and create a new profile. Under Web Options, enable HTTP Policy Redirect.

To apply the proxy options profile to a policy, go to Policy & Objects > IPv4 Policy and create a new policy.

Under Security Profiles, enable Proxy Options and select the new profile.

2. Configuring the transparent proxy for FSSO

This example has two FSSO groups: Students (including user JSMITH) and Teachers (including user PADAMS).

This example also has two different web filter profiles that allow different access for the two groups, including blocking access to social network sites for members of the Students group.

To create a transparent proxy policy for the Teachers group, go to Policy & Objects > Proxy Policy and create a new policy.

Set Proxy Type to Transparent Web. Select Source and set User Group to the Teachers group.

Under Security Profiles, enable Web Filter and select the filter for the teachers.

Create a second policy for the Students group.

Under Security Profiles, enable Web Filter and select the filter for the students.

To configure FSSO authentication rules, use the following CLI commands:

config authentication scheme
  edit "authscheme"
    set method fsso
  next
end

config authentication setting
  set sso-auth-scheme "authscheme"
end

config authentication rule
  edit "fsso"
    set srcaddr "all"
    set sso-auth-method "authscheme"
  next
end

3. Results

Log in using the JSMITH account and attempt to browse to facebook.com.

You are blocked from accessing a site in the Social Networking category.

To verify that the transparent proxy policy accepts the correct traffic, go to FortiView > Policies and filter for that policy.

4. Troubleshooting

Use the following command to verify that the proxy policy accepts user traffic after authentication with FSSO.

Example output:

FGT # diagnose wad user list

ID: 6, IP: 192.168.1.11, VDOM: root
  user name   : JSMITH
  duration    : 195
  auth_type   : 1
  auth_method : 9
  pol_id      : 1
  g_id        : 2
  user_based  : 0
  expire      : no
  LAN:
    bytes_in=0 bytes_out=0
  WAN:
    bytes_in=0 bytes_out=0

session info: proto=6 proto_state=11 duration=102 expire=3497 timeout=3600 flags=00000000 sockflag=00000000 sockport=80 av_idx=1 use=6
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=JSMITH state=redir local may_dirty f00 url_cat_valid acct-ext
statistic(bytes/packets/allow_err): org=454/4/1 reply=920/3/1 tuples=3
tx speed(Bps/kbps): 4/0 rx speed(Bps/kbps): 8/0
orgin->sink: org pre->post, reply pre->post dev=32->5/5->32 gwy=172.25.185.1/0.0.0.0
hook=post dir=org act=snat 192.168.1.11:57034->72.21.91.29:80(172.25.185.215:57034)
hook=pre dir=reply act=dnat 72.21.91.29:80->172.25.185.215:57034(192.168.1.11:57034)
hook=post dir=reply act=noop 72.21.91.29:80->192.168.1.11:57034(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=0004d38c tos=40/40 app_list=0 app=0 url_cat=52

dd_type=0 dd_mode=0
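As an added example (not part of the recipe or FortiOS itself), the following Python script parses `diagnose wad user list` output of the form shown above into one record per entry and compares the user name the proxy learned for each client IP against the mapping you expect from FSSO; the sample text is the JSMITH entry from above, and the expected IP-to-user mapping in the check is an assumption for illustration.

```python
import re

# Constructed sample in the format of `diagnose wad user list` (one entry, as above).
SAMPLE = """\
ID: 6, IP: 192.168.1.11, VDOM: root
  user name   : JSMITH
  duration    : 195
  auth_type   : 1
  auth_method : 9
  pol_id      : 1
  g_id        : 2
  user_based  : 0
  expire      : no
  LAN:
    bytes_in=0 bytes_out=0
  WAN:
    bytes_in=0 bytes_out=0
"""

HEADER = re.compile(r"^ID:\s*(\d+),\s*IP:\s*(\S+),\s*VDOM:\s*(\S+)")
FIELD = re.compile(r"^\s+([\w ]+?)\s*:\s*(\S.*)?$")  # "key : value" or "LAN:"
COUNTER = re.compile(r"(\w+)=(\d+)")                 # "bytes_in=0 bytes_out=0"

def parse_wad_user_list(text):
    """Return one dict per 'ID:' record; LAN/WAN counters become nested dicts."""
    users, section = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            users.append({"id": int(m.group(1)), "ip": m.group(2), "vdom": m.group(3)})
            section = None
        elif not users:
            continue                      # prompt or command echo before the first record
        elif (m := FIELD.match(line)):
            key, val = m.group(1).strip().replace(" ", "_"), m.group(2)
            if val is None:               # "LAN:" / "WAN:" open a counter block
                section, users[-1][key] = key, {}
            else:
                users[-1][key] = val
        elif not line.startswith(" "):
            section = None                # unindented text (e.g. session info) ends the record
        elif section:
            users[-1][section].update((k, int(v)) for k, v in COUNTER.findall(line))
    return users

def check_expected(users, expected):
    """expected maps client IP -> FSSO user name (assumed); returns a list of mismatches."""
    seen = {u["ip"]: u.get("user_name") for u in users}
    return [f"{ip}: expected {name}, proxy has {seen.get(ip)}"
            for ip, name in expected.items() if seen.get(ip) != name]
```

An empty list from check_expected means every expected client is known to the proxy under the right FSSO user; a "proxy has None" entry means the proxy has not learned a logon for that IP at all.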

For further reading, check out Transparent Proxy Concepts in the FortiOS 5.6 Online Help.