Monday, August 7, 2017

Fortigate Explicit Proxy with webfiltering

In schools, in both the public and private sector, a web proxy with URL filtering is a must. It ensures pupils are restricted in what content they can access.

Here I will show a top-level view of a multiple explicit-proxy setup in which user groups are defined and each user is granted access based on the web filter profile applied to his or her group.

You can define multiple web filter profiles for the various groups.


In the diagram above, we allow the grade-level network ranges to reach the explicit proxy addresses, which in this design are loopback interfaces.

A firewall policy (or several) is required to allow those networks to reach the proxy address.

This policy only lets the web clients reach the proxy. Because no other policy permits it, direct outbound traffic from the clients to the internet is dropped by the implicit deny. You do NOT need a firewall policy from the loopback address outward: the FortiGate allows proxy-initiated traffic automatically, and the explicit proxy policy (further down) is what controls it.

First, an example of the firewall policies that allow the web clients to reach the web proxy:


config firewall policy
    edit 0
        set dstintf "loop1"
        set srcintf "LAN1" "LAN2"
        set srcaddr "LANNET01" "LANNET02"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "WEB_PROXY" "PING"
        set comments "!!!!! ALLOW EXPLICIT PROXY TO THE CLIENTS school !!!!"
    next
    edit 0
        set dstintf "loop0"
        set srcintf "LAN3"
        set srcaddr "LANNET03"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "WEB_PROXY" "PING"
        set comments "!!!!! ALLOW EXPLICIT PROXY TO THE CLIENTS school !!!!"
    next
end


The above allows each source network to reach its respective proxy address. You can push the proxy address to Windows clients via a GPO, or set it statically on other clients.


Now, on the loopback interfaces, we only need to turn on the explicit web proxy:


config system interface
    edit "loop0"
        set explicit-web-proxy enable
    next
    edit "loop1"
        set explicit-web-proxy enable
    next
end



With that, the web clients can reach the web proxy service on the two loopbacks.


Now that the policies are in place and the web proxy is enabled, you can optionally configure web proxy profiles and the global explicit proxy settings (such as the listening port).

Next we define the web filter profiles; each may combine FortiGuard categories and static URL filters.



To use a URL filter with the explicit proxy, the web filter profile MUST be set to proxy inspection mode (set inspection-mode proxy inside the profile); a flow-mode profile will not be accepted by the explicit proxy policy.
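As an added example (this is not the post's own configuration; the object names, the URLs and the FortiGuard category numbers are assumptions, so verify category IDs on your own unit with get webfilter categories), here is a static URL list and a proxy-mode web filter profile for the K-5 group, plus a category-based profile for the older grades that reuses a static list for the assessment sites. The profile names match the ones used in the explicit proxy policy below.

```text
# Added example, not the post's config. Names, URLs and category
# numbers are placeholders/assumptions; check "get webfilter categories".

# Static list for K-5: allow a short set of approved sites, deny the rest.
config webfilter urlfilter
    edit 1
        set name "K5_APPROVED"
        config entries
            # Entries are matched top-down. "allow" still passes the request
            # on to FortiGuard category rating; "exempt" would skip every
            # later web filter check, so prefer "allow" for an allow-list.
            edit 1
                set url "*.khanacademy.org"
                set type wildcard
                set action allow
            next
            edit 2
                set url "district.example.edu"
                set type simple
                set action allow
            next
            # Default deny: anything not matched above is blocked.
            edit 3
                set url ".*"
                set type regex
                set action block
            next
        end
    next
    # Static list for grades 8-12: the assessment systems are always allowed,
    # everything else falls through to the category filters.
    edit 2
        set name "SCHOOL_STATIC"
        config entries
            edit 1
                set url "*.collegeboard.org"
                set type wildcard
                set action allow
            next
            edit 2
                set url "assessment.example.edu"
                set type simple
                set action allow
            next
        end
    next
end

config webfilter profile
    # K-5 profile: static allow-list only (the default-deny entry makes the
    # category filters irrelevant for this group).
    edit "SCHOOLK12"
        set comment "K-5 restricted, explicit proxy"
        # Required for URL filtering on the explicit proxy.
        set inspection-mode proxy
        config web
            set urlfilter-table 1
        end
    next
    # Grades 8-12 profile: static list first, then FortiGuard categories.
    edit "SCHOOL"
        set comment "Grades 8-12, explicit proxy"
        set inspection-mode proxy
        config web
            set urlfilter-table 2
        end
        config ftgd-wf
            config filters
                # Category IDs below are assumed, verify on your unit:
                # 14 Pornography, 7 Proxy Avoidance, 26 Malicious Websites,
                # 37 Social Networking.
                edit 1
                    set category 14
                    set action block
                next
                edit 2
                    set category 7
                    set action block
                next
                edit 3
                    set category 26
                    set action block
                next
                edit 4
                    set category 37
                    set action block
                next
            end
        end
    next
end
```

One caveat worth checking before you rely on a static entry: with the certificate-inspection SSL profile used in the explicit proxy policy below, HTTPS requests are rated on the host name from the server certificate or SNI only, so a path-level static entry (an allow for one directory of a site, for example) matches plain HTTP but not HTTPS. Host-level entries and categories work for both.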
With all of the above in place, you can define explicit proxy policies similar to the following:


config firewall explicit-proxy-policy
    edit 1
        set proxy web
        set dstintf "wan1"
        set srcaddr "SCHOOL EDU_NET_RANGE"
        set dstaddr "all"
        set service "WEB_PROXY"
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set utm-status enable
                set group "proxy_user0"
                set webfilter-profile "SCHOOL"
                set profile-protocol-options "default2"
                set ssl-ssh-profile "certificate-inspection"
            next
            edit 2
                set schedule "always"
                set users "proxy_user1"
            next
            edit 3
                set schedule "always"
                set group "School_Resource_Group"
            next
            edit 4
                set schedule "always"
                set group "K-12students"
                set utm-status enable
                set webfilter-profile "SCHOOLK12"
                set profile-protocol-options "default2"
                set ssl-ssh-profile "certificate-inspection"
            next
        end
    next
end
Each identity-based policy rule can use a different authentication type or method (local user, RADIUS, LDAP, and so on). A hosted RADIUS or LDAP (as-a-service) solution can also be used.



For example, you might use a hosted RADIUS service for one group of users, a static local user for diagnostics, and authenticate the student and faculty body with their MS Active Directory credentials.


Be aware of the identity rule ordering and of what each user can authenticate as, and how. Rules are evaluated top-down, so a user who belongs to more than one group hits the first rule that matches. Note also that in the example above rules 2 and 3 have no utm-status or webfilter-profile, so users matching them browse unfiltered; that is intended for the diagnostic user and the resource officers, but check it carefully when you build your own list.
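As an added example (not from the post; server addresses, DNs, account names and secrets are placeholders), here is one way to back the four identity rules above with three different authentication sources: an AD LDAP server for the student and resource-officer groups, a hosted RADIUS server for proxy_user0, and a local account for the diagnostic user proxy_user1.

```text
# Added example, not the post's config. Addresses, DNs, names and
# secrets are placeholders; replace them with your own.

# Active Directory over LDAPS for students and staff. The bind account
# only needs read access to the users and groups it must look up.
config user ldap
    edit "SCHOOL_AD"
        set server "10.10.0.10"
        set cnid "sAMAccountName"
        set dn "dc=school,dc=edu"
        set type regular
        set username "cn=svc_fortigate,cn=Users,dc=school,dc=edu"
        set password "<service-account-password>"
        set secure ldaps
        set port 636
    next
end

# Hosted RADIUS (RADIUS-as-a-service) for the proxy_user0 group.
config user radius
    edit "RADIUS_AAS"
        set server "radius.provider.example"
        set secret "<shared-secret>"
    next
end

# A single local account for diagnostics, matched by rule 2 (set users).
config user local
    edit "proxy_user1"
        set type password
        set passwd "<diagnostic-password>"
    next
end

# Groups referenced by the identity rules. The "config match" block ties
# an AD security group to the FortiGate group, so the same LDAP server can
# feed several rules with different web filter profiles.
config user group
    edit "K-12students"
        set member "SCHOOL_AD"
        config match
            edit 1
                set server-name "SCHOOL_AD"
                set group-name "CN=Students,OU=Groups,DC=school,DC=edu"
            next
        end
    next
    edit "School_Resource_Group"
        set member "SCHOOL_AD"
        config match
            edit 1
                set server-name "SCHOOL_AD"
                set group-name "CN=ResourceOfficers,OU=Groups,DC=school,DC=edu"
            next
        end
    next
    edit "proxy_user0"
        set member "RADIUS_AAS"
    next
end
```

Because both AD-backed groups are checked against the same server, an account that is a member of both AD groups is classified by whichever identity rule comes first; with the rule order shown above, a resource officer who is also in the Students group would land in rule 3 and browse unfiltered, which is why the rule order and the AD group memberships have to be reviewed together.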

The explicit proxy is a powerful means of controlling and inspecting user requests. The FortiGate makes it simple to apply web filtering using domain and *wildcard pattern matches as well as category-based filtering.


Each identity rule can have its own web filter profile that matches the authorizations of that set of web clients.


Examples

  •   the police/resource officer is allowed all sites, including social media, in order to investigate threats
  •   K-5 has a restricted profile that allows only approved educational sites or static entries
  •   grades 8-12 are allowed the same, plus any SAT or assessment systems listed in a static URL list
  •   the Information Technology team has access to IT sites for uploads/downloads and security-related matters
  •   guest users have basic access to the sites deemed approved

To test the proxy I've found Chrome launched manually is a great method. You could use a static pac file or just call up the proxy server.

( launching chrome )


( sample pac.file )




Based on your web filter categories or static URLs and the action assigned to them, you can test for allow or block. Depending on the user group and the action set for the URL, the request is either allowed or denied. If it is denied, you will see a response page similar to the one below.


If AUTHENTICATION fails, the proxy returns a login failure message.

If you use Chrome, always check the proxy settings the SYSTEM has enabled: Chrome follows the operating system's proxy settings unless you override them on its command line, so a test that "works" may be going through a different proxy than the one you think.



Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \

