Lately, in my day job I'm doing a lot of proxy diagnostics and work mainly with Bluecoat. I want to show you how we can set up an SSH proxy within a FortiGate.
1st, the generic config is required:
# it's important that you have an interface enabled for explicit web proxy, and the ssh client needs to be able to reach that interface and the proxy-server port
config system interface
    edit "wan2"
        set vdom "root"
        set ip 209.xxxxx.2 255.255.255.0
        set allowaccess ping https ssh snmp
        set type physical
        set explicit-web-proxy enable
        set alias "internet uplink #2 XO "
        set role wan
        set snmp-index 4
    next
end
Here's a basic explicit proxy config:
config web-proxy explicit
    set status enable
    set ftp-over-http enable
    set http-incoming-port 3128
    set https-incoming-port 3128
    set pac-file-server-status enable
    set pac-file-server-port 7888
    set pac-file-name "myorgproxy.pac"
end
Here's a simple proxy-policy rule:
# the proxy policy must say "ssh" (set proxy ssh) in order to proxy ssh; a plain web proxy policy will not match the CONNECT to port 22
config firewall proxy-policy
    edit 1
        set uuid 17517cfa-e15d-51ee-e807-fe331ad5ba2d
        set name "ssh out demo socpuppets"
        set proxy ssh
        set dstintf "upg-zone-wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
    next
end
Now in unix/linux/macOS you need to set your ssh client up to use the proxy and send an HTTP CONNECT. The simplest way is to define a .ssh/config file, e.g.:

.ssh/config
Host lg.homenoc.ad.jp
    ProxyCommand nc -X connect -x 209.xxx.xxx.2:3128 %h %p
    ServerAliveInterval 15
Host route-server.ip.att.net
    ProxyCommand nc -X connect -x 209.xxx.xxx.2:3128 %h %p
    ServerAliveInterval 15
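To make the CONNECT step concrete, here is an added example in Python (my own code, not from this post and not Fortinet's) that does what the nc -X connect line does on ssh's behalf: open a TCP session to the proxy, send an HTTP CONNECT for the SSH host and port, check the proxy's status line, and hand the socket back together with any bytes that arrived after the headers (for SSH that is usually the server's version banner). So it runs offline, it ships with a constructed stand-in proxy that mimics the "set proxy ssh" policy by answering 200 only for port 22 and 403 for anything else; the host name route-server.ip.att.net is only echoed to that stand-in and never resolved.

```python
import socket
import threading


def build_connect_request(host: str, port: int) -> bytes:
    # This is the request "nc -X connect -x proxy:3128 %h %p" sends for ssh
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "\r\n"
    ).encode("ascii")


def read_proxy_response(sock: socket.socket) -> tuple[int, bytes]:
    """Read the proxy's status line and headers; return (status, leftover).

    Leftover bytes after the blank line already belong to the tunnelled
    stream, so they must be handed to the SSH layer, not discarded.
    """
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
        if len(buf) > 65536:
            raise ValueError("proxy response headers too large")
    head, _, leftover = buf.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed proxy status line: {status_line!r}")
    return int(parts[1]), leftover


def connect_via_proxy(proxy_host: str, proxy_port: int, host: str, port: int,
                      timeout: float = 10.0) -> tuple[socket.socket, bytes]:
    """Open a CONNECT tunnel through proxy_host:proxy_port to host:port."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(build_connect_request(host, port))
        status, leftover = read_proxy_response(sock)
    except Exception:
        sock.close()
        raise
    if status != 200:
        sock.close()
        # A non-200 here is the proxy policy (or auth) refusing the tunnel
        raise PermissionError(f"proxy refused CONNECT {host}:{port} with HTTP {status}")
    return sock, leftover


def read_ssh_banner(sock: socket.socket, leftover: bytes = b"") -> str:
    """Read the first line of the tunnelled stream, i.e. the SSH version banner."""
    buf = leftover
    while b"\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")


def start_mock_proxy(allowed_ports=(22,)):
    """Constructed stand-in for the FortiGate explicit proxy (not a real one).

    Mirrors "set proxy ssh": a CONNECT to an allowed port gets 200 plus a
    fake SSH banner, anything else gets 403. It never contacts the target.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return  # listener closed, stop serving
            with conn:
                req = b""
                while b"\r\n\r\n" not in req:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    req += chunk
                first = req.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
                target = first[1] if len(first) > 1 and first[0] == "CONNECT" else ""
                try:
                    dport = int(target.rsplit(":", 1)[1])
                except (IndexError, ValueError):
                    dport = 0
                if dport in allowed_ports:
                    conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n"
                                 b"SSH-2.0-constructed_banner\r\n")
                else:
                    conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return listener, port


def demo() -> tuple[str, bool]:
    """Tunnel to port 22 (allowed) and port 80 (refused) through the stand-in."""
    listener, pport = start_mock_proxy()
    try:
        sock, leftover = connect_via_proxy("127.0.0.1", pport, "route-server.ip.att.net", 22)
        banner = read_ssh_banner(sock, leftover)
        sock.close()
        try:
            connect_via_proxy("127.0.0.1", pport, "route-server.ip.att.net", 80)
            refused = False
        except PermissionError:
            refused = True
    finally:
        listener.close()
    return banner, refused


if __name__ == "__main__":
    print(demo())
```

When a real session fails, the status line is the first thing to look at: ssh -v only tells you the ProxyCommand exited, while the proxy's HTTP reply tells you whether the tunnel was refused by policy or never established at all.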
Now let's look at some diagnostic output
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \