Tuesday, July 16, 2024

Fortigate Explicit proxy for SSH

Lately, in my day job, I'm doing a lot of proxy diagnostics, working mainly with Bluecoat. I want to show you how we can set up an SSH proxy on a FortiGate.

1st

The generic configuration is required:

# it's important that you have an interface with explicit proxy enabled, and the ssh client needs to be able to reach that interface and the proxy-server port

config system interface
    edit "wan2"
        set vdom "root"
        set ip 209.xxxxx.2 255.255.255.0
        set allowaccess ping https ssh snmp
        set type physical
        set explicit-web-proxy enable
        set alias "internet uplink #2 XO "
        set role wan
        set snmp-index 4
    next
end


Here's a basic explicit proxy configuration:


config web-proxy explicit
    set status enable
    set ftp-over-http enable
    set http-incoming-port 3128
    set https-incoming-port 3128
    set pac-file-server-status enable
    set pac-file-server-port 7888
    set pac-file-name "myorgproxy.pac"
end



Here's a simple proxy-policy rule:

# the proxy-policy must have "set proxy ssh" in order to proxy ssh


config firewall proxy-policy
    edit 1
        set uuid 17517cfa-e15d-51ee-e807-fe331ad5ba2d
        set name "ssh out demo socpuppets"
        set proxy ssh
        set dstintf "upg-zone-wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
    next
end



Now, on Unix/Linux/macOS, you need to set your ssh client up to use the proxy and send an HTTP CONNECT. The simplest way is to define a .ssh/config file.



e.g. .ssh/config


Host lg.homenoc.ad.jp
    ProxyCommand          nc -X connect -x 209.xxx.xxx.2:3128 %h %p
    ServerAliveInterval   15

Host route-server.ip.att.net
    ProxyCommand          nc -X connect -x 209.xxx.xxx.2:3128 %h %p
    ServerAliveInterval   15
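As an added example (not code from the original post), here is a small Python ProxyCommand that does what the `nc -X connect -x` line above does, so the CONNECT exchange with the FortiGate explicit proxy is visible: it sends `CONNECT host:port`, reads the proxy's reply, and only relays ssh's stdin/stdout through the socket after a 200; any other status (the proxy-policy denying the connection, for instance) is reported as an error instead of being fed to ssh. The proxy address and port 3128 are the ones from the config above; the script name connect_proxy.py is assumed.

```python
import socket
import sys
import threading

def build_connect_request(host, port):
    # Same request a browser sends for HTTPS via the explicit proxy; the
    # proxy-policy with "set proxy ssh" is what lets an SSH target through.
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()

def parse_connect_response(raw):
    # Returns (status_code, bytes after the headers). The leftover matters:
    # the SSH banner can arrive in the same read as the proxy's reply.
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {parts!r}")
    return int(parts[1]), rest

def open_tunnel(proxy_host, proxy_port, dst_host, dst_port):
    sock = socket.create_connection((proxy_host, proxy_port), timeout=15)
    sock.sendall(build_connect_request(dst_host, dst_port))
    buf = b""
    while b"\r\n\r\n" not in buf:          # read until end of proxy headers
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
    code, leftover = parse_connect_response(buf)
    if code != 200:                         # e.g. denied by the proxy-policy
        raise ConnectionError(f"proxy refused CONNECT with HTTP {code}")
    sock.settimeout(None)
    return sock, leftover

def relay(sock, leftover):
    # stdin -> proxy in a helper thread; proxy -> stdout here until it closes.
    def to_proxy():
        while chunk := sys.stdin.buffer.read1(65536):
            sock.sendall(chunk)
        sock.shutdown(socket.SHUT_WR)       # ssh closed its side: half-close the tunnel
    threading.Thread(target=to_proxy, daemon=True).start()
    out = sys.stdout.buffer
    out.write(leftover); out.flush()
    while chunk := sock.recv(65536):
        out.write(chunk); out.flush()

if __name__ == "__main__":  # .ssh/config: ProxyCommand python3 connect_proxy.py 209.xxx.xxx.2 3128 %h %p
    s, rest = open_tunnel(sys.argv[1], int(sys.argv[2]), sys.argv[3], int(sys.argv[4]))
    relay(s, rest)
```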


 

Now let's look at some diagnostic output 







NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \