Web Authentication
Step 1: Go to Feature Visibility and enable Explicit Proxy.
Step 2: Select the inspection mode.
Understanding the inspection modes:
Proxy
Proxy-based inspection involves buffering traffic and examining it as a whole before
determining an action. Having the whole of the data to analyze allows for
the examination of more points of data than the flow-based method.
Advantages:
The advantage of a proxy-based method is that the inspection can be more thorough than
the other methods.
Deep inspection
Protocol: TCP
Flow-based
The flow-based inspection method examines the file as it passes through the FortiGate unit
without any buffering. As each packet of the traffic arrives it is processed and forwarded
without waiting for the complete file or web page.
OR
Proxy-based inspection reconstructs content passing through the FortiGate unit and
inspects the content for security threats.
Advantages:
The advantage of the flow-based method is that the user sees a faster response time for
HTTP requests and there is less chance of a time-out error due to the server at the other
end responding slowly.
OR
Flow-based inspection takes a snapshot of content packets and uses pattern matching
to identify security threats in the content.
Protocol: UDP
Which mode is better?
In most cases proxy mode is preferred because more security profile features are available and
more configuration options for these individual features are available. Yet, some
implementations may require all security profile scanning to only use flow mode. In this case,
you can set your FortiGate to flow mode knowing that proxy mode inspection will not be used.
While both modes offer significant security, proxy-based provides more features and flow-based
is designed to optimize performance.
Note: For a better understanding, you can relate these modes to two switching techniques:
Store-and-forward: proxy
Cut-through: flow-based
Comparative Analysis:
Step 2 (continued):
Go to Global > System > VDOM > Create New > Inspection Mode
Note: If you want to use web authentication (transparent and explicit proxy) set inspection
mode to proxy.
Step 2:
After setting the inspection mode to proxy, you have two methods for web authentication:
1) Explicit Proxy
2) Transparent Proxy
1) Explicit Proxy:
In an explicit proxy configuration, the client (e.g. browser, desktop application etc.) is
explicitly configured to use a proxy server, meaning the client knows that all requests
will go through a proxy. The client is given the hostname/IP address and port number of
the proxy service. When a user makes a request, the client connects to the proxy service
and sends the request. The disadvantage to explicit proxy is that each client must be
properly configured to use the proxy.
More Administrative work required
2) Transparent Proxy:
In a transparent proxy configuration, the proxy is typically deployed at the Internet
gateway and the proxy service is configured to intercept traffic for a specified port. The
client (e.g. browser, desktop application etc.) is unaware that traffic is being processed
by a proxy. For example, a transparent HTTP proxy is configured to intercept all traffic
on port 80/443. The typical benefits of a transparent proxy include a standard
enterprise configuration where all clients routed to the internet will always be filtered
and protected no matter what the end users do, or change, on their machines, and the
added benefit of less client-proxy configuration troubleshooting for typical users.
Less Administrative work required
Another benefit for this setup is the fact that WiFi is protected and filtered out of the
box, no matter what type of device it is coming through. The IT admin only needs to
further route the WiFi routers through the gateway, without needing to touch the
mobile devices in any way.
One limitation of the transparent proxy functionality is lack of authentication. Since the
clients are unaware that their requests are handled by a proxy server, the browsers and
web applications do not know that they need to authenticate, so they do not call the
authentication routines. This means that vendors of transparent proxy technology need
to provide support for web authentication in a different way.
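The authentication limitation described above, shown as an added Python example (not part of the original notes, and not FortiGate code): an explicit-proxy request arrives in absolute form and can be challenged with 407, while an intercepted request arrives in origin form and has to be sent to a login portal instead. The portal URL, the user table and the per-IP session set are assumptions made for the illustration.

```python
import base64
import hmac
from urllib.parse import quote, urlsplit

PORTAL = "https://portal.example.invalid/login"  # hypothetical captive-portal URL
USERS = {"alice": "s3cret-demo"}                 # constructed demo credentials
# Constructed sample requests: same page, asked for via each proxy type.
EXPLICIT_REQ = "GET http://example.com/index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
INTERCEPTED_REQ = "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"


def request_form(request_line):
    """Classify the request-target form (RFC 7230, section 5.3)."""
    method, target, _ = request_line.split(" ", 2)
    if method == "CONNECT" or urlsplit(target).scheme in ("http", "https", "ftp"):
        return "explicit"     # authority/absolute form: client was given the proxy
    return "transparent"      # origin form: client believes it talks to the server


def basic_ok(value):
    """Check a 'Basic <base64(user:password)>' credential against USERS."""
    try:
        scheme, blob = value.split(" ", 1)
        user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:        # malformed header, bad base64 or bad UTF-8
        return False
    expected = USERS.get(user)
    return (scheme.lower() == "basic" and expected is not None
            and hmac.compare_digest(password.encode(), expected.encode()))


def decide(raw_request, client_ip, portal_sessions):
    """Return (status, headers); 200 stands for 'forward the request upstream'."""
    lines = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(":") for ln in lines[1:])}
    if request_form(lines[0]) == "explicit":
        # The client knows about the proxy, so it will answer a 407 challenge.
        if basic_ok(headers.get("proxy-authorization", "")):
            return 200, {}
        return 407, {"Proxy-Authenticate": 'Basic realm="proxy"'}
    # Intercepted client: it never sends Proxy-Authorization, so identity is
    # tracked per source IP after a portal login (assumed approach).
    if client_ip in portal_sessions:
        return 200, {}
    origin = "http://" + headers.get("host", "") + lines[0].split(" ")[1]
    return 302, {"Location": PORTAL + "?next=" + quote(origin, safe="")}
```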
Benefits of each type
Transparent
No need to configure on each client
Can be used by software that has no proxy settings
Explicit
More obvious that traffic is being monitored
Can work in places that a transparent proxy would break stuff
More likely to give useful error messages if the proxy fails
Step3:
Explicit proxy config:
Enable explicit proxy first, then set the interface it listens on.
Transparent proxy config:
What should you go for?
There are ups and downs with both types of web proxies and choosing one of them depends on
the particularities of the IT environments such as requirements, processes and policies already
in place.
But it is always better when there are options to choose from, so the new GFI WebMonitor 10
delivers, along with explicit proxy functionality, transparent proxy support. This includes
integrated and basic authentication functionality enabling IT admins to take advantage of all
the benefits of this technology without compromising on security features such as web
authentication.
Furthermore, it depends on the client's choice and requirements. Explicit proxy is the older,
traditional proxy system, and transparent proxy was introduced in newer FortiOS versions.
https://mikeyurick.com/fortinet-fortigate-transparent-web-proxy-on-v6-x-setup-walkthrough/
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-WAN-opt-54/web_proxy.htm#Example_explicit_web_proxy_topology
To enable the explicit web proxy - web-based manager:
1. Go to Network > Explicit Proxy and enable Explicit Web Proxy. From here you can optionally
change the HTTP port that the proxy listens on (the default is 8080) and optionally specify different
ports for HTTPS, FTP, PAC, and other options.
3. Select Apply.
4. Go to Network > Interfaces and select one or more interfaces for which to enable the explicit web
proxy. Edit the interface and select Enable Explicit Web Proxy.
5. Go to Policy & Objects > Explicit Proxy Policy and select Create New. Configure the policy as required to
accept the traffic that you want to be allowed to use the explicit web proxy.