Fortigate - Transparent proxy (vpavlov)

The document outlines the configuration steps for setting up an LDAP server connection, creating a user group for firewall access, and establishing a proxy with captive portal authentication. It includes detailed commands for configuring firewall profiles, user authentication schemes, and browser settings for users. Additionally, it emphasizes the importance of importing necessary certificates and configuring browser settings for seamless integration with the proxy service.

Uploaded by El Thierry

1. Configure the connection to the LDAP server

fg60e (ldap) # show
config user ldap
    edit "lab.test"
        set server "172.16.1.202"
        set cnid "userPrincipalName"
        set dn "DC=lab,DC=test"
        set type regular
        set username "CN=Fortigate read account,CN=Users,DC=lab,DC=test"
        set password ENC NtjDybSGMTqYS52W1riyrPfmuTpwVgSMkIXwKzbH0Olp96GUdAG97b3tH59iJS+rumLcoA4eb4G0ZjrgLwBEg5U+dLjQqJCniaSWjvKsP8RbaMcgbY/snGb+CIqgyYvu7sX2oiUCumsOllaq2wuOD6jAugnFDxa2jHp4Rcf7GOYCQLz27Z16usQZnQK123J62V7hOg==
    next
end

2. Create a user group of type Firewall

fg60e (domain_users_FW_group) # show
config user group
    edit "domain_users_FW_group"
        set member "lab.test"
        config match
            edit 1
                set server-name "lab.test"
                set group-name "CN=Domain Users,CN=Users,DC=lab,DC=test"
            next
        end
    next
end

3. Create a config firewall profile-protocol-options profile that redirects requests to the proxy

- Apply the profile in the IPv4 policy.
- Create a Transparent proxy policy.
- Both rules must use the SSL deep inspection profile.
- In the proxy policy, specify the user group.
4. Enable the proxy captive portal on the interface where the proxy is active
(not to be confused with the regular captive portal: «set security-mode captive-portal»)

fg60e (internal7) # show
config system interface
    edit "internal7"
        set explicit-web-proxy enable
        set proxy-captive-portal enable
    next
end

5. Create an address entry for the captive portal

fg60e (fg60e.lab.test) # show
config firewall address
    edit "fg60e.lab.test"
        set type fqdn
        set fqdn "fg60e.lab.test"   <<- There must also be a record in the local DNS pointing to the proxy IP on the FortiGate
                                        (in my case the IP of interface internal7, 192.168.203.1)
    next
end

6. Import the Kerberos keytab obtained from AD

fg60e (krb-keytab) # show
config user krb-keytab
    edit "http_service"
        set principal "HTTP/FG60E.LAB.TEST@LAB.TEST"   <<- Upper-case letters. When creating the SPN record in AD, also use
                                                          upper-case letters. Example: setspn -A HTTP/FG60E.LAB.TEST LAB\http-delegator
        set ldap-server "lab.test"
        set keytab "BQIAAAA3AAIACExBQi5URVNUAARIVFRQAA5GRzYwRS5MQUIuVEVTVAAAAAEAAAAAAwABAAgQSauR2Sx6YQAAADcAAgAITEFCLlRFU1QABEhUVFAADkZHNjBFLkxBQi5URVNUAAAAAQAAAAADAAMACBBJq5HZLHphAAAAPwACAAhMQUIuVEVTVAAESFRUUAAORkc2MEUuTEFCLlRFU1QAAAABAAAAAAMAFwAQPm4SXWq2jTsCbp6MvMiX7QAAAE8AAgAITEFCLlRFU1QABEhUVFAADkZHNjBFLkxBQi5URVNUAAAAAQAAAAADABIAIBjGh7lMsS8i28dbJmwRk0jIWR6kDTuso65UbdgiOXdGAAAAPwACAAhMQUIuVEVTVAAESFRUUAAORkc2MEUuTEFCLlRFU1QAAAABAAAAAAMAEQAQXxWl8ClJVvlcNB9lyvs7rA=="
    next
end

7. Create an authentication scheme

fg60e (kerb-auth) # show
config authentication scheme
    edit "kerb-auth"
        set method negotiate
        set negotiate-ntlm disable
        set kerberos-keytab "http_service"
    next
end

8. Create an authentication rule

fg60e (krb_auth_rule) # show
config authentication rule
    edit "krb_auth_rule"
        set srcaddr "subnet_203.0"
        set ip-based disable
        set active-auth-method "kerb-auth"
        set web-auth-cookie enable
    next
end

9. Specify the captive portal to use and the port number for authentication

fg60e # show authentication setting
config authentication setting
    set active-auth-scheme "kerb-auth"
    set captive-portal "fg60e.lab.test"
    set captive-portal-port 9998
end

10. Configure the user's browser

Client browser configuration is required (even for the transparent web proxy):
- Import the FGT root CA into the web browser for SSL (downloaded from the FGT SSL profile)
- IE/Chrome/Edge:
  » Internet Options -> Security -> Local Intranet -> Advanced -> add http://fg60e.lab.test
- Firefox:
  » about:config -> network.negotiate-auth.trusted-uris -> fg60e.lab.test (Kerberos)
  » about:config -> network.automatic-ntlm-auth.trusted-uris -> fg60e.lab.test (NTLM)
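As an added check that is not part of the original document, the following Python script parses FortiGate "show" output in the format of the blocks above and flags two pitfalls the steps warn about: a keytab principal that is not upper-case HTTP/<HOST>@<REALM> (step 6), and a captive-portal name (step 9) with no matching FQDN address object (step 5). The SAMPLE config is constructed from those steps.

```python
# Added example (not from the page): sanity checks for the Kerberos proxy setup.
# SAMPLE is a constructed FortiGate "show" excerpt in the format used above.
import re
import shlex

SAMPLE = """config user krb-keytab
edit "http_service"
set principal "HTTP/FG60E.LAB.TEST@LAB.TEST"
end
config firewall address
edit "fg60e.lab.test"
set type fqdn
set fqdn "fg60e.lab.test"
end
config authentication setting
set captive-portal "fg60e.lab.test"
end"""

def parse(text):
    """FortiGate CLI text -> {table: {entry: {key: value}}}; table-level keys under ""."""
    tree, stack, table, entry = {}, [], None, ""
    for w in map(shlex.split, text.splitlines()):
        if w and w[0] == "config":            # new table, possibly nested inside an edit
            stack.append((table, entry))
            table, entry = " ".join(w[1:]), ""
            tree.setdefault(table, {"": {}})
        elif w and w[0] == "edit":
            entry = w[1]
            tree[table].setdefault(entry, {})
        elif w and w[0] == "set":
            tree[table][entry][w[1]] = " ".join(w[2:])
        elif w and w[0] == "end":
            table, entry = stack.pop()
    return tree

def check(tree):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    for name, kt in tree.get("user krb-keytab", {}).items():
        p = kt.get("principal")
        # the SPN registered in AD is upper-case, so the keytab principal must be too
        if p is not None and not re.fullmatch(r"HTTP/[A-Z0-9.\-]+@[A-Z0-9.\-]+", p):
            problems.append(f"{name}: principal {p!r} is not upper-case HTTP/<HOST>@<REALM>")
    setting = tree.get("authentication setting", {}).get("", {})
    portal = setting.get("captive-portal", "")
    addr = tree.get("firewall address", {}).get(portal, {})
    if addr.get("type") != "fqdn" or addr.get("fqdn", "").lower() != portal.lower():
        problems.append(f"captive-portal {portal!r} has no matching FQDN address object")
    return problems
```

Run it against the output of `show user krb-keytab`, `show firewall address` and `show authentication setting` pasted together; the DNS record from step 5 still has to be verified separately.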
