Lately, I've been exposed to the rather excellent Fortinet Secure Web Gateway appliance; FortiProxy. I know, I know you could do some of what FPX does with your FortiGate, yes sure; you could. Now, should you?
Honestly, the more I think about it, the clearer my view on the above question actually is; you shouldn't. Period.
In my view and since I've implemented the FortiProxy SWG in my labs, everything appears much more logical. The architecture as well as the breakout path is now sharp and clear. Let me summarize what I've found as really neat add-ons from running the FPX SWG solution:
- FortiProxy is now my only explicit local break out.
- FortiProxy is now my only recursive DNS break out.
- FortiProxy is now my only Deep Packet Interception bridge.
- All my FortiGates' rules, policies and traffic paths are now much clearer --> FPX as my local breakout ONLY.
- FortiProxy is able to handle all my Web Filtering, Application Control, Anti-Virus, IPS sensors, easy-to-set-up DLP filters etc.
- FortiProxy offers a Content Analysis module, intercepting and replacing configurable undesirable contents in flight.
- You can implement your SWG in either Transparent or Explicit Proxy mode.
- SSL Interception deciphered traffic can be SPAN'ed towards your IDS/IPS/ATP solution of choice (a FortiSandbox port in sniffer mode, a Security Onion box...)
- AV uses pre and stream-based scanning on Web Traffic, allowing scans of oversized files etc.
- All the usual Authentication protocols are supported, FSSO, RADIUS, Kerberos, SAML etc.
- FortiProxy has been designed for Web Security, Threat Protection, Visibility, Compliance and last but really not least, Speed!
- FortiProxy sports DNS Filtering possibilities, I really like 'em a lot.
- If browser isolation is needed, FortiProxy integrates natively with FortiIsolator, providing browser isolation at the FPX Policy level.
- Anti-DNS Poisoning available on Transparent Proxy Policies.
- External Threat Lists are supported.
- Multiple PAC files management through the use of PAC policies.
- etc etc...
To me, one of the massive advantages of implementing a SWG was that suddenly, depending on the complexity of your environment of course, your endpoints' traffic, which host goes where and for what reason, is crystal clear. Follow the path to the SWG and there you have all the needed answers.
Also, odd endpoint behaviors are spotted in no time: anything that deviates from the FPX target fqdn:proxyport shall be subject to scrutiny.
Implementation took literally 10 minutes. I haven't yet discovered all the corners of the solution, although really, it couldn't be easier to set up and deploy. Instant FSSO integration, so if you've got your FortiGates/FortiAuthenticator combo ready you should be up and running in no time.
I've decided to dedicate a port for management purposes and configured another available port (10 ports available on my VM-based setup) sitting in a dedicated internal FPX Zone serving as my main proxy service port, and finally a WAN uplink port.
Basically, I've now concentrated all the DPI-enabled Explicit Proxy policies that were spread apart on different FortiGate NGFWs (with some DPI exemptions, Windows Updates specials etc) on the FortiProxy SWG, rerouted all my web traffic towards the FPX box, set up my Content Analysis Security Profiles, Web Filtering, IPS, AV, SandBox integration etc, added my FAC-generated and endpoint-trusted certificates and really, that was it. I've also set up a proxy.pac file that is very simple yet effective for my use cases (for me served on a dedicated FPX-PAC port, off the usual proxying port).
The last item needed was to implement the Explicit Proxy Services on the endpoints, which I did at the OS level on Windows boxes, and I conducted testing on Linux-based hosts.
A good resource for helping you on generating your PAC file content is this one: https://web.archive.org/web/20201210040800/https://findproxyforurl.com/
At the time of writing of this article, the aforementioned website appeared down, hence the archive.org link.
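A minimal PAC file for the layout described above (one SWG breakout, internal destinations direct), given here as an added example and not the author's own proxy.pac. The proxy name `fpx.lab.example`, port `8080` and the `.lab.example` zone are placeholder assumptions.

```javascript
// Added example, not the author's proxy.pac. Host name, port and internal
// zone are placeholders (assumptions). ES3 style for older PAC engines.
var SWG = "PROXY fpx.lab.example:8080"; // hypothetical FPX fqdn:proxyport
var INTERNAL_SUFFIX = ".lab.example";   // hypothetical internal DNS zone

// Convert a dotted IPv4 literal to a number for mask comparison.
function ip4ToInt(ip) {
  var p = ip.split("."), n = 0, i;
  for (i = 0; i < 4; i++) { n = n * 256 + parseInt(p[i], 10); }
  return n;
}

// Browsers supply the PAC helpers. These stand-ins are assigned only when
// the helpers are absent, so the file can also be exercised under Node.js.
var isPlainHostName, dnsDomainIs, isInNet;
if (typeof isPlainHostName !== "function") {
  isPlainHostName = function (h) { return h.indexOf(".") === -1; };
  dnsDomainIs = function (h, d) {
    return h.length >= d.length && h.substring(h.length - d.length) === d;
  };
  isInNet = function (ip, net, mask) {
    var m = ip4ToInt(mask);
    return (ip4ToInt(ip) & m) === (ip4ToInt(net) & m);
  };
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Only test IP literals against networks: no DNS lookups inside the PAC.
  var isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);

  // Internal names (including the proxy itself) stay off the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_SUFFIX)) {
    return "DIRECT";
  }
  // RFC 1918 and loopback literals stay off the proxy.
  if (isIp && (isInNet(host, "10.0.0.0", "255.0.0.0") ||
               isInNet(host, "172.16.0.0", "255.240.0.0") ||
               isInNet(host, "192.168.0.0", "255.255.0.0") ||
               isInNet(host, "127.0.0.0", "255.0.0.0"))) {
    return "DIRECT";
  }
  // Everything else goes to the SWG with no "; DIRECT" fallback, so an
  // unreachable proxy fails closed instead of bypassing inspection.
  return SWG;
}
```

PAC files are conventionally served with the MIME type `application/x-ns-proxy-autoconfig`.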
And here is the FortiProxy datasheet: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiProxy.pdf
In the hope that you've found this article useful.
Image Credits: Saqib Hussain - https://huzzain.artstation.com/