Fortigate Explicit proxy PAC file

A PAC file can be used with the FortiGate explicit proxy. The PAC file uses JavaScript to control how the explicit proxy is used, for example to bypass the proxy when going to certain websites or networks, or to return different proxies. By returning different proxies you could theoretically load balance requests. I am using this PAC file at a school where we proxy all student iPad traffic back to the FortiGate for web filtering and logging.

The PAC entry point is FindProxyForURL(url, host). There are a number of helper functions available – a few are:

dnsDomainIs() – Returns the domain name of the requested server

isInNet() – This function will return true if the host is in the subnet you specify.

For example – if (isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT"; – This would not proxy traffic for anything on the 192.168.0.0/16 subnet.

shExpMatch() – This evaluates a shell-style pattern you enter against the requested host. So for example

if (shExpMatch(host, "*.google.com")) {return "DIRECT";} – This would not proxy traffic going to google.com hosts


There are about 10 functions – including days of the week, time ranges etc. A quick Google search will list them all – but here is a link from our friends at Websense: http://www.websense.com/content/support/library/web/v76/pac_file_best_practices/PAC_best_pract.aspx

Below is an example of a Fortinet PAC file that bypasses the proxy for many websites (return DIRECT) and otherwise returns the proxy.

—————

function FindProxyForURL(url, host) {

    // Hosts that should never go through the proxy
    if (shExpMatch(host, "*.akadns.net")) {return "DIRECT";}
    if (shExpMatch(host, "*.akamai.net")) {return "DIRECT";}
    if (shExpMatch(host, "*.akamaiedge.net")) {return "DIRECT";}
    if (shExpMatch(host, "*.akamaihd.net")) {return "DIRECT";}
    if (shExpMatch(host, "*.amazon.com")) {return "DIRECT";}
    if (shExpMatch(host, "*.amazonaws.com")) {return "DIRECT";}
    if (shExpMatch(host, "*.apple.com")) {return "DIRECT";}
    if (shExpMatch(host, "*.dropbox.com")) {return "DIRECT";}
    if (shExpMatch(host, "*.edim.co")) {return "DIRECT";}
    if (shExpMatch(host, "*.edmodo.com")) {return "DIRECT";}
    if (shExpMatch(host, "*.icloud.com")) {return "DIRECT";}
    if (shExpMatch(host, "*.ket.org")) {return "DIRECT";}

    // Local subnets are reached directly (dnsResolve returns null if the lookup fails,
    // and null is not in any subnet, so an unresolvable host falls through to the proxy)
    if (isInNet(dnsResolve(host), "10.11.0.0", "255.255.0.0")) {
        return "DIRECT"; // if the server is in my local subnet
    }
    if (isInNet(dnsResolve(host), "10.44.0.0", "255.255.0.0")) {
        return "DIRECT"; // or this subnet
    }

    // Everything else goes to the explicit proxy; the client tries example2 if example is down
    return "PROXY example:8888; PROXY example2:8888";
}
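To check bypass rules like the ones explained above (shExpMatch, isInNet, dnsDomainIs, dnsResolve) before loading a PAC file onto the FortiGate, here is an added, self-contained JavaScript harness. It is example code written for this post, not Fortinet's or the author's: it reimplements the four helpers the way the reference PAC engine behaves, backs dnsResolve with a constructed lookup table (the host names and addresses in it are made up), and wires them to a FindProxyForURL that keeps the decision order of the example above with a subset of its bypass list, its two subnets and its two proxies. It runs under Node without network access.

```javascript
// Offline harness for the PAC helper functions. Added example, not FortiGate or
// Fortinet code; the DNS table below is constructed for the demonstration.

// Constructed stand-in for the resolver a real PAC engine provides.
const constructedDns = {
  "fileserver.school.example": "10.11.5.20", // inside 10.11.0.0/16
  "printer.school.example": "10.44.1.9",     // inside 10.44.0.0/16
  "www.example.org": "203.0.113.10",         // outside both subnets
};

// dnsResolve(host): dotted-quad string, or null when the lookup fails.
// Real engines also return null on failure, so callers must cope with it.
function dnsResolve(host) {
  return Object.prototype.hasOwnProperty.call(constructedDns, host) ? constructedDns[host] : null;
}

// Convert "a.b.c.d" to an unsigned 32-bit integer; null if malformed.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) return null;
    value = value * 256 + Number(part);
  }
  return value;
}

// isInNet(ip, net, mask): true when ip falls inside net/mask.
function isInNet(ip, net, mask) {
  if (typeof ip !== "string") return false; // null from a failed dnsResolve
  const i = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
  if (i === null || n === null || m === null) return false;
  return ((i & m) >>> 0) === ((n & m) >>> 0);
}

// shExpMatch(str, shexp): shell-style glob where * matches any run of
// characters and ? exactly one; everything else is literal.
function shExpMatch(str, shexp) {
  const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
  return re.test(str);
}

// dnsDomainIs(host, domain): plain case-insensitive suffix test, as in the
// reference implementation. "example.org" therefore also matches "notexample.org";
// write ".example.org" when you mean that domain and its subdomains only.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}

// Same decision order as the post's PAC file: glob bypass list first, then the
// two local subnets, then the proxy chain for everything else.
const BYPASS_PATTERNS = ["*.apple.com", "*.icloud.com", "*.dropbox.com"]; // subset of the post's list
const PROXY_CHAIN = "PROXY example:8888; PROXY example2:8888";

function FindProxyForURL(url, host) {
  for (const pattern of BYPASS_PATTERNS) {
    if (shExpMatch(host, pattern)) return "DIRECT";
  }
  const ip = dnsResolve(host); // resolve once, reuse for both subnet checks
  if (isInNet(ip, "10.11.0.0", "255.255.0.0")) return "DIRECT";
  if (isInNet(ip, "10.44.0.0", "255.255.0.0")) return "DIRECT";
  return PROXY_CHAIN;
}

// Run a table of sample hosts through the rules as a manual check.
const SAMPLE_HOSTS = ["www.apple.com", "apple.com", "fileserver.school.example",
                      "printer.school.example", "www.example.org", "unknown.example"];
for (const h of SAMPLE_HOSTS) {
  console.log(h.padEnd(28), "->", FindProxyForURL("http://" + h + "/", h));
}
```

Two things the sample table makes visible that matter for a filtering deployment: "*.apple.com" does not match the bare host "apple.com", so that request still goes through the proxy unless a second pattern is added, and a host that fails to resolve falls through to the proxy rather than being treated as local, which is the safe default for a web-filtering setup.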
