Fortigate Explicit proxy PAC file

A PAC file can be used with the explicit proxy of the Fortigate. The PAC file is a small piece of JavaScript that runs on the client and tells it, per request, whether to use the explicit proxy and which proxy to use. For example, you can bypass the proxy when going to certain websites/networks, or return different proxies for different destinations. By returning different proxies you could theoretically load balance requests. I am using this PAC file at a school where we proxy all of the students' iPad traffic back to the Fortigate for web filtering/logging.

The entry point of every PAC file is FindProxyForURL(url, host): the client calls it for each request and acts on the string it returns ("DIRECT", or one or more "PROXY host:port" entries separated by semicolons). A number of helper functions are available inside it – a few are:

dnsDomainIs(host, domain) – Returns true if the requested host belongs to the given domain, i.e. the host name ends with it. Pass the domain with a leading dot, e.g. dnsDomainIs(host, ".example.com"), so that notexample.com does not match as well.

isInNet(host, pattern, mask) – Returns true if the host's IP address is in the subnet given by pattern and mask. If you pass a host name rather than an IP address, the PAC engine resolves it, which costs a DNS lookup per request; writing isInNet(dnsResolve(host), ...) makes that lookup explicit.

For example – if (isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT"; – This would not proxy traffic for anything on the 192.168.0.0/16 subnet. Watch the mask: 255.240.0.0 is a /12, so it would match everything from 192.160.0.0 to 192.175.255.255, not just 192.168.x.x.

shExpMatch(str, shexp) – Matches a string (usually host or url) against a shell-style wildcard pattern, where * matches any run of characters and ? matches a single character. So for example

if (shExpMatch(host, "*.google.com")) {return "DIRECT";} – This would not proxy traffic going to any host under google.com. Note that the pattern requires the dot, so the bare host google.com does not match "*.google.com"; add a second line for it if you need both.

 

There are about a dozen of these functions, including weekdayRange(), dateRange() and timeRange() for day-of-week and time-of-day based rules. A quick Google search will show all of them, but here is a link from our friends at Websense: http://www.websense.com/content/support/library/web/v76/pac_file_best_practices/PAC_best_pract.aspx

Below is an example PAC file for the Fortigate explicit proxy that bypasses the proxy for a list of websites and two local subnets (return DIRECT) and otherwise returns the proxy. Keep in mind that every wildcard line is a hole in the web filtering and logging: anything served from those domains (Akamai, Amazon AWS, Dropbox and so on) never reaches the Fortigate, so keep the list as short as your devices allow.

—————

function FindProxyForURL(url, host) {

    // Hosts that bypass the proxy entirely (note: "*.apple.com" does not match the bare "apple.com")
    if (shExpMatch(host, "*.akadns.net")) {return "DIRECT";}
    if (shExpMatch(host, "*.akamai.net")) {return "DIRECT";}
    if (shExpMatch(host, "*.akamaiedge.net")) {return "DIRECT";}
    if (shExpMatch(host, "*.akamaihd.net")) {return "DIRECT";}
    if (shExpMatch(host, "*.amazon.com")) {return "DIRECT";}
    if (shExpMatch(host, "*.amazonaws.com")) {return "DIRECT";}
    if (shExpMatch(host, "*.apple.com")) {return "DIRECT";}
    if (shExpMatch(host, "*.dropbox.com")) {return "DIRECT";}
    if (shExpMatch(host, "*.edim.co")) {return "DIRECT";}
    if (shExpMatch(host, "*.edmodo.com")) {return "DIRECT";}
    if (shExpMatch(host, "*.icloud.com")) {return "DIRECT";}
    if (shExpMatch(host, "*.ket.org")) {return "DIRECT";}

    // Resolve the host once (one DNS lookup), then test it against the local subnets
    var ip = dnsResolve(host);

    if (isInNet(ip, "10.11.0.0", "255.255.0.0")) {
        return "DIRECT"; // if the server is in my local subnet
    }
    if (isInNet(ip, "10.44.0.0", "255.255.0.0")) {
        return "DIRECT"; // or this subnet
    }
    else {
        return "PROXY example:8888; PROXY example2:8888";
    }
}
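To check a PAC file before pushing it to the Fortigate, it helps to run FindProxyForURL outside a browser. The harness below is an added example, not code from the original post or from Fortinet: it re-implements the helpers used on this page (shExpMatch, isInNet, dnsResolve, dnsDomainIs) in plain JavaScript following the classic PAC semantics, and runs a shortened version of the PAC logic above against a table of constructed cases. The DNS table, host names, subnets and proxy names are assumptions. It also exercises the two gotchas from the function descriptions: a pattern like "*.apple.com" does not match the bare apple.com, and a failed dnsResolve() (null) falls through to the proxy rather than to DIRECT.

```javascript
// Added example (not from the original post): an offline harness for testing a
// Fortigate-style PAC file in Node.js before uploading it. Browsers and the
// Fortigate supply the PAC helper functions natively; the versions below follow
// the classic Netscape PAC semantics for the subset this page uses. The DNS
// table, subnets and proxy names are constructed assumptions for the example.

// Constructed DNS table standing in for real resolution.
const FAKE_DNS = {
  "intranet.school.local": "10.11.5.20",   // inside 10.11.0.0/16
  "lab.school.local": "10.44.0.9",         // inside 10.44.0.0/16
  "www.example.org": "203.0.113.10",       // a public address (TEST-NET-3)
};

// dnsResolve(host): the IP as a dotted quad, or null when resolution fails.
function dnsResolve(host) {
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// isInNet(ip, pattern, mask): true when (ip & mask) == (pattern & mask).
// Real engines resolve a host name passed as the first argument, which costs a
// DNS lookup per request; this version insists on an IP literal so that the
// lookup stays explicit (a null from a failed dnsResolve is simply "not in net").
function isInNet(ip, pattern, mask) {
  if (typeof ip !== "string" || !/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(pattern) & m);
}

// dnsDomainIs(host, domain): true when host ends with domain. Pass the domain
// with a leading dot (".google.com") so that "notgoogle.com" does not match.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

// shExpMatch(str, shexp): shell-style wildcard match over the whole string,
// where * matches any run of characters and ? exactly one character.
function shExpMatch(str, shexp) {
  const escaped = shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}

// The PAC logic, in the same shape as the file above (shorter bypass list).
const BYPASS_PATTERNS = ["*.akadns.net", "*.akamai.net", "*.apple.com", "*.icloud.com"];
const LOCAL_NETS = [["10.11.0.0", "255.255.0.0"], ["10.44.0.0", "255.255.0.0"]];
const PROXIES = "PROXY example:8888; PROXY example2:8888";

function FindProxyForURL(url, host) {
  for (const pattern of BYPASS_PATTERNS) {
    if (shExpMatch(host, pattern)) return "DIRECT";
  }
  const ip = dnsResolve(host);              // resolve once, not once per subnet
  for (const [net, mask] of LOCAL_NETS) {
    if (isInNet(ip, net, mask)) return "DIRECT";
  }
  return PROXIES;
}

// A table of (url, host, expected) cases; runChecks() returns the mismatches,
// so an empty array means the PAC behaves as intended.
const CASES = [
  ["https://www.apple.com/",        "www.apple.com",         "DIRECT"],
  ["https://apple.com/",            "apple.com",             PROXIES],  // no dot: "*.apple.com" misses it
  ["http://intranet.school.local/", "intranet.school.local", "DIRECT"],
  ["http://lab.school.local/",      "lab.school.local",      "DIRECT"],
  ["http://www.example.org/",       "www.example.org",       PROXIES],
  ["http://unresolvable.invalid/",  "unresolvable.invalid",  PROXIES],  // failed lookup falls through to the proxy
];

function runChecks() {
  return CASES
    .map(([url, host, want]) => ({ url, host, want, got: FindProxyForURL(url, host) }))
    .filter((c) => c.got !== c.want);
}

const failures = runChecks();
console.log(failures.length === 0 ? "all PAC checks passed" : failures);
```

Run it with node; an empty list from runChecks() means every case returned what you expected. Add a case for every host you care about, and in particular one for every bypass line, since each of those is traffic the Fortigate will never see.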

TravelingPacket - A blog of network musings
