Fortinet white logo
Fortinet white logo

CLI Reference

config web-proxy global

config web-proxy global

Configure Web proxy global settings.

config web-proxy global
    Description: Configure Web proxy global settings.
    set fast-policy-match [enable|disable]
    set forward-proxy-auth [enable|disable]
    set forward-server-affinity-timeout {integer}
    set learn-client-ip [enable|disable]
    set learn-client-ip-from-header {option1}, {option2}, ...
    set learn-client-ip-srcaddr <name1>, <name2>, ...
    set learn-client-ip-srcaddr6 <name1>, <name2>, ...
    set max-message-length {integer}
    set max-request-length {integer}
    set max-waf-body-cache-length {integer}
    set proxy-fqdn {string}
    set ssl-ca-cert {string}
    set ssl-cert {string}
    set strict-web-check [enable|disable]
    set tunnel-non-http [enable|disable]
    set unknown-http-version [reject|tunnel|...]
    set webproxy-profile {string}
end

config web-proxy global

Parameter

Description

Type

Size

fast-policy-match

Enable/disable fast matching algorithm for explicit and transparent proxy policy.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

forward-proxy-auth

Enable/disable forwarding proxy authentication headers.

option

-

Option

Description

enable

Enable forwarding proxy authentication headers.

disable

Disable forwarding proxy authentication headers.

forward-server-affinity-timeout

Period of time before the source IP's traffic is no longer assigned to the forwarding server.

integer

Minimum value: 6 Maximum value: 60

learn-client-ip

Enable/disable learning the client's IP address from headers.

option

-

Option

Description

enable

Enable learning the client's IP address from headers.

disable

Disable learning the client's IP address from headers.

learn-client-ip-from-header

Learn client IP address from the specified headers.

option

-

Option

Description

true-client-ip

Learn the client IP address from the True-Client-IP header.

x-real-ip

Learn the client IP address from the X-Real-IP header.

x-forwarded-for

Learn the client IP address from the X-Forwarded-For header.

learn-client-ip-srcaddr <name>

Source address name (srcaddr or srcaddr6 must be set).

Address name.

string

Maximum length: 79

learn-client-ip-srcaddr6 <name>

IPv6 Source address name (srcaddr or srcaddr6 must be set).

Address name.

string

Maximum length: 79

max-message-length

Maximum length of HTTP message, not including body.

integer

Minimum value: 16 Maximum value: 256

max-request-length

Maximum length of HTTP request line.

integer

Minimum value: 2 Maximum value: 64

max-waf-body-cache-length

Maximum length of HTTP messages processed by Web Application Firewall.

integer

Minimum value: 10 Maximum value: 1024

proxy-fqdn

Fully Qualified Domain Name to connect to the explicit web proxy.

string

Maximum length: 255

ssl-ca-cert

SSL CA certificate for SSL interception.

string

Maximum length: 35

ssl-cert

SSL certificate for SSL interception.

string

Maximum length: 35

strict-web-check

Enable/disable strict web checking to block web sites that send incorrect headers that don't conform to HTTP 1.1.

option

-

Option

Description

enable

Enable strict web checking.

disable

Disable strict web checking.

tunnel-non-http

Enable/disable allowing non-HTTP traffic. Allowed non-HTTP traffic is tunneled.

option

-

Option

Description

enable

Allow non-HTTP traffic.

disable

Block non-HTTP traffic.

unknown-http-version

Action to take when an unknown version of HTTP is encountered: reject, allow (tunnel), or proceed with best-effort.

option

-

Option

Description

reject

Rejects requests with unknown HTTP version.

tunnel

Tunnels requests with unknown HTTP version.

best-effort

Allow unknown HTTP requests and process them using best efforts.

webproxy-profile

Name of the web proxy profile to apply when explicit proxy traffic is allowed by default and traffic is accepted that does not match an explicit proxy policy.

string

Maximum length: 63

config web-proxy global

config web-proxy global

Configure Web proxy global settings.

config web-proxy global
    Description: Configure Web proxy global settings.
    set fast-policy-match [enable|disable]
    set forward-proxy-auth [enable|disable]
    set forward-server-affinity-timeout {integer}
    set learn-client-ip [enable|disable]
    set learn-client-ip-from-header {option1}, {option2}, ...
    set learn-client-ip-srcaddr <name1>, <name2>, ...
    set learn-client-ip-srcaddr6 <name1>, <name2>, ...
    set max-message-length {integer}
    set max-request-length {integer}
    set max-waf-body-cache-length {integer}
    set proxy-fqdn {string}
    set ssl-ca-cert {string}
    set ssl-cert {string}
    set strict-web-check [enable|disable]
    set tunnel-non-http [enable|disable]
    set unknown-http-version [reject|tunnel|...]
    set webproxy-profile {string}
end

config web-proxy global

Parameter

Description

Type

Size

fast-policy-match

Enable/disable fast matching algorithm for explicit and transparent proxy policy.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

forward-proxy-auth

Enable/disable forwarding proxy authentication headers.

option

-

Option

Description

enable

Enable forwarding proxy authentication headers.

disable

Disable forwarding proxy authentication headers.

forward-server-affinity-timeout

Period of time before the source IP's traffic is no longer assigned to the forwarding server.

integer

Minimum value: 6 Maximum value: 60

learn-client-ip

Enable/disable learning the client's IP address from headers.

option

-

Option

Description

enable

Enable learning the client's IP address from headers.

disable

Disable learning the client's IP address from headers.

learn-client-ip-from-header

Learn client IP address from the specified headers.

option

-

Option

Description

true-client-ip

Learn the client IP address from the True-Client-IP header.

x-real-ip

Learn the client IP address from the X-Real-IP header.

x-forwarded-for

Learn the client IP address from the X-Forwarded-For header.

learn-client-ip-srcaddr <name>

Source address name (srcaddr or srcaddr6 must be set).

Address name.

string

Maximum length: 79

learn-client-ip-srcaddr6 <name>

IPv6 Source address name (srcaddr or srcaddr6 must be set).

Address name.

string

Maximum length: 79

max-message-length

Maximum length of HTTP message, not including body.

integer

Minimum value: 16 Maximum value: 256

max-request-length

Maximum length of HTTP request line.

integer

Minimum value: 2 Maximum value: 64

max-waf-body-cache-length

Maximum length of HTTP messages processed by Web Application Firewall.

integer

Minimum value: 10 Maximum value: 1024

proxy-fqdn

Fully Qualified Domain Name to connect to the explicit web proxy.

string

Maximum length: 255

ssl-ca-cert

SSL CA certificate for SSL interception.

string

Maximum length: 35

ssl-cert

SSL certificate for SSL interception.

string

Maximum length: 35

strict-web-check

Enable/disable strict web checking to block web sites that send incorrect headers that don't conform to HTTP 1.1.

option

-

Option

Description

enable

Enable strict web checking.

disable

Disable strict web checking.

tunnel-non-http

Enable/disable allowing non-HTTP traffic. Allowed non-HTTP traffic is tunneled.

option

-

Option

Description

enable

Allow non-HTTP traffic.

disable

Block non-HTTP traffic.

unknown-http-version

Action to take when an unknown version of HTTP is encountered: reject, allow (tunnel), or proceed with best-effort.

option

-

Option

Description

reject

Rejects requests with unknown HTTP version.

tunnel

Tunnels requests with unknown HTTP version.

best-effort

Allow unknown HTTP requests and process them using best efforts.

webproxy-profile

Name of the web proxy profile to apply when explicit proxy traffic is allowed by default and traffic is accepted that does not match an explicit proxy policy.

string

Maximum length: 63