Fortinet white logo
Fortinet white logo

Administration Guide

Explicit web proxy

Explicit web proxy

Explicit web proxy can be configured on FortiGate for proxying HTTP and HTTPS traffic.

To deploy explicit proxy, individual client browsers can be manually configured to send requests directly to the proxy, or they can be configured to download proxy configuration instructions from a Proxy Auto-Configuration (PAC) file.

When explicit proxy is configured on an interface, the interface IP address can be used by client browsers to forward requests directly to the FortiGate. FortiGate also supports PAC file configuration.

To configure explicit web proxy in the GUI:
  1. Enable and configure explicit web proxy:
    1. Go to Network > Explicit Proxy.
    2. Enable Explicit Web Proxy.
    3. Select port2 as the Listen on Interfaces and set the HTTP Port to 8080.
    4. Configure the remaining settings as needed.

    5. Click Apply.
  2. Create an explicit web proxy policy:
    1. Go to Policy & Objects > Proxy Policy.
    2. Click Create New.
    3. Set Proxy Type to Explicit Web and Outgoing Interface to port1.
    4. Also set Source and Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.

    5. Click OK to create the policy.
  3. Note

    This example creates a basic policy. If required, security profiles can be enabled, and deep SSL inspection can be selected to inspect HTTPS traffic.

  4. Configure a client to use the FortiGate explicit proxy:

    Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the PAC file.

To configure explicit web proxy in the CLI:
  1. Enable and configure explicit web proxy:
    config web-proxy explicit
        set status enable
        set ftp-over-http enable
        set socks enable
        set http-incoming-port 8080
        set ipv6-status enable
        set unknown-http-version best-effort
    end
    config system interface
        edit "port2"
            set vdom "vdom1"
            set ip 10.1.100.1 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
            set type physical
            set explicit-web-proxy enable
            set snmp-index 12
            end
        next
    end
  2. Create an explicit web proxy policy:
    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "webproxy"
            set action accept
            set schedule "always"
            set logtraffic all
        next
    end
  3. Note

    This example creates a basic policy. If required, security profiles can be enabled, and deep SSL inspection can be selected to inspect HTTPS traffic.

  4. Configure a client to use the FortiGate explicit web proxy:

    Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the PAC file.

Explicit web proxy

Explicit web proxy

Explicit web proxy can be configured on FortiGate for proxying HTTP and HTTPS traffic.

To deploy explicit proxy, individual client browsers can be manually configured to send requests directly to the proxy, or they can be configured to download proxy configuration instructions from a Proxy Auto-Configuration (PAC) file.

When explicit proxy is configured on an interface, the interface IP address can be used by client browsers to forward requests directly to the FortiGate. FortiGate also supports PAC file configuration.

To configure explicit web proxy in the GUI:
  1. Enable and configure explicit web proxy:
    1. Go to Network > Explicit Proxy.
    2. Enable Explicit Web Proxy.
    3. Select port2 as the Listen on Interfaces and set the HTTP Port to 8080.
    4. Configure the remaining settings as needed.

    5. Click Apply.
  2. Create an explicit web proxy policy:
    1. Go to Policy & Objects > Proxy Policy.
    2. Click Create New.
    3. Set Proxy Type to Explicit Web and Outgoing Interface to port1.
    4. Also set Source and Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.

    5. Click OK to create the policy.
  3. Note

    This example creates a basic policy. If required, security profiles can be enabled, and deep SSL inspection can be selected to inspect HTTPS traffic.

  4. Configure a client to use the FortiGate explicit proxy:

    Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the PAC file.

To configure explicit web proxy in the CLI:
  1. Enable and configure explicit web proxy:
    config web-proxy explicit
        set status enable
        set ftp-over-http enable
        set socks enable
        set http-incoming-port 8080
        set ipv6-status enable
        set unknown-http-version best-effort
    end
    config system interface
        edit "port2"
            set vdom "vdom1"
            set ip 10.1.100.1 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
            set type physical
            set explicit-web-proxy enable
            set snmp-index 12
            end
        next
    end
  2. Create an explicit web proxy policy:
    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "webproxy"
            set action accept
            set schedule "always"
            set logtraffic all
        next
    end
  3. Note

    This example creates a basic policy. If required, security profiles can be enabled, and deep SSL inspection can be selected to inspect HTTPS traffic.

  4. Configure a client to use the FortiGate explicit web proxy:

    Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the PAC file.