Fortinet white logo
Fortinet white logo

CLI Reference

config web-proxy explicit

config web-proxy explicit

Configure explicit Web proxy settings.

config web-proxy explicit
    Description: Configure explicit Web proxy settings.
    set ftp-incoming-port {user}
    set ftp-over-http [enable|disable]
    set http-incoming-port {user}
    set https-incoming-port {user}
    set https-replacement-message [enable|disable]
    set incoming-ip {ipv4-address-any}
    set incoming-ip6 {ipv6-address}
    set ipv6-status [enable|disable]
    set message-upon-server-error [enable|disable]
    set outgoing-ip {ipv4-address-any}
    set outgoing-ip6 {ipv6-address}
    set pac-file-data {user}
    set pac-file-name {string}
    set pac-file-server-port {user}
    set pac-file-server-status [enable|disable]
    set pac-file-url {user}
    config pac-policy
        Description: PAC policies.
        edit <policyid>
            set status [enable|disable]
            set srcaddr <name1>, <name2>, ...
            set srcaddr6 <name1>, <name2>, ...
            set dstaddr <name1>, <name2>, ...
            set pac-file-name {string}
            set pac-file-data {user}
            set comments {var-string}
        next
    end
    set pref-dns-result [ipv4|ipv6]
    set realm {string}
    set sec-default-action [accept|deny]
    set socks [enable|disable]
    set socks-incoming-port {user}
    set ssl-algorithm [high|medium|...]
    set status [enable|disable]
    set strict-guest [enable|disable]
    set trace-auth-no-rsp [enable|disable]
    set unknown-http-version [reject|tunnel|...]
end

config web-proxy explicit

Parameter

Description

Type

Size

Default

ftp-incoming-port

Accept incoming FTP-over-HTTP requests on one or more ports.

user

Not Specified

ftp-over-http

Enable to proxy FTP-over-HTTP sessions sent from a web browser.

option

-

disable

Option

Description

enable

Enable FTP-over-HTTP sessions.

disable

Disable FTP-over-HTTP sessions.

http-incoming-port

Accept incoming HTTP requests on one or more ports.

user

Not Specified

https-incoming-port

Accept incoming HTTPS requests on one or more ports.

user

Not Specified

https-replacement-message

Enable/disable sending the client a replacement message for HTTPS requests.

option

-

enable

Option

Description

enable

Display a replacement message for HTTPS requests.

disable

Do not display a replacement message for HTTPS requests.

incoming-ip

Restrict the explicit HTTP proxy to only accept sessions from this IP address. An interface must have this IP address.

ipv4-address-any

Not Specified

0.0.0.0

incoming-ip6

Restrict the explicit web proxy to only accept sessions from this IPv6 address. An interface must have this IPv6 address.

ipv6-address

Not Specified

::

ipv6-status

Enable/disable allowing an IPv6 web proxy destination in policies and all IPv6 related entries in this command.

option

-

disable

Option

Description

enable

Enable allowing an IPv6 web proxy destination.

disable

Disable allowing an IPv6 web proxy destination.

message-upon-server-error

Enable/disable displaying a replacement message when a server error is detected.

option

-

enable

Option

Description

enable

Display a replacement message when a server error is detected.

disable

Do not display a replacement message when a server error is detected.

outgoing-ip

Outgoing HTTP requests will have this IP address as their source address. An interface must have this IP address.

ipv4-address-any

Not Specified

outgoing-ip6

Outgoing HTTP requests will leave this IPv6. Multiple interfaces can be specified. Interfaces must have these IPv6 addresses.

ipv6-address

Not Specified

pac-file-data

PAC file contents enclosed in quotes (maximum of 256K bytes).

user

Not Specified

pac-file-name

Pac file name.

string

Maximum length: 63

proxy.pac

pac-file-server-port

Port number that PAC traffic from client web browsers uses to connect to the explicit web proxy.

user

Not Specified

pac-file-server-status

Enable/disable Proxy Auto-Configuration (PAC) for users of this explicit proxy profile.

option

-

disable

Option

Description

enable

Enable Proxy Auto-Configuration (PAC).

disable

Disable Proxy Auto-Configuration (PAC).

pac-file-url

PAC file access URL.

user

Not Specified

pref-dns-result

Prefer resolving addresses using the configured IPv4 or IPv6 DNS server.

option

-

ipv4

Option

Description

ipv4

Prefer the IPv4 DNS server.

ipv6

Prefer the IPv6 DNS server.

realm

Authentication realm used to identify the explicit web proxy (maximum of 63 characters).

string

Maximum length: 63

default

sec-default-action

Accept or deny explicit web proxy sessions when no web proxy firewall policy exists.

option

-

deny

Option

Description

accept

Accept requests. All explicit web proxy traffic is accepted whether there is an explicit web proxy policy or not.

deny

Deny requests unless there is a matching explicit web proxy policy.

socks

Enable/disable the SOCKS proxy.

option

-

disable

Option

Description

enable

Enable the SOCKS proxy.

disable

Disable the SOCKS proxy.

socks-incoming-port

Accept incoming SOCKS proxy requests on one or more ports.

user

Not Specified

ssl-algorithm

Relative strength of encryption algorithms accepted in HTTPS deep scan: high, medium, or low.

option

-

low

Option

Description

high

High encrption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

status

Enable/disable the explicit Web proxy for HTTP and HTTPS session.

option

-

disable

Option

Description

enable

Enable the explicit web proxy.

disable

Disable the explicit web proxy.

strict-guest

Enable/disable strict guest user checking by the explicit web proxy.

option

-

disable

Option

Description

enable

Enable strict guest user checking.

disable

Disable strict guest user checking.

trace-auth-no-rsp

Enable/disable logging timed-out authentication requests.

option

-

disable

Option

Description

enable

Enable logging timed-out authentication requests.

disable

Disable logging timed-out authentication requests.

unknown-http-version

How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1.

option

-

reject

Option

Description

reject

Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.

tunnel

Pass HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying HTTP protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied.

best-effort

Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, it may not parse correctly and the connection may be lost.

config pac-policy

Parameter

Description

Type

Size

Default

policyid

Policy ID.

integer

Minimum value: 1 Maximum value: 100

0

status

Enable/disable policy.

option

-

enable

Option

Description

enable

Enable policy.

disable

Disable policy.

srcaddr <name>

Source address objects.

Address name.

string

Maximum length: 79

srcaddr6 <name>

Source address6 objects.

Address name.

string

Maximum length: 79

dstaddr <name>

Destination address objects.

Address name.

string

Maximum length: 79

pac-file-name

Pac file name.

string

Maximum length: 63

proxy.pac

pac-file-data

PAC file contents enclosed in quotes (maximum of 256K bytes).

user

Not Specified

comments

Optional comments.

var-string

Maximum length: 1023

config web-proxy explicit

config web-proxy explicit

Configure explicit Web proxy settings.

config web-proxy explicit
    Description: Configure explicit Web proxy settings.
    set ftp-incoming-port {user}
    set ftp-over-http [enable|disable]
    set http-incoming-port {user}
    set https-incoming-port {user}
    set https-replacement-message [enable|disable]
    set incoming-ip {ipv4-address-any}
    set incoming-ip6 {ipv6-address}
    set ipv6-status [enable|disable]
    set message-upon-server-error [enable|disable]
    set outgoing-ip {ipv4-address-any}
    set outgoing-ip6 {ipv6-address}
    set pac-file-data {user}
    set pac-file-name {string}
    set pac-file-server-port {user}
    set pac-file-server-status [enable|disable]
    set pac-file-url {user}
    config pac-policy
        Description: PAC policies.
        edit <policyid>
            set status [enable|disable]
            set srcaddr <name1>, <name2>, ...
            set srcaddr6 <name1>, <name2>, ...
            set dstaddr <name1>, <name2>, ...
            set pac-file-name {string}
            set pac-file-data {user}
            set comments {var-string}
        next
    end
    set pref-dns-result [ipv4|ipv6]
    set realm {string}
    set sec-default-action [accept|deny]
    set socks [enable|disable]
    set socks-incoming-port {user}
    set ssl-algorithm [high|medium|...]
    set status [enable|disable]
    set strict-guest [enable|disable]
    set trace-auth-no-rsp [enable|disable]
    set unknown-http-version [reject|tunnel|...]
end

config web-proxy explicit

Parameter

Description

Type

Size

Default

ftp-incoming-port

Accept incoming FTP-over-HTTP requests on one or more ports.

user

Not Specified

ftp-over-http

Enable to proxy FTP-over-HTTP sessions sent from a web browser.

option

-

disable

Option

Description

enable

Enable FTP-over-HTTP sessions.

disable

Disable FTP-over-HTTP sessions.

http-incoming-port

Accept incoming HTTP requests on one or more ports.

user

Not Specified

https-incoming-port

Accept incoming HTTPS requests on one or more ports.

user

Not Specified

https-replacement-message

Enable/disable sending the client a replacement message for HTTPS requests.

option

-

enable

Option

Description

enable

Display a replacement message for HTTPS requests.

disable

Do not display a replacement message for HTTPS requests.

incoming-ip

Restrict the explicit HTTP proxy to only accept sessions from this IP address. An interface must have this IP address.

ipv4-address-any

Not Specified

0.0.0.0

incoming-ip6

Restrict the explicit web proxy to only accept sessions from this IPv6 address. An interface must have this IPv6 address.

ipv6-address

Not Specified

::

ipv6-status

Enable/disable allowing an IPv6 web proxy destination in policies and all IPv6 related entries in this command.

option

-

disable

Option

Description

enable

Enable allowing an IPv6 web proxy destination.

disable

Disable allowing an IPv6 web proxy destination.

message-upon-server-error

Enable/disable displaying a replacement message when a server error is detected.

option

-

enable

Option

Description

enable

Display a replacement message when a server error is detected.

disable

Do not display a replacement message when a server error is detected.

outgoing-ip

Outgoing HTTP requests will have this IP address as their source address. An interface must have this IP address.

ipv4-address-any

Not Specified

outgoing-ip6

Outgoing HTTP requests will leave this IPv6. Multiple interfaces can be specified. Interfaces must have these IPv6 addresses.

ipv6-address

Not Specified

pac-file-data

PAC file contents enclosed in quotes (maximum of 256K bytes).

user

Not Specified

pac-file-name

Pac file name.

string

Maximum length: 63

proxy.pac

pac-file-server-port

Port number that PAC traffic from client web browsers uses to connect to the explicit web proxy.

user

Not Specified

pac-file-server-status

Enable/disable Proxy Auto-Configuration (PAC) for users of this explicit proxy profile.

option

-

disable

Option

Description

enable

Enable Proxy Auto-Configuration (PAC).

disable

Disable Proxy Auto-Configuration (PAC).

pac-file-url

PAC file access URL.

user

Not Specified

pref-dns-result

Prefer resolving addresses using the configured IPv4 or IPv6 DNS server.

option

-

ipv4

Option

Description

ipv4

Prefer the IPv4 DNS server.

ipv6

Prefer the IPv6 DNS server.

realm

Authentication realm used to identify the explicit web proxy (maximum of 63 characters).

string

Maximum length: 63

default

sec-default-action

Accept or deny explicit web proxy sessions when no web proxy firewall policy exists.

option

-

deny

Option

Description

accept

Accept requests. All explicit web proxy traffic is accepted whether there is an explicit web proxy policy or not.

deny

Deny requests unless there is a matching explicit web proxy policy.

socks

Enable/disable the SOCKS proxy.

option

-

disable

Option

Description

enable

Enable the SOCKS proxy.

disable

Disable the SOCKS proxy.

socks-incoming-port

Accept incoming SOCKS proxy requests on one or more ports.

user

Not Specified

ssl-algorithm

Relative strength of encryption algorithms accepted in HTTPS deep scan: high, medium, or low.

option

-

low

Option

Description

high

High encrption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

status

Enable/disable the explicit Web proxy for HTTP and HTTPS session.

option

-

disable

Option

Description

enable

Enable the explicit web proxy.

disable

Disable the explicit web proxy.

strict-guest

Enable/disable strict guest user checking by the explicit web proxy.

option

-

disable

Option

Description

enable

Enable strict guest user checking.

disable

Disable strict guest user checking.

trace-auth-no-rsp

Enable/disable logging timed-out authentication requests.

option

-

disable

Option

Description

enable

Enable logging timed-out authentication requests.

disable

Disable logging timed-out authentication requests.

unknown-http-version

How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1.

option

-

reject

Option

Description

reject

Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.

tunnel

Pass HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying HTTP protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied.

best-effort

Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, it may not parse correctly and the connection may be lost.

config pac-policy

Parameter

Description

Type

Size

Default

policyid

Policy ID.

integer

Minimum value: 1 Maximum value: 100

0

status

Enable/disable policy.

option

-

enable

Option

Description

enable

Enable policy.

disable

Disable policy.

srcaddr <name>

Source address objects.

Address name.

string

Maximum length: 79

srcaddr6 <name>

Source address6 objects.

Address name.

string

Maximum length: 79

dstaddr <name>

Destination address objects.

Address name.

string

Maximum length: 79

pac-file-name

Pac file name.

string

Maximum length: 63

proxy.pac

pac-file-data

PAC file contents enclosed in quotes (maximum of 256K bytes).

user

Not Specified

comments

Optional comments.

var-string

Maximum length: 1023