Fortinet white logo
Fortinet white logo

Administration Guide

Transparent proxy

Transparent proxy

In a transparent proxy deployment, the user's client software, such as a browser, is unaware that it is communicating with a proxy.

Users request Internet content as usual, without any special client configuration, and the proxy serves their requests. FortiGate also allows user to configure in transparent proxy mode.

To configure transparent proxy in the GUI:
  1. Configure a regular firewall policy with HTTP redirect:
    1. Go to Policy & Objects > Firewall Policy.
    2. Click Create New.
    3. Name the policy appropriately, set the Incoming Interface to port2, and set the Outgoing Interface to port1.
    4. Also set Source and Destination to all, Schedule to always, Service to ALL, and Action to ACCEPT.
    5. Set Inspection Mode to Proxy-based and SSL Inspection to deep-inspection.

    6. Configure the remaining settings as needed.
    7. Click OK.
    8. Note

      HTTP redirect can only be configured in the CLI. To redirect HTTPS traffic, deep inspection is required.

  2. Configure a transparent proxy policy:
    1. Go to Policy & Objects > Proxy Policy.
    2. Click Create New.
    3. Set Proxy Type to Transparent Web, set the Incoming Interface to port2, and set the Outgoing Interface to port1.
    4. Also set Source and Destination to all, Scheduleto always, Service to webproxy, and Action to ACCEPT.

    5. Configure the remaining settings as needed.
    6. Click OK to create the policy.
  3. Note

    This example creates a basic policy. If required, security profiles can be enabled, and deep SSL inspection can be selected to inspect HTTPS traffic.

  4. No special configure is required on the client to use FortiGate transparent proxy. As the client is using the FortiGate as its default gateway, requests will first hit the regular firewall policy, and then be redirected to the transparent proxy policy.
To configure transparent proxy in the CLI:
  1. Configure a regular firewall policy with HTTP redirect:
    config firewall policy
        edit 1
            set name "1"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set http-policy-redirect enable
            set fsso disable
            set ssl-ssh-profile "deep-inspection"
            set nat enable
        next
    end
  2. Configure a transparent proxy policy:
    config firewall proxy-policy
        edit 5
            set proxy transparent-web
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "webproxy"
            set action accept
            set schedule "always"
        next
    end
  3. Note

    This example creates a basic policy. If required, security profiles can be enabled, and deep SSL inspection can be selected to inspect HTTPS traffic.

  4. No special configure is required on the client to use FortiGate transparent proxy. As the client is using the FortiGate as its default gateway, requests will first hit the regular firewall policy, and then be redirected to the transparent proxy policy.

Transparent proxy

Transparent proxy

In a transparent proxy deployment, the user's client software, such as a browser, is unaware that it is communicating with a proxy.

Users request Internet content as usual, without any special client configuration, and the proxy serves their requests. FortiGate also allows user to configure in transparent proxy mode.

To configure transparent proxy in the GUI:
  1. Configure a regular firewall policy with HTTP redirect:
    1. Go to Policy & Objects > Firewall Policy.
    2. Click Create New.
    3. Name the policy appropriately, set the Incoming Interface to port2, and set the Outgoing Interface to port1.
    4. Also set Source and Destination to all, Schedule to always, Service to ALL, and Action to ACCEPT.
    5. Set Inspection Mode to Proxy-based and SSL Inspection to deep-inspection.

    6. Configure the remaining settings as needed.
    7. Click OK.
    8. Note

      HTTP redirect can only be configured in the CLI. To redirect HTTPS traffic, deep inspection is required.

  2. Configure a transparent proxy policy:
    1. Go to Policy & Objects > Proxy Policy.
    2. Click Create New.
    3. Set Proxy Type to Transparent Web, set the Incoming Interface to port2, and set the Outgoing Interface to port1.
    4. Also set Source and Destination to all, Scheduleto always, Service to webproxy, and Action to ACCEPT.

    5. Configure the remaining settings as needed.
    6. Click OK to create the policy.
  3. Note

    This example creates a basic policy. If required, security profiles can be enabled, and deep SSL inspection can be selected to inspect HTTPS traffic.

  4. No special configure is required on the client to use FortiGate transparent proxy. As the client is using the FortiGate as its default gateway, requests will first hit the regular firewall policy, and then be redirected to the transparent proxy policy.
To configure transparent proxy in the CLI:
  1. Configure a regular firewall policy with HTTP redirect:
    config firewall policy
        edit 1
            set name "1"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set http-policy-redirect enable
            set fsso disable
            set ssl-ssh-profile "deep-inspection"
            set nat enable
        next
    end
  2. Configure a transparent proxy policy:
    config firewall proxy-policy
        edit 5
            set proxy transparent-web
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "webproxy"
            set action accept
            set schedule "always"
        next
    end
  3. Note

    This example creates a basic policy. If required, security profiles can be enabled, and deep SSL inspection can be selected to inspect HTTPS traffic.

  4. No special configure is required on the client to use FortiGate transparent proxy. As the client is using the FortiGate as its default gateway, requests will first hit the regular firewall policy, and then be redirected to the transparent proxy policy.