Proxy policy addresses
Proxy addresses are designed to be used only by proxy policies. The following address types are available:
- Host regex match
- URL pattern
- URL category
- HTTP method
- HTTP header
- User agent
- Advanced (source)
- Advanced (destination)
Fast policy match
The fast policy match function improves the performance of IPv4 explicit and transparent web proxies on FortiGate devices.
When enabled, after the proxy policies are configured, the FortiGate builds a fast searching table based on the different proxy policy matching criteria. When fast policy matching is disabled, web proxy traffic is compared to the policies one at a time from the beginning of the policy list.
Fast policy matching is enabled by default, and can be configured with the following CLI command:
config web-proxy global
    set fast-policy-match {enable | disable}
end
Host regex match
In this address type, a user can create a hostname as a regular expression to match the Host field in the Layer 7 header of a packet. Once created, the hostname address can be selected as a destination of a proxy policy. This means that a policy will only allow or block requests that match the regular expression.
This example creates a host regex match address with the pattern qa.[a-z]*.com.
To create a host regex match address in the GUI:
- Go to Policy & Objects > Addresses.
- Click Create New > Address.
- Set the following:
  - Category to Proxy Address,
  - Name to Host Regex,
  - Type to Host Regex Match, and
  - Host Regex Pattern to qa.[a-z]*.com.
- Click OK.
To create a host regex match address in the CLI:
config firewall proxy-address
    edit "Host Regex"
        set type host-regex
        set host-regex "qa.[a-z]*.com"
    next
end
URL pattern
In this address type, a user can create a URL path as a regular expression. Once created, the path address can be selected as a destination of a proxy policy. This means that a policy will only allow or block requests that match the regular expression.
This example creates a URL pattern address with the pattern /filetypes/.
To create a URL pattern address in the GUI:
- Go to Policy & Objects > Addresses.
- Click Create New > Address.
- Set the following:
  - Category to Proxy Address,
  - Name to URL Regex,
  - Type to URL Pattern,
  - Host to all, and
  - URL Path Regex to /filetypes/.
- Click OK.
To create a URL pattern address in the CLI:
config firewall proxy-address
    edit "URL Regex"
        set type url
        set host "all"
        set path "/filetypes/"
    next
end
URL category
In this address type, a user can create a URL category based on a FortiGuard URL ID. Once created, the address can be selected as a destination of a proxy policy. This means that a policy will only allow or block requests that match the URL category.
The example creates a URL category address for URLs in the Education category. For more information about categories, see https://fortiguard.com/webfilter/categories.
For information about creating and using custom local and remote categories, see Web rating override, Using local and remote categories, and Threat feeds.
To create a URL category address in the GUI:
- Go to Policy & Objects > Addresses.
- Click Create New > Address.
- Set the following:
  - Category to Proxy Address,
  - Name to url-category,
  - Type to URL Category,
  - Host to all, and
  - URL Category to Education.
- Click OK.
To create a URL category address in the CLI:
config firewall proxy-address
    edit "url-category"
        set type category
        set host "all"
        set category 30
    next
end
To see a list of all the categories and their numbers, enter set category ? while editing the address.
HTTP method
In this address type, a user can create an address based on the HTTP request methods that are used. Multiple method options are supported, including: CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, and TRACE. Once created, the address can be selected as a source of a proxy policy. This means that a policy will only allow or block requests that match the selected HTTP method.
This example creates an HTTP method address that uses the GET method.
To create an HTTP method address in the GUI:
- Go to Policy & Objects > Addresses.
- Click Create New > Address.
- Set the following:
  - Category to Proxy Address,
  - Name to method_get,
  - Type to HTTP Method,
  - Host to all, and
  - Request Method to GET.
- Click OK.
To create an HTTP method address in the CLI:
config firewall proxy-address
    edit "method_get"
        set type method
        set host "all"
        set method get
    next
end
HTTP header
In this address type, a user can create an HTTP header as a regular expression. Once created, the header address can be selected as a source of a proxy policy. This means that a policy will only allow or block requests where the named HTTP header matches the regular expression.
This example creates an HTTP header address with the pattern Q[A-B].
To create an HTTP header address in the GUI:
- Go to Policy & Objects > Addresses.
- Click Create New > Address.
- Set the following:
  - Category to Proxy Address,
  - Name to HTTP-header,
  - Type to HTTP Header,
  - Host to all,
  - Header Name to Header_Test, and
  - Header Regex to Q[A-B].
- Click OK.
To create an HTTP header address in the CLI:
config firewall proxy-address
    edit "HTTP-header"
        set type header
        set host "all"
        set header-name "Header_Test"
        set header "Q[A-B]"
    next
end
User agent
In this address type, a user can create an address based on the names of the browsers that are used as user agents. Multiple browsers are supported, such as Chrome, Firefox, Internet Explorer, and others. Once created, the address can be selected as a source of a proxy policy. This means that a policy will only allow or block requests from the specified user agent.
This example creates a user agent address for Google Chrome.
To create a user agent address in the GUI:
- Go to Policy & Objects > Addresses.
- Click Create New > Address.
- Set the following:
  - Category to Proxy Address,
  - Name to UA-Chrome,
  - Type to User Agent,
  - Host to all, and
  - User Agent to Google Chrome.
- Click OK.
To create a user agent address in the CLI:
config firewall proxy-address
    edit "UA-Chrome"
        set type ua
        set host "all"
        set ua chrome
    next
end
Browser version control
For security reasons, the user can restrict the browser version by specifying a range of supported versions. The range is set in the CLI with set ua-min-ver and set ua-max-ver. This option is available when the address Type is either User Agent or Advanced (Source).
To restrict the browser version:
config firewall proxy-address
    edit "ua-ver"
        set type ua
        set ua firefox
        set ua-min-ver "100.0.1"
        set ua-max-ver "160"
    next
end
Advanced (source)
In this address type, a user can create an address based on multiple parameters, including HTTP method, User Agent, and HTTP header. Once created, the address can be selected as a source of a proxy policy. This means that a policy will only allow or block requests that match the selected address.
This example creates an address that uses the GET method, a user agent for Google Chrome, and an HTTP header with the pattern Q[A-B].
To create an advanced (source) address in the GUI:
- Go to Policy & Objects > Addresses.
- Click Create New > Address.
- Set the following:
  - Category to Proxy Address,
  - Name to advanced_src,
  - Type to Advanced (Source),
  - Host to all,
  - Request Method to GET,
  - User Agent to Google Chrome, and
  - HTTP header to Header_Test : Q[A-B].
- Click OK.
To create an advanced (source) address in the CLI:
config firewall proxy-address
    edit "advanced_src"
        set type src-advanced
        set host "all"
        set method get
        set ua chrome
        config header-group
            edit 1
                set header-name "Header_Test"
                set header "Q[A-B]"
            next
        end
    next
end
Advanced (destination)
In this address type, a user can create an address based on URL pattern and URL category parameters. Once created, the address can be selected as a destination of a proxy policy. This means that a policy will only allow or block requests that match the selected address.
This example creates an address for URLs whose path matches /about and that are in the Education category. For more information about categories, see https://fortiguard.com/webfilter/categories.
To create an advanced (destination) address in the GUI:
- Go to Policy & Objects > Addresses.
- Click Create New > Address.
- Set the following:
  - Category to Proxy Address,
  - Name to Advanced-dst,
  - Type to Advanced (Destination),
  - Host to all,
  - URL Path Regex to /about, and
  - URL Category to Education.
- Click OK.
To create an advanced (destination) address in the CLI:
config firewall proxy-address
    edit "Advanced-dst"
        set type dst-advanced
        set host "all"
        set path "/about"
        set category 30
    next
end
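The following Python model is an added example, not Fortinet code and not a description of the FortiOS matching engine. It ties the page's address types together: each factory builds a predicate for one type (host regex, URL pattern, URL category, HTTP method, HTTP header, user agent with the ua-min-ver / ua-max-ver range, and the advanced source/destination combinations), and first_match walks an ordered policy list top down, which is the behaviour the Fast policy match section describes when fast-policy-match is disabled. Assumptions that are mine, not the page's: unanchored re.search semantics for the regex fields, zero-padded tuple comparison for version strings, the category number 30 for Education (taken from the page's CLI example), and all policy names and sample requests. The loose_vs_strict helper shows why a destination allow built on an unescaped, unanchored pattern such as the page's qa.[a-z]*.com admits hosts it was not meant to, and what the escaped, anchored form of the same intent matches instead.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Request:
    """One proxied HTTP request; every value used below is constructed."""
    host: str
    path: str
    method: str
    headers: dict = field(default_factory=dict)
    ua_family: str = ""    # browser family, e.g. "chrome" or "firefox"
    ua_version: str = "0"  # dotted version string
    category: int = 0      # FortiGuard category number (30 = Education on the page)

def version_key(v, width=4):
    """Zero-pad '100.0.1' and '160' to equal-length tuples (padding is my assumption)."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def host_ok(req, host):
    """The Host field of the page's examples: 'all' or one exact hostname."""
    return host == "all" or req.host == host

# One predicate factory per proxy address type on the page. Unanchored re.search
# semantics are an ASSUMPTION for illustration, not a claim about the FortiOS engine.
def host_regex(pattern):
    rx = re.compile(pattern)
    return lambda req: rx.search(req.host) is not None

def url_pattern(path_regex, host="all"):
    rx = re.compile(path_regex)
    return lambda req: host_ok(req, host) and rx.search(req.path) is not None

def url_category(cat, host="all"):
    return lambda req: host_ok(req, host) and req.category == cat

def http_method(*methods):
    allowed = {m.upper() for m in methods}
    return lambda req: req.method.upper() in allowed

def http_header(name, pattern):
    rx = re.compile(pattern)
    return lambda req: rx.search(req.headers.get(name, "")) is not None

def user_agent(family, min_ver=None, max_ver=None):
    """User Agent type with the optional ua-min-ver / ua-max-ver range."""
    def pred(req):
        if req.ua_family != family:
            return False
        v = version_key(req.ua_version)
        if min_ver is not None and v < version_key(min_ver):
            return False
        return max_ver is None or v <= version_key(max_ver)
    return pred

def advanced(*preds):
    """Advanced (source/destination): every sub-criterion must hold."""
    return lambda req: all(p(req) for p in preds)

@dataclass
class Policy:
    name: str
    action: str                                   # "accept" or "deny"
    srcaddr: list = field(default_factory=list)   # any listed source address may match
    dstaddr: list = field(default_factory=list)   # any listed destination address may match

def first_match(policies, req):
    """Top-down first-match walk, as the page describes with fast-policy-match
    disabled; a fast searching table reaches the same verdict."""
    for p in policies:
        src_ok = not p.srcaddr or any(a(req) for a in p.srcaddr)
        dst_ok = not p.dstaddr or any(a(req) for a in p.dstaddr)
        if src_ok and dst_ok:
            return p.name, p.action
    return None, "implicit-deny"

# Ordered policy list built from the page's example objects (policy names are hypothetical).
POLICIES = [
    Policy("block-trace", "deny", srcaddr=[http_method("TRACE", "CONNECT")]),
    Policy("firefox-supported", "accept",
           srcaddr=[user_agent("firefox", min_ver="100.0.1", max_ver="160")]),
    Policy("edu-about", "accept",
           srcaddr=[advanced(http_method("GET"), user_agent("chrome"),
                             http_header("Header_Test", "Q[A-B]"))],
           dstaddr=[advanced(url_pattern("/about"), url_category(30))]),
    Policy("qa-hosts", "accept", dstaddr=[host_regex("qa.[a-z]*.com")]),
]

def decide(req):
    return first_match(POLICIES, req)

def loose_vs_strict(hostname):
    """Compare the page's host pattern with an escaped, anchored form of the same intent.
    Returns (loose_matches, strict_matches); the gap is what an over-broad allow admits."""
    loose = host_regex(r"qa.[a-z]*.com")
    strict = host_regex(r"^qa\.[a-z]+\.com$")
    probe = Request(host=hostname, path="/", method="GET")
    return loose(probe), strict(probe)
```

Policy order matters in this model exactly as it does on the FortiGate: the TRACE/CONNECT deny is evaluated before any accept, and a request that matches no policy falls through to the implicit deny. Under the assumed search semantics, loose_vs_strict("qa.dev.com.attacker.example") returns (True, False), which is the kind of gap worth checking before a host-regex address is used as the destination of an allow policy.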