Proxy policy
This section describes how to create web, FTP, and WAN Opt proxy policies.
On the Policy & Objects pane, go to Tools > Display Options, and then select the Explicit Proxy Policy checkbox in the Policy section to display this option.
To create a new proxy policy:
- Go to Policy & Objects > Policy Packages.
- In the tree menu for the policy package in which you will be creating the new policy, select Explicit Proxy Policy.
- Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Policy pane opens.
- Enter the following information, then click OK to create the policy:
Explicit Proxy Type
Select the explicit proxy type: Explicit Web, Transparent Web, FTP, or WAN Optimize.
Incoming Interface
Select incoming interfaces from the Object Selector frame, or drag and drop the address from the object pane.
This option is only available when the proxy type is set to Transparent Web.
Outgoing Interface
Select outgoing interfaces.
Source
Select source addresses.
Destination
Select destination addresses, address groups, virtual IPs, and virtual IP groups.
Service
Select services and service groups from the object selector pane.
Schedule
Select schedules, one time or recurring, and schedule groups.
Action
Select an action for the policy to take: Deny, Accept, or Redirect.
Redirect is only available when the proxy type is set to Explicit Web or Transparent Web.
Log Traffic
Select one of the following options:
- No Log
- Log Security Events
- Log All Sessions
When Log All Sessions is selected, you can select to generate logs when the session starts.
This option is available when the Action is Accept.
Log Violation Traffic
Select to log violation traffic.
This option is available when the Action is Deny.
Disclaimer Options
Set the Display Disclaimer: Disable, By Domain, By Policy, or By User.
Optionally, select a custom message in the Customize Messages field if not disabled.
These options are available when the Action is Accept.
Security Profiles
Select to add security profiles or profile groups.
The following profile types can be added:
- Antivirus Profile
- Web Filter Profile - not available when the proxy type is set to FTP
- Application Control - not available when the proxy type is set to FTP
- IPS Profile - not available when the proxy type is set to FTP
- DLP Sensor
- ICAP - not available when the proxy type is set to FTP
- Web Application Firewall - not available when the proxy type is set to FTP
- Proxy Options
- SSL/SSH Inspection
- Profile Group (available when Use Security Profile Group is selected)
This option is available when the Action is Accept.
Redirect URL
Enter the redirect URL.
This option is only available when the Action is Redirect.
Web Proxy Forwarding Server
Select a web proxy forwarding server from the dropdown list.
This option is not available when the proxy type is set to FTP.
Comments
Add a description of the policy, such as its purpose, or the changes that have been made to it.
Advanced Options
Configure advanced options; see Advanced options below.
For more information on the advanced options, see the FortiOS CLI Reference.
Advanced options
| Option | Description | Default |
|---|---|---|
| dstaddr-negate | Enable or disable negated destination address match. | disable |
| global-label | Enter a global label. | - |
| http-tunnel-auth | Enable or disable HTTP tunnel authentication. | disable |
| internet-service-negate | Enable or disable negated internet service match. | disable |
| label | Enter a label. | - |
| poolname | Select a firewall IP pool from the dropdown list. | None |
| scan-botnet-connections | Enable or disable scanning of connections to Botnet servers. | disable |
| service-negate | Enable or disable negated service match. | disable |
| session-ttl | Session TTL for sessions accepted by this policy (300 - 6040800 seconds, 0 = use system default). | 0 |
| srcaddr-negate | Enable or disable negated source address match. | disable |
| ssh-filter-profile | Name of an existing SSH filter profile. | None |
| transparent | Use the IP address of the client to connect to the server. | disable |
| webcache | Enable or disable web cache. | disable |
| webcache-https | Enable or disable web cache for HTTPS. | disable |
| webproxy-profile | Select a webproxy profile from the dropdown list. | None |
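As an added illustration (not from this page or from Fortinet's own documentation), this is roughly how the policy fields above and the advanced options in the table map onto the FortiOS CLI `config firewall proxy-policy` object that FortiManager installs on the managed FortiGate. The keyword names follow FortiOS CLI syntax as I know it and are an assumption to check against the FortiOS CLI Reference for your version; interface, address, profile and policy names are placeholders, and the `#` annotations are editorial, not CLI syntax.

```text
config firewall proxy-policy
    edit 1
        set name "explicit-web-out"                   # assumed policy name
        set proxy explicit-web                        # Explicit Proxy Type
        set dstintf "wan1"                            # Outgoing Interface (placeholder)
        set srcaddr "internal-clients"                # Source (placeholder address object)
        set dstaddr "all"                             # Destination
        set service "webproxy"                        # Service
        set schedule "always"                         # Schedule
        set action accept                             # Action: Accept
        set logtraffic all                            # Log Traffic: Log All Sessions
        set logtraffic-start enable                   # also generate a log when the session starts
        set disclaimer domain                         # Disclaimer Options: By Domain
        set utm-status enable                         # Security Profiles follow
        set av-profile "default"                      # Antivirus Profile
        set webfilter-profile "default"               # Web Filter Profile
        set ssl-ssh-profile "certificate-inspection"  # SSL/SSH Inspection
        set profile-protocol-options "default"        # Proxy Options
        set session-ttl 3600                          # Advanced: 300 - 6040800, 0 = system default
        set srcaddr-negate disable                    # Advanced: negated source address match
        set comments "Outbound explicit web proxy for internal clients"
    next
    edit 2
        set name "guest-redirect"                     # assumed policy name
        set proxy explicit-web                        # Redirect is only valid for Explicit/Transparent Web
        set dstintf "wan1"
        set srcaddr "guest-clients"                   # placeholder address object
        set dstaddr "all"
        set service "webproxy"
        set schedule "always"
        set action redirect                           # Action: Redirect
        set redirect-url "https://proxy.example.com/acceptable-use"   # Redirect URL (placeholder)
        set comments "Send guest clients to the acceptable-use page"
    next
end
```

Note that no `srcintf` is set on either policy because, as the page states, Incoming Interface applies only to the Transparent Web proxy type.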