Administration Guide

Proxy policy

This section describes how to create web, FTP, and WAN Optimization proxy policies.

On the Policy & Objects pane, go to Tools > Display Options, and then select the Explicit Proxy Policy checkbox in the Policy section to display this option.

To create a new proxy policy:
  1. Go to Policy & Objects > Policy Packages.
  2. In the tree menu for the policy package in which you will be creating the new policy, select Explicit Proxy Policy.
  3. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Policy pane opens.

  4. Enter the following information, then click OK to create the policy:

    Explicit Proxy Type

    Select the explicit proxy type: Explicit Web, Transparent Web, FTP, or WAN Optimize.

    Incoming Interface

    Select incoming interfaces from the Object Selector frame, or drag and drop the address from the object pane.

    This option is only available when the proxy type is set to Transparent Web.

    Outgoing Interface

    Select outgoing interfaces.

    Source

    Select source addresses.

    Destination

    Select destination addresses, address groups, virtual IPs, and virtual IP groups.

    Service

    Select services and service groups from the object selector pane.

    Schedule

    Select schedules, one time or recurring, and schedule groups.

    Action

    Select an action for the policy to take: Deny, Accept, or Redirect.

    Redirect is only available when the proxy type is set to Explicit Web or Transparent Web.

    Log Traffic

    Select one of the following options:

    • No Log
    • Log Security Events
    • Log All Sessions

    When Log All Sessions is selected, you can also choose to generate a log when the session starts.

    This option is available when the Action is Accept.

    Log Violation Traffic

    Select to log violation traffic.

    This option is available when the Action is Deny.

    Disclaimer Options

    Set the Display Disclaimer: Disable, By Domain, By Policy, or By User.

    Optionally, select a custom message in the Customize Messages field if not disabled.

    These options are available when the Action is Accept.

    Security Profiles

    Select to add security profiles or profile groups.

    The following profile types can be added:

    • Antivirus Profile
    • Web Filter Profile - not available when the proxy type is set to FTP
    • Application Control - not available when the proxy type is set to FTP
    • IPS Profile - not available when the proxy type is set to FTP
    • DLP Sensor
    • ICAP - not available when the proxy type is set to FTP
    • Web Application Firewall - not available when the proxy type is set to FTP
    • Proxy Options
    • SSL/SSH Inspection
    • Profile Group (available when Use Security Profile Group is selected)

    This option is available when the Action is Accept.

    Redirect URL

    Enter the redirect URL.

    This option is only available when the Action is Redirect.

    Web Proxy Forwarding Server

    Select a web proxy forwarding server from the dropdown list.

    This option is not available when the proxy type is set to FTP.

    Comments

    Add a description of the policy, such as its purpose, or the changes that have been made to it.

    Advanced Options

    Configure advanced options; see Advanced options below.

    For more information on the advanced options, see the FortiOS CLI Reference.

Advanced options

Option                    Description                                                                                   Default
dstaddr-negate            Enable or disable negated destination address match.                                         disable
global-label              Enter a global label.                                                                         -
http-tunnel-auth          Enable or disable HTTP tunnel authentication.                                                 disable
internet-service-negate   Enable or disable negated internet service match.                                             disable
label                     Enter a label.                                                                                -
poolname                  Select a firewall IP pool from the dropdown list.                                             None
scan-botnet-connections   Enable or disable scanning of connections to botnet servers.                                  disable
service-negate            Enable or disable negated service match.                                                      disable
session-ttl               Session TTL for sessions accepted by this policy (300 - 6040800 seconds, 0 = use system default).   0
srcaddr-negate            Enable or disable negated source address match.                                               disable
ssh-filter-profile        Name of an existing SSH filter profile.                                                       None
transparent               Use the IP address of the client to connect to the server.                                    disable
webcache                  Enable or disable web cache.                                                                  disable
webcache-https            Enable or disable web cache for HTTPS.                                                        disable
webproxy-profile          Select a web proxy profile from the dropdown list.                                            None
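The negate options in the table above (srcaddr-negate, dstaddr-negate, service-negate) invert a single match criterion, so an Accept policy with a negated destination matches every destination except the ones listed. The following Python model is an added example written for this guide, not Fortinet code and not the FortiOS matching engine: it evaluates a constructed policy package top to bottom with the negate flags applied, validates session-ttl against the range given in the table, and reports the review findings a policy reviewer would want (Accept policies widened by a negate flag or left with logging disabled). The address objects, service objects, and policies are constructed sample data.

```python
from dataclasses import dataclass
import ipaddress

# Constructed sample address and service objects (not from the guide).
ADDRESSES = {
    "corp-lan": "10.0.0.0/8",
    "dmz-web": "192.0.2.0/24",
    "all": "0.0.0.0/0",
}
SERVICES = {"HTTP": {80}, "HTTPS": {443}, "FTP": {21}}  # service name -> destination ports


@dataclass
class ProxyPolicy:
    policyid: int
    action: str                  # "accept", "deny" or "redirect"
    srcaddr: set                 # address object names
    dstaddr: set
    service: set                 # service object names
    srcaddr_negate: bool = False
    dstaddr_negate: bool = False
    service_negate: bool = False
    logtraffic: str = "disable"  # "disable", "utm" (security events) or "all"
    session_ttl: int = 0         # 0 = use system default


def _addr_hit(ip, names):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(ADDRESSES[n]) for n in names)


def _svc_hit(port, names):
    return any(port in SERVICES[n] for n in names)


def matches(policy, src_ip, dst_ip, dst_port):
    """A negate flag inverts the result of that one criterion (XOR)."""
    src_ok = _addr_hit(src_ip, policy.srcaddr) != policy.srcaddr_negate
    dst_ok = _addr_hit(dst_ip, policy.dstaddr) != policy.dstaddr_negate
    svc_ok = _svc_hit(dst_port, policy.service) != policy.service_negate
    return src_ok and dst_ok and svc_ok


def first_match(policies, src_ip, dst_ip, dst_port):
    """Policies are evaluated in list order; None means nothing matched."""
    for p in policies:
        if matches(p, src_ip, dst_ip, dst_port):
            return p
    return None


def valid_session_ttl(ttl):
    """Range from the advanced-options table: 0 or 300 - 6040800 seconds."""
    return ttl == 0 or 300 <= ttl <= 6040800


def review(policies):
    """Return (policyid, finding) pairs for settings a reviewer should look at."""
    findings = []
    for p in policies:
        negated = p.srcaddr_negate or p.dstaddr_negate or p.service_negate
        if p.action == "accept" and negated:
            findings.append((p.policyid, "accept with a negated match widens the policy"))
        if p.action == "accept" and p.logtraffic == "disable":
            findings.append((p.policyid, "accept policy with logging disabled"))
        if not valid_session_ttl(p.session_ttl):
            findings.append((p.policyid, "session-ttl outside 0 or 300 - 6040800"))
    return findings


# Constructed sample policy package (hypothetical; not from the guide).
POLICIES = [
    ProxyPolicy(1, "accept", {"corp-lan"}, {"dmz-web"}, {"HTTP", "HTTPS"}, logtraffic="all"),
    # dstaddr_negate: matches every destination *except* dmz-web, logs nothing,
    # and carries a session-ttl below the permitted minimum.
    ProxyPolicy(2, "accept", {"corp-lan"}, {"dmz-web"}, {"HTTP", "HTTPS"},
                dstaddr_negate=True, session_ttl=60),
    ProxyPolicy(3, "deny", {"all"}, {"all"}, {"FTP"}, logtraffic="utm"),
]

if __name__ == "__main__":
    hit = first_match(POLICIES, "10.1.2.3", "198.51.100.7", 80)
    print("matched policy:", hit.policyid if hit else None)
    for pid, text in review(POLICIES):
        print(f"policy {pid}: {text}")
```

Running the block shows that a corporate client browsing to a non-DMZ host on port 80 is accepted by policy 2, which is exactly the widening effect of dstaddr-negate; the review output lists that policy three times, once per setting worth a second look.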