Fortinet black logo

Administration Guide

Create a new proxy policy

Create a new proxy policy

This section describes how to create web, FTP, and WAN optimization (WANOpt) proxy policies.

On the Policy & Objects pane, go to Tools > Display Options. In the Display Options pane, go to the Policy section, and select the Proxy Policy checkbox to display this option.

To create a new Proxy policy:
  1. Go to Policy & Objects > Policy Packages.
  2. In the tree menu for the policy package in which you will be creating the new policy, select Proxy Policy.
  3. Click Create New.
  4. Enter the following information:

    Option

    Description

    Name

    Enter a unique name for the policy. Each policy must have a unique name.

    Explicit Proxy Type

    Select the explicit proxy type: Explicit Web, Transparent Web, FTP, or WAN Optimize.

    Incoming Interface

    Click the field then select interfaces.

    Click the remove icon to remove interfaces.

    This option is only available when the proxy type is set to Transparent Web.

    Outgoing Interface

    Select outgoing interfaces in the same manner as Incoming Interface.

    Source

    Select source aaddresses, address groups, virtual IPs, and virtual IP groups.

    Destination

    Select destination addresses, address groups, virtual IPs, and virtual IP groups.

    Service

    Select services and service groups from the object selector pane.

    Schedule

    Select a one-time schedule, recurring schedule, or schedule group.

    Action

    Select an action for the policy to take: Deny, Accept, or Redirect.

    Redirect is only available when the proxy type is set to Explicit Web or Transparent Web.

    Log Allowed Traffic

    Select one of the following options:

    • No Log

    • Log Security Events

    • Log All Sessions

    If logging is set to Log All Sessions, select whether to generate logs when the session starts.

    This option is available when the Action is Accept.

    Log Violation Traffic

    Select to log violation traffic.

    This option is available when the Action is Deny.

    Display Disclaimer

    Set the Display Disclaimer: Disable, By Domain, By Policy, or By User.

    Optionally, if enabled, select a custom message in the Customize Messages field.

    This option is available when the Action is Accept.

    Security Profiles

    Select to add security profiles or profile groups.

    If Use Standard Security Profiles is selected the following profile types can be added:

    • Antivirus Profile
    • Web Filter Profile (not available when the proxy type is set to FTP)
    • Video Profile Filter
    • Application Control (not available when the proxy type is set to FTP)
    • IPS Profile (not available when the proxy type is set to FTP)
    • File Filter Profile
    • ICAP (not available when the proxy type is set to FTP)
    • Web Application Firewall (not available when the proxy type is set to FTP)

    In Protocol Options, select a protocol options group.

    If Use Security Profile Group is selected, select the Profile Group.

    This option is available when the Action is Accept.

    SSL/SSH Inspection

    Select one of the following options for SSL/SSH Inspection:certificate-inspectioncustom-deep-inspectiondeep-inspectionno-inspection

    This option is not available when the Security Profiles Profile Type is set to Use Security Profile Group.

    Redirect URL

    Enter the redirect URL.

    This option is only available when the Action is Redirect.

    When the Action is Redirect, this field is required.

    Web Proxy Forwarding Server

    Select a web proxy forwarding server.

    This option is not available when the proxy type is set to FTP.

    Comments

    Add a description of the policy, such as its purpose, or the changes that have been made to it.

    Advanced Options

    Configure advanced options, see Advanced options below.

    For more information on advanced options, see the FortiOS CLI Reference.

    Change Note

    Add a description of the changes being made to the policy. This field is required.

  5. Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number. By default, policies will be added to the bottom of the list, but above the implicit policy.
Advanced options

Option

Description

Default

access-proxy

Select an IPv4 access proxy.

none

access-proxy6

Select an IPv6 access proxy.

none

block-notification

Enable or disable block notification.

disable

device-ownership

Enable or disable ownership enforcement at the policy level.

disable

dlp-profile

Select an existing data leak prevention (DLP) profile.

none

dstaddr-negate

Enable or disable negation of the values set in Destination.

disable

global-label

Enter the label for the policy to be displayed when the GUI is in Global View mode.

none

http-tunnel-auth

Enable or disable HTTP tunnel authentication

disable

internet-service-negate

Enable or disable negation of the internet service.

disable

label

Set the label for the policy to be displayed in the VDOM.

none

sctp-filter-profile

Select an existing stream control transmission protocol (SCTP) filter profile.

none

service-negate

Enable or disable negation of the service specified in Service.

disable

session-ttl

Session TTL for sessions accepted by this policy (300 - 6040800 seconds, 0 = use system default).

0

srcaddr-negate

Enable or disable negation of the source address.

disable

ssh-filter-profile

Select an existing SSH filter profile.

none

ssh-policy-redirect

Enable or disable SSH policy redirect.

disable

transparent

Enable or disable using the IP address of the client to connect to the server.

disable

uuid

Enter the universally unique identifier (UUID). This value is automatically assigned but can be manually reset.

00000000-0000- 0000-0000- 000000000000

webcache

Enable or disable web cache.

disable

webcache-https

Enable or disable web cache for HTTPS.

disable

webproxy-profile

Select a webproxy profile.

none

ztna-ems-tag

Select ZTNA EMS tags.

none

ztna-tags-match-logic

Set the logic used for matching ZTNA tags. The available options are and and or.

or

Create a new proxy policy

This section describes how to create web, FTP, and WAN optimization (WANOpt) proxy policies.

On the Policy & Objects pane, go to Tools > Display Options. In the Display Options pane, go to the Policy section, and select the Proxy Policy checkbox to display this option.

To create a new Proxy policy:
  1. Go to Policy & Objects > Policy Packages.
  2. In the tree menu for the policy package in which you will be creating the new policy, select Proxy Policy.
  3. Click Create New.
  4. Enter the following information:

    Option

    Description

    Name

    Enter a unique name for the policy. Each policy must have a unique name.

    Explicit Proxy Type

    Select the explicit proxy type: Explicit Web, Transparent Web, FTP, or WAN Optimize.

    Incoming Interface

    Click the field then select interfaces.

    Click the remove icon to remove interfaces.

    This option is only available when the proxy type is set to Transparent Web.

    Outgoing Interface

    Select outgoing interfaces in the same manner as Incoming Interface.

    Source

    Select source aaddresses, address groups, virtual IPs, and virtual IP groups.

    Destination

    Select destination addresses, address groups, virtual IPs, and virtual IP groups.

    Service

    Select services and service groups from the object selector pane.

    Schedule

    Select a one-time schedule, recurring schedule, or schedule group.

    Action

    Select an action for the policy to take: Deny, Accept, or Redirect.

    Redirect is only available when the proxy type is set to Explicit Web or Transparent Web.

    Log Allowed Traffic

    Select one of the following options:

    • No Log

    • Log Security Events

    • Log All Sessions

    If logging is set to Log All Sessions, select whether to generate logs when the session starts.

    This option is available when the Action is Accept.

    Log Violation Traffic

    Select to log violation traffic.

    This option is available when the Action is Deny.

    Display Disclaimer

    Set the Display Disclaimer: Disable, By Domain, By Policy, or By User.

    Optionally, if enabled, select a custom message in the Customize Messages field.

    This option is available when the Action is Accept.

    Security Profiles

    Select to add security profiles or profile groups.

    If Use Standard Security Profiles is selected the following profile types can be added:

    • Antivirus Profile
    • Web Filter Profile (not available when the proxy type is set to FTP)
    • Video Profile Filter
    • Application Control (not available when the proxy type is set to FTP)
    • IPS Profile (not available when the proxy type is set to FTP)
    • File Filter Profile
    • ICAP (not available when the proxy type is set to FTP)
    • Web Application Firewall (not available when the proxy type is set to FTP)

    In Protocol Options, select a protocol options group.

    If Use Security Profile Group is selected, select the Profile Group.

    This option is available when the Action is Accept.

    SSL/SSH Inspection

    Select one of the following options for SSL/SSH Inspection:certificate-inspectioncustom-deep-inspectiondeep-inspectionno-inspection

    This option is not available when the Security Profiles Profile Type is set to Use Security Profile Group.

    Redirect URL

    Enter the redirect URL.

    This option is only available when the Action is Redirect.

    When the Action is Redirect, this field is required.

    Web Proxy Forwarding Server

    Select a web proxy forwarding server.

    This option is not available when the proxy type is set to FTP.

    Comments

    Add a description of the policy, such as its purpose, or the changes that have been made to it.

    Advanced Options

    Configure advanced options, see Advanced options below.

    For more information on advanced options, see the FortiOS CLI Reference.

    Change Note

    Add a description of the changes being made to the policy. This field is required.

  5. Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number. By default, policies will be added to the bottom of the list, but above the implicit policy.
Advanced options

Option

Description

Default

access-proxy

Select an IPv4 access proxy.

none

access-proxy6

Select an IPv6 access proxy.

none

block-notification

Enable or disable block notification.

disable

device-ownership

Enable or disable ownership enforcement at the policy level.

disable

dlp-profile

Select an existing data leak prevention (DLP) profile.

none

dstaddr-negate

Enable or disable negation of the values set in Destination.

disable

global-label

Enter the label for the policy to be displayed when the GUI is in Global View mode.

none

http-tunnel-auth

Enable or disable HTTP tunnel authentication

disable

internet-service-negate

Enable or disable negation of the internet service.

disable

label

Set the label for the policy to be displayed in the VDOM.

none

sctp-filter-profile

Select an existing stream control transmission protocol (SCTP) filter profile.

none

service-negate

Enable or disable negation of the service specified in Service.

disable

session-ttl

Session TTL for sessions accepted by this policy (300 - 6040800 seconds, 0 = use system default).

0

srcaddr-negate

Enable or disable negation of the source address.

disable

ssh-filter-profile

Select an existing SSH filter profile.

none

ssh-policy-redirect

Enable or disable SSH policy redirect.

disable

transparent

Enable or disable using the IP address of the client to connect to the server.

disable

uuid

Enter the universally unique identifier (UUID). This value is automatically assigned but can be manually reset.

00000000-0000- 0000-0000- 000000000000

webcache

Enable or disable web cache.

disable

webcache-https

Enable or disable web cache for HTTPS.

disable

webproxy-profile

Select a webproxy profile.

none

ztna-ems-tag

Select ZTNA EMS tags.

none

ztna-tags-match-logic

Set the logic used for matching ZTNA tags. The available options are and and or.

or