Create a new proxy policy
This section describes how to create web, FTP, and WAN optimization (WANOpt) proxy policies.
You must enable the visibility of this feature in Policy & Objects before it can be configured. To toggle feature visibility, go to Policy & Objects > Tools > Feature Visibility, and add or remove a checkmark for the corresponding feature. |
To create a new Proxy policy:
- Go to Policy & Objects > Policy Packages.
- In the tree menu for the policy package in which you will be creating the new policy, select Proxy Policy.
- Click Create New.
- Enter the following information:
Option
Description
Name
Enter a unique name for the policy. Each policy must have a unique name.
Explicit Proxy Type
Select the explicit proxy type: Explicit Web, Transparent Web, FTP, or WAN Optimize.
Incoming Interface
Click the field then select interfaces.
Click the remove icon to remove interfaces.
This option is only available when the proxy type is set to Transparent Web.
Outgoing Interface
Select outgoing interfaces in the same manner as Incoming Interface.
Source
Select source aaddresses, address groups, virtual IPs, and virtual IP groups.
Destination
Select destination addresses, address groups, virtual IPs, and virtual IP groups.
Service
Select services and service groups from the object selector pane.
Schedule
Select a one-time schedule, recurring schedule, or schedule group.
Action
Select an action for the policy to take: Deny, Accept, or Redirect.
Redirect is only available when the proxy type is set to Explicit Web or Transparent Web.
Log Allowed Traffic
Select one of the following options:
No Log
Log Security Events
Log All Sessions
If logging is set to Log All Sessions, select whether to generate logs when the session starts.
This option is available when the Action is Accept.
Log Violation Traffic
Select to log violation traffic.
This option is available when the Action is Deny.
Display Disclaimer
Set the Display Disclaimer: Disable, By Domain, By Policy, or By User.
Optionally, if enabled, select a custom message in the Customize Messages field.
This option is available when the Action is Accept.
Security Profiles
Select to add security profiles or profile groups.
If Use Standard Security Profiles is selected the following profile types can be added:
- Antivirus Profile
- Web Filter Profile (not available when the proxy type is set to FTP)
- Video Profile Filter
- Application Control (not available when the proxy type is set to FTP)
- IPS Profile (not available when the proxy type is set to FTP)
- File Filter Profile
- ICAP (not available when the proxy type is set to FTP)
- Web Application Firewall (not available when the proxy type is set to FTP)
In Protocol Options, select a protocol options group.
If Use Security Profile Group is selected, select the Profile Group.
This option is available when the Action is Accept.
SSL/SSH Inspection
Select one of the following options for SSL/SSH Inspection:certificate-inspectioncustom-deep-inspectiondeep-inspectionno-inspection
This option is not available when the Security Profiles Profile Type is set to Use Security Profile Group.
Redirect URL
Enter the redirect URL.
This option is only available when the Action is Redirect.
When the Action is Redirect, this field is required.
Web Proxy Forwarding Server
Select a web proxy forwarding server.
This option is not available when the proxy type is set to FTP.
Comments
Add a description of the policy, such as its purpose, or the changes that have been made to it.
Advanced Options
Configure advanced options, see Advanced options below.
For more information on advanced option, see the FortiOS CLI Reference.
Change Note
Add a description of the changes being made to the policy. This field is required.
- Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number. By default, policies will be added to the bottom of the list, but above the implicit policy.
Advanced options
Option |
Description |
Default |
---|---|---|
access-proxy |
Select an IPv4 access proxy. |
none |
access-proxy6 |
Select an IPv6 access proxy. |
none |
block-notification |
Enable or disable block notification. |
disable |
device-ownership |
Enable or disable ownership enforcement at the policy level. |
disable |
dlp-profile |
Select an existing data leak prevention (DLP) profile. |
none |
dstaddr-negate |
Enable or disable negation of the values set in Destination. |
disable |
global-label |
Enter the label for the policy to be displayed when the GUI is in Global View mode. |
none |
http-tunnel-auth |
Enable or disable HTTP tunnel authentication |
disable |
internet-service-negate |
Enable or disable negation of the internet service. |
disable |
label |
Set the label for the policy to be displayed in the VDOM. |
none |
sctp-filter-profile |
Select an existing stream control transmission protocol (SCTP) filter profile. |
none |
service-negate |
Enable or disable negation of the service specified in Service. |
disable |
session-ttl |
Session TTL for sessions accepted by this policy (300 - 6040800 seconds, 0 = use system default). |
0 |
srcaddr-negate |
Enable or disable negation of the source address. |
disable |
ssh-filter-profile |
Select an existing SSH filter profile. |
none |
ssh-policy-redirect |
Enable or disable SSH policy redirect. |
disable |
transparent |
Enable or disable using the IP address of the client to connect to the server. |
disable |
uuid |
Enter the universally unique identifier (UUID). This value is automatically assigned but can be manually reset. |
00000000-0000- 0000-0000- 000000000000 |
webcache |
Enable or disable web cache. |
disable |
webcache-https |
Enable or disable web cache for HTTPS. |
disable |
webproxy-profile |
Select a webproxy profile. |
none |
ztna-ems-tag |
Select ZTNA EMS tags. |
none |
ztna-tags-match-logic |
Set the logic used for matching ZTNA tags. The available options are and and |
or |