
Administration Guide

Create a new proxy policy

This section describes how to create web, FTP, WAN optimization (WANOpt), and ZTNA proxy policies.

Note

You must enable the visibility of this feature in Policy & Objects before it can be configured. To toggle feature visibility, go to Policy & Objects > Tools > Feature Visibility, and add or remove a checkmark for the corresponding feature.

Note

In earlier versions, ZTNA rules were special proxy policies that controlled access to the ZTNA servers, and they were configured from Policy & Objects > Policy Packages > ZTNA Rules. In this version and later, ZTNA rules are configured as a proxy policy by selecting the ZTNA proxy type in Policy & Objects > Policy Packages > Proxy Policy.

To create a new Proxy policy:
  1. Go to Policy & Objects > Policy Packages.
  2. In the tree menu for the policy package in which you will be creating the new policy, select Proxy Policy.
  3. Click Create New.
  4. Enter the following information:

    Option

    Description

    Name

    Enter a unique name for the policy. Each policy must have a unique name.

    Explicit Proxy Type

    Select the proxy type: Explicit Web, Transparent Web, FTP, WAN Optimize, or ZTNA.

    Incoming Interface

    Click the field then select interfaces.

    Click the remove icon to remove interfaces.

    This option is only available when the proxy type is set to Transparent Web.

    Outgoing Interface

    Select outgoing interfaces in the same manner as Incoming Interface.

    Source

    Select source addresses, address groups, virtual IPs, and virtual IP groups.

    ZTNA Tag

    For ZTNA proxy policies, select the ZTNA tags and tag groups. See Zero Trust Network Access (ZTNA) objects.

    This option is only available when the proxy type is set to ZTNA.

    Destination

    Select destination addresses, address groups, virtual IPs, and virtual IP groups.

    ZTNA Server

    For ZTNA proxy policies, select a ZTNA server. See Configuring a ZTNA server.

    This option is only available when the proxy type is set to ZTNA.

    Service

    Select services and service groups from the object selector pane.

    Schedule

    Select a one-time schedule, recurring schedule, or schedule group.

    Action

    Select an action for the policy to take: Deny, Accept, or Redirect.

    Redirect is only available when the proxy type is set to Explicit Web or Transparent Web.

    Log Allowed Traffic

    Select one of the following options:

    • No Log

    • Log Security Events

    • Log All Sessions

    If logging is set to Log All Sessions, select whether to generate logs when the session starts.

    This option is available when the Action is Accept.

    Log Violation Traffic

    Select to log violation traffic.

    This option is available when the Action is Deny.

    Display Disclaimer

    Set the Display Disclaimer: Disable, By Domain, By Policy, or By User.

    Optionally, if enabled, select a custom message in the Customize Messages field.

    This option is available when the Action is Accept.

    Security Profiles

    Select to add security profiles or profile groups.

    If Use Standard Security Profiles is selected, the following profile types can be added:

    • Antivirus Profile
    • Web Filter Profile (not available when the proxy type is set to FTP)
    • Video Filter Profile
    • Application Control (not available when the proxy type is set to FTP)
    • IPS Profile (not available when the proxy type is set to FTP)
    • File Filter Profile
    • ICAP (not available when the proxy type is set to FTP)
    • Web Application Firewall (not available when the proxy type is set to FTP)

    In Protocol Options, select a protocol options group.

    If Use Security Profile Group is selected, select the Profile Group.

    This option is available when the Action is Accept.

    SSL/SSH Inspection

    Select one of the following options for SSL/SSH Inspection:

    • certificate-inspection

    • custom-deep-inspection

    • deep-inspection

    • no-inspection

    This option is not available when the Profile Type under Security Profiles is set to Use Security Profile Group.

    Redirect URL

    Enter the redirect URL.

    This option is only available when the Action is Redirect.

    When the Action is Redirect, this field is required.

    Web Proxy Forwarding Server

    Select a web proxy forwarding server.

    This option is not available when the proxy type is set to FTP.

    Comments

    Add a description of the policy, such as its purpose, or the changes that have been made to it.

    Advanced Options

    Configure advanced options; see Advanced options below.

    For more information on the advanced options, see the FortiOS CLI Reference.

    Change Note

    Add a description of the changes being made to the policy. This field is required.

  5. Click OK to create the policy. You can enable or disable the policy from the right-click menu. When the policy is disabled, a disabled icon is displayed in the Seq.# column to the left of the number. By default, new policies are added to the bottom of the list, above the implicit policy.

Advanced options

Each option is listed with its description and its default value.

access-proxy

Select an IPv4 access proxy. Default: none.

access-proxy6

Select an IPv6 access proxy. Default: none.

block-notification

Enable or disable block notification. Default: disable.

device-ownership

Enable or disable ownership enforcement at the policy level. Default: disable.

dlp-profile

Select an existing data leak prevention (DLP) profile. Default: none.

dstaddr-negate

Enable or disable negation of the values set in Destination. Default: disable.

global-label

Enter the label for the policy to be displayed when the GUI is in Global View mode. Default: none.

http-tunnel-auth

Enable or disable HTTP tunnel authentication. Default: disable.

internet-service-negate

Enable or disable negation of the internet service. Default: disable.

label

Set the label for the policy to be displayed in the VDOM. Default: none.

sctp-filter-profile

Select an existing Stream Control Transmission Protocol (SCTP) filter profile. Default: none.

service-negate

Enable or disable negation of the service specified in Service. Default: disable.

session-ttl

Session TTL for sessions accepted by this policy (300 - 6040800 seconds; 0 = use the system default). Default: 0.

srcaddr-negate

Enable or disable negation of the source address. Default: disable.

ssh-filter-profile

Select an existing SSH filter profile. Default: none.

ssh-policy-redirect

Enable or disable SSH policy redirect. Default: disable.

transparent

Enable or disable using the IP address of the client to connect to the server. Default: disable.

uuid

Enter the universally unique identifier (UUID). This value is automatically assigned but can be manually reset. Default: 00000000-0000-0000-0000-000000000000.

webcache

Enable or disable web cache. Default: disable.

webcache-https

Enable or disable web cache for HTTPS. Default: disable.

webproxy-profile

Select a web proxy profile. Default: none.

ztna-ems-tag

Select ZTNA EMS tags. Default: none.

ztna-tags-match-logic

Set the logic used for matching ZTNA tags. The available options are "and" and "or". Default: or.
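The procedure above and the advanced options table describe a number of conditional constraints (Redirect is only valid for the web proxy types and requires a Redirect URL, Incoming Interface only applies to Transparent Web, ZTNA tag and ZTNA server only apply to the ZTNA proxy type, several profiles are unavailable for FTP, session-ttl must be 0 or within 300 - 6040800, and the tag match logic is "and" or "or"). As an added example that is not Fortinet's code and not part of this guide, the following Python script checks a proposed policy against those constraints before it is pushed, and then renders it as the FortiOS CLI stanza that the GUI fields correspond to. The CLI key names used for the GUI fields (srcintf, dstintf, logtraffic, logtraffic-start, profile-type, redirect-url, utm-status and the per-profile keys) are assumed from FortiOS CLI usage, and both sample policies are constructed for illustration.

```python
"""Lint a proposed proxy policy against the option constraints stated on this
page, then render it as a FortiOS 'config firewall proxy-policy' stanza.

Added example, not Fortinet code. CLI key names (srcintf, dstintf, logtraffic,
profile-type, redirect-url, ...) are assumed from FortiOS CLI usage; the sample
policies below are constructed, not taken from a real deployment."""

# Constraints taken from the option and advanced-option tables above.
PROXY_TYPES = {"explicit-web", "transparent-web", "ftp", "wanopt", "access-proxy"}  # access-proxy = ZTNA
WEB_TYPES = {"explicit-web", "transparent-web"}
ACTIONS = {"accept", "deny", "redirect"}
LOG_ALLOWED = {"disable", "utm", "all"}  # No Log / Log Security Events / Log All Sessions
DISCLAIMER = {"disable", "domain", "policy", "user"}
SSL_SSH_PROFILES = {"certificate-inspection", "custom-deep-inspection",
                    "deep-inspection", "no-inspection"}
# Profiles the table marks "not available when the proxy type is set to FTP"
# (assumed key names for Web Filter, Application Control, IPS, ICAP and WAF).
FTP_EXCLUDED = {"webfilter-profile", "application-list", "ips-sensor", "icap-profile", "waf-profile"}
# Values the CLI takes unquoted; every other string is a quoted object name.
ENUM_KEYS = {"proxy", "action", "logtraffic", "logtraffic-start", "disclaimer",
             "profile-type", "utm-status", "ztna-tags-match-logic", "status"}


def lint_proxy_policy(p: dict) -> list[str]:
    """Return the list of constraint violations; an empty list means the policy is consistent."""
    problems = []
    ptype, action = p.get("proxy"), p.get("action")
    if not p.get("name"):
        problems.append("name is required (and must be unique)")
    if ptype not in PROXY_TYPES:
        problems.append(f"unknown proxy type {ptype!r}")
    if action not in ACTIONS:
        problems.append(f"unknown action {action!r}")
    if "srcintf" in p and ptype != "transparent-web":
        problems.append("Incoming Interface (srcintf) is only available for Transparent Web")
    if action == "redirect":
        if ptype not in WEB_TYPES:
            problems.append("Redirect is only available for Explicit Web or Transparent Web")
        if not p.get("redirect-url"):
            problems.append("Redirect URL is required when the action is Redirect")
    elif "redirect-url" in p:
        problems.append("Redirect URL is only available when the action is Redirect")
    if ptype == "access-proxy":
        if not p.get("ztna-ems-tag"):
            problems.append("ZTNA policies need at least one ZTNA tag (ztna-ems-tag)")
        if not p.get("access-proxy"):
            problems.append("ZTNA policies need a ZTNA server (access-proxy)")
    else:
        for key in ("ztna-ems-tag", "access-proxy"):
            if key in p:
                problems.append(f"{key} is only available when the proxy type is ZTNA")
    if action == "accept":  # logging, disclaimer and security profiles only apply to Accept
        if p.get("logtraffic", "disable") not in LOG_ALLOWED:
            problems.append(f"invalid logtraffic value {p.get('logtraffic')!r}")
        if p.get("logtraffic-start") == "enable" and p.get("logtraffic") != "all":
            problems.append("logging at session start only applies to Log All Sessions")
        if p.get("disclaimer", "disable") not in DISCLAIMER:
            problems.append(f"invalid disclaimer value {p.get('disclaimer')!r}")
        if ptype == "ftp":
            for key in sorted(FTP_EXCLUDED.intersection(p)):
                problems.append(f"{key} is not available when the proxy type is FTP")
        if p.get("profile-type") == "group":
            if "ssl-ssh-profile" in p:
                problems.append("SSL/SSH Inspection is not available with a security profile group")
            if not p.get("profile-group"):
                problems.append("profile-type group requires a profile-group")
        elif "ssl-ssh-profile" in p and p["ssl-ssh-profile"] not in SSL_SSH_PROFILES:
            problems.append(f"{p['ssl-ssh-profile']!r} is not one of the listed SSL/SSH inspection profiles")
    if ptype == "ftp" and "webproxy-forward-server" in p:
        problems.append("Web Proxy Forwarding Server is not available when the proxy type is FTP")
    ttl = p.get("session-ttl", 0)
    if not (ttl == 0 or 300 <= ttl <= 6040800):
        problems.append(f"session-ttl {ttl} is outside 300-6040800 (0 = system default)")
    if p.get("ztna-tags-match-logic", "or") not in {"and", "or"}:
        problems.append("ztna-tags-match-logic must be 'and' or 'or'")
    return problems


def _cli_value(key: str, value) -> str:
    """Quote object names; leave enums, enable/disable and numbers bare."""
    if isinstance(value, (list, tuple)):
        return " ".join(f'"{v}"' for v in value)
    if isinstance(value, int) or key in ENUM_KEYS or value in ("enable", "disable"):
        return str(value)
    return f'"{value}"'


def render_cli(p: dict, policy_id: int = 1) -> str:
    """Render the policy as the CLI stanza the GUI fields map to (key names assumed)."""
    lines = ["config firewall proxy-policy", f"    edit {policy_id}"]
    lines += [f"        set {key} {_cli_value(key, value)}" for key, value in p.items()]
    lines += ["    next", "end"]
    return "\n".join(lines)


# Constructed sample: an explicit web proxy policy with standard security profiles.
SAMPLE_POLICY = {
    "name": "explicit-web-egress", "proxy": "explicit-web", "dstintf": ["port1"],
    "srcaddr": ["lan-clients"], "dstaddr": ["all"], "service": ["webproxy"],
    "schedule": "always", "action": "accept", "logtraffic": "all", "logtraffic-start": "enable",
    "utm-status": "enable", "profile-type": "single", "av-profile": "default",
    "webfilter-profile": "default", "ssl-ssh-profile": "certificate-inspection",
    "profile-protocol-options": "default", "session-ttl": 3600,
    "comments": "Outbound explicit web proxy for LAN clients",
}
# Constructed sample that breaks three of the stated constraints.
BAD_POLICY = {
    "name": "ftp-redirect", "proxy": "ftp", "dstintf": ["port1"], "srcaddr": ["all"],
    "dstaddr": ["all"], "service": ["FTP"], "schedule": "always", "action": "redirect",
    "session-ttl": 100,
}

if __name__ == "__main__":
    for pol in (SAMPLE_POLICY, BAD_POLICY):
        issues = lint_proxy_policy(pol)
        print(f"{pol['name']}: {'OK' if not issues else 'REJECTED'}")
        for issue in issues:
            print("  -", issue)
    print(render_cli(SAMPLE_POLICY))
```

Running the script accepts the first policy and rejects the second with three findings (Redirect on an FTP proxy, missing Redirect URL, and a session-ttl below 300); the rendered stanza is what a reviewer would diff against the running configuration after the policy package is installed.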
