Fortinet white logo
Fortinet white logo

CLI Reference

config web-proxy explicit

config web-proxy explicit

Configure explicit Web proxy settings.

config web-proxy explicit
    Description: Configure explicit Web proxy settings.
    edit <name>
        set status [enable|disable]
        set interface {string}
        set ftp-over-http [enable|disable]
        set socks [enable|disable]
        set http-incoming-port {integer}
        set https-incoming-port {integer}
        set ftp-incoming-port {integer}
        set socks-incoming-port {integer}
        set incoming-ip {ipv4-address-any}
        set ipv6-status [enable|disable]
        set incoming-ip6 {ipv6-address}
        set pref-dns-result [ipv4|ipv6]
        set unknown-http-version [reject|tunnel|...]
        set realm {string}
        set sec-default-action [accept|deny]
        set pac-file-server-status [enable|disable]
        set pac-file-server-port {integer}
        set pac-file-name {string}
        set pac-file-data {user}
        set pac-file-url {user}
        set ssl-algorithm [high|medium|...]
        set return-to-sender [enable|disable]
    next
end

config web-proxy explicit

Parameter

Description

Type

Size

name

object name

string

Maximum length: 35

status

Enable/disable the explicit Web proxy for HTTP and HTTPS session.

option

-

Option

Description

enable

Enable the explicit web proxy.

disable

Disable the explicit web proxy.

interface

interface name

string

Maximum length: 15

ftp-over-http

Enable to proxy FTP-over-HTTP sessions sent from a web browser.

option

-

Option

Description

enable

Enable FTP-over-HTTP sessions.

disable

Disable FTP-over-HTTP sessions.

socks

Enable/disable the SOCKS proxy.

option

-

Option

Description

enable

Enable the SOCKS proxy.

disable

Disable the SOCKS proxy.

http-incoming-port

Accept incoming HTTP requests on one or more ports.

integer

Minimum value: 0 Maximum value: 65535

https-incoming-port

Accept incoming HTTPS requests on one or more ports.

integer

Minimum value: 0 Maximum value: 65535

ftp-incoming-port

Accept incoming FTP-over-HTTP requests on one or more ports.

integer

Minimum value: 0 Maximum value: 65535

socks-incoming-port

Accept incoming SOCKS proxy requests on one or more ports.

integer

Minimum value: 0 Maximum value: 65535

incoming-ip

Restrict the explicit HTTP proxy to only accept sessions from this IP address. An interface must have this IP address.

ipv4-address-any

Not Specified

ipv6-status

Enable/disable allowing an IPv6 web proxy destination in policies and all IPv6 related entries in this command.

option

-

Option

Description

enable

Enable allowing an IPv6 web proxy destination.

disable

Disable allowing an IPv6 web proxy destination.

incoming-ip6

Restrict the explicit web proxy to only accept sessions from this IPv6 address. An interface must have this IPv6 address.

ipv6-address

Not Specified

pref-dns-result

IPv4 or IPv6 DNS result preference.

option

-

Option

Description

ipv4

Prefer the IPv4 DNS server.

ipv6

Prefer the IPv6 DNS server.

unknown-http-version

How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1.

option

-

Option

Description

reject

Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.

tunnel

Pass HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying HTTP protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied.

best-effort

Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, it may not parse correctly and the connection may be lost.

realm

Authentication realm used to identify the explicit web proxy (maximum of 63 characters).

string

Maximum length: 63

sec-default-action

Accept or deny explicit web proxy sessions when no web proxy firewall policy exists.

option

-

Option

Description

accept

Accept requests. All explicit web proxy traffic is accepted whether there is an explicit web proxy policy or not.

deny

Deny requests unless there is a matching explicit web proxy policy.

pac-file-server-status

Enable/disable Proxy Auto-Configuration (PAC) for users of this explicit proxy profile.

option

-

Option

Description

enable

Enable Proxy Auto-Configuration (PAC).

disable

Disable Proxy Auto-Configuration (PAC).

pac-file-server-port

Port number that PAC traffic from client web browsers uses to connect to the explicit web proxy.

integer

Minimum value: 0 Maximum value: 65535

pac-file-name

Name of the PAC file.

string

Maximum length: 63

pac-file-data

PAC file contents enclosed in quotes (maximum of 8192 bytes).

user

Not Specified

pac-file-url

PAC file access URL.

user

Not Specified

ssl-algorithm

Relative strength of encryption algorithms accepted in HTTPS deep scan: high, medium, or low.

option

-

Option

Description

high

High encrption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

return-to-sender

Enable/disable return-to-sender.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

config web-proxy explicit

config web-proxy explicit

Configure explicit Web proxy settings.

config web-proxy explicit
    Description: Configure explicit Web proxy settings.
    edit <name>
        set status [enable|disable]
        set interface {string}
        set ftp-over-http [enable|disable]
        set socks [enable|disable]
        set http-incoming-port {integer}
        set https-incoming-port {integer}
        set ftp-incoming-port {integer}
        set socks-incoming-port {integer}
        set incoming-ip {ipv4-address-any}
        set ipv6-status [enable|disable]
        set incoming-ip6 {ipv6-address}
        set pref-dns-result [ipv4|ipv6]
        set unknown-http-version [reject|tunnel|...]
        set realm {string}
        set sec-default-action [accept|deny]
        set pac-file-server-status [enable|disable]
        set pac-file-server-port {integer}
        set pac-file-name {string}
        set pac-file-data {user}
        set pac-file-url {user}
        set ssl-algorithm [high|medium|...]
        set return-to-sender [enable|disable]
    next
end

config web-proxy explicit

Parameter

Description

Type

Size

name

object name

string

Maximum length: 35

status

Enable/disable the explicit Web proxy for HTTP and HTTPS session.

option

-

Option

Description

enable

Enable the explicit web proxy.

disable

Disable the explicit web proxy.

interface

interface name

string

Maximum length: 15

ftp-over-http

Enable to proxy FTP-over-HTTP sessions sent from a web browser.

option

-

Option

Description

enable

Enable FTP-over-HTTP sessions.

disable

Disable FTP-over-HTTP sessions.

socks

Enable/disable the SOCKS proxy.

option

-

Option

Description

enable

Enable the SOCKS proxy.

disable

Disable the SOCKS proxy.

http-incoming-port

Accept incoming HTTP requests on one or more ports.

integer

Minimum value: 0 Maximum value: 65535

https-incoming-port

Accept incoming HTTPS requests on one or more ports.

integer

Minimum value: 0 Maximum value: 65535

ftp-incoming-port

Accept incoming FTP-over-HTTP requests on one or more ports.

integer

Minimum value: 0 Maximum value: 65535

socks-incoming-port

Accept incoming SOCKS proxy requests on one or more ports.

integer

Minimum value: 0 Maximum value: 65535

incoming-ip

Restrict the explicit HTTP proxy to only accept sessions from this IP address. An interface must have this IP address.

ipv4-address-any

Not Specified

ipv6-status

Enable/disable allowing an IPv6 web proxy destination in policies and all IPv6 related entries in this command.

option

-

Option

Description

enable

Enable allowing an IPv6 web proxy destination.

disable

Disable allowing an IPv6 web proxy destination.

incoming-ip6

Restrict the explicit web proxy to only accept sessions from this IPv6 address. An interface must have this IPv6 address.

ipv6-address

Not Specified

pref-dns-result

IPv4 or IPv6 DNS result preference.

option

-

Option

Description

ipv4

Prefer the IPv4 DNS server.

ipv6

Prefer the IPv6 DNS server.

unknown-http-version

How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1.

option

-

Option

Description

reject

Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.

tunnel

Pass HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying HTTP protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied.

best-effort

Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, it may not parse correctly and the connection may be lost.

realm

Authentication realm used to identify the explicit web proxy (maximum of 63 characters).

string

Maximum length: 63

sec-default-action

Accept or deny explicit web proxy sessions when no web proxy firewall policy exists.

option

-

Option

Description

accept

Accept requests. All explicit web proxy traffic is accepted whether there is an explicit web proxy policy or not.

deny

Deny requests unless there is a matching explicit web proxy policy.

pac-file-server-status

Enable/disable Proxy Auto-Configuration (PAC) for users of this explicit proxy profile.

option

-

Option

Description

enable

Enable Proxy Auto-Configuration (PAC).

disable

Disable Proxy Auto-Configuration (PAC).

pac-file-server-port

Port number that PAC traffic from client web browsers uses to connect to the explicit web proxy.

integer

Minimum value: 0 Maximum value: 65535

pac-file-name

Name of the PAC file.

string

Maximum length: 63

pac-file-data

PAC file contents enclosed in quotes (maximum of 8192 bytes).

user

Not Specified

pac-file-url

PAC file access URL.

user

Not Specified

ssl-algorithm

Relative strength of encryption algorithms accepted in HTTPS deep scan: high, medium, or low.

option

-

Option

Description

high

High encrption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

return-to-sender

Enable/disable return-to-sender.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.