CLI Reference

config web-proxy global

Configure Web proxy global settings.

config web-proxy global
    Description: Configure Web proxy global settings.
    set ssl-cert {string}
    set ssl-ca-cert {string}
    set fast-policy-match [enable|disable]
    set ldap-user-cache [enable|disable]
    set proxy-fqdn {string}
    set max-request-length {integer}
    set max-message-length {integer}
    set strict-web-check [enable|disable]
    set forward-proxy-auth [enable|disable]
    set forward-server-affinity-timeout {integer}
    set webproxy-profile {string}
    set learn-client-ip [disable|traffic-process|...]
    set always-learn-client-ip [enable|disable]
    set learn-client-ip-from-header {option1}, {option2}, ...
    set learn-client-ip-srcaddr <name1>, <name2>, ...
    set learn-client-ip-srcaddr6 <name1>, <name2>, ...
    set src-affinity-exempt-addr {ipv4-address-any}
    set src-affinity-exempt-addr6 {ipv6-address}
    set strict-guest [enable|disable]
    set https-replacement-message [enable|disable]
    set message-upon-server-error [enable|disable]
    set trace-auth-no-rsp [enable|disable]
    set policy-category-deep-inspect [enable|disable]
    set log-policy-pending [enable|disable]
    set log-forward-server [enable|disable]
    set extended-log [enable|disable]
    set log-http-transaction [disable|enable]
    set log-app-id [enable|disable]
    set proxy-transparent-cert-inspection [enable|disable]
    set request-obs-fold [replace-with-sp|block|...]
    set explicit-outgoing-ip {ipv4-address-any}
    set explicit-outgoing-ip6 {ipv6-address}
    set realm {string}
end

config web-proxy global

ssl-cert
    Description: SSL certificate for SSL interception.
    Type: string
    Size: Maximum length: 35
    Default: default-server-cert

ssl-ca-cert
    Description: SSL CA certificate for SSL interception.
    Type: string
    Size: Maximum length: 35
    Default: default-ca

fast-policy-match
    Description: Enable/disable the fast matching algorithm for explicit and transparent proxy policy.
    Type: option
    Size: -
    Default: enable
    Options:
        enable: Enable setting.
        disable: Disable setting.

ldap-user-cache
    Description: Enable/disable the LDAP user cache for explicit and transparent proxy users.
    Type: option
    Size: -
    Default: enable
    Options:
        enable: Enable setting.
        disable: Disable setting.

proxy-fqdn
    Description: Fully qualified domain name used to connect to the explicit web proxy.
    Type: string
    Size: Maximum length: 255
    Default: default.fqdn

max-request-length
    Description: Maximum length of the HTTP request line.
    Type: integer
    Size: Minimum value: 2, Maximum value: 64
    Default: 8

max-message-length
    Description: Maximum length of an HTTP message, not including the body.
    Type: integer
    Size: Minimum value: 16, Maximum value: 256
    Default: 32

strict-web-check
    Description: Enable/disable strict web checking, which blocks web sites that send incorrect headers that do not conform to HTTP 1.1.
    Type: option
    Size: -
    Default: disable
    Options:
        enable: Enable strict web checking.
        disable: Disable strict web checking.

forward-proxy-auth
    Description: Enable/disable forwarding of proxy authentication headers.
    Type: option
    Size: -
    Default: disable
    Options:
        enable: Enable forwarding proxy authentication headers.
        disable: Disable forwarding proxy authentication headers.

forward-server-affinity-timeout
    Description: Period of time before a source IP's traffic is no longer assigned to the forwarding server.
    Type: integer
    Size: Minimum value: 6, Maximum value: 60
    Default: 30

webproxy-profile
    Description: Name of the web proxy profile to apply when explicit proxy traffic is allowed by default and traffic that does not match an explicit proxy policy is accepted.
    Type: string
    Size: Maximum length: 63

learn-client-ip
    Description: Learn the client's IP address from headers.
    Type: option
    Size: -
    Default: disable
    Options:
        disable: Do not learn the client's IP address from headers.
        traffic-process: Learn the client's IP address from headers and use it for both policy matching and logging.
        log-only: Learn the client's IP address from headers and use it only for logging.

always-learn-client-ip
    Description: Enable/disable learning the client's IP address from headers for every request.
    Type: option
    Size: -
    Default: disable
    Options:
        enable: Enable learning the client's IP address from headers for every request.
        disable: Disable learning the client's IP address from headers for every request.

learn-client-ip-from-header
    Description: Learn the client IP address from the specified headers.
    Type: option
    Size: -
    Options:
        true-client-ip: Learn the client IP address from the True-Client-IP header.
        x-real-ip: Learn the client IP address from the X-Real-IP header.
        x-forwarded-for: Learn the client IP address from the X-Forwarded-For header.

learn-client-ip-srcaddr <name>
    Description: Source address name (srcaddr or srcaddr6 must be set).
    name: Address name.
        Type: string
        Size: Maximum length: 79

learn-client-ip-srcaddr6 <name>
    Description: IPv6 source address name (srcaddr or srcaddr6 must be set).
    name: Address name.
        Type: string
        Size: Maximum length: 79
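
How learn-client-ip, learn-client-ip-from-header and learn-client-ip-srcaddr fit together can be modelled in a few lines: a client address is taken from a header only when the connection's real peer is inside a trusted source-address set, and the learned address is used for policy matching, for logging only, or not at all depending on the mode. The Python below is an added example written for this page, not Fortinet code and not a description of FortiOS internals; the header consultation order, the use of CIDR strings in place of FortiOS address objects, and the sample requests are assumptions of the example.

```python
"""Added example (not Fortinet code): models the trust decision behind
learn-client-ip, learn-client-ip-from-header and learn-client-ip-srcaddr.
CIDR strings stand in for FortiOS address objects; header order and the
sample requests are constructed for this example."""
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# Values of learn-client-ip and learn-client-ip-from-header from the table above.
LEARN_MODES = ("disable", "traffic-process", "log-only")
FROM_HEADER_OPTIONS = ("true-client-ip", "x-real-ip", "x-forwarded-for")


def _first_valid_ip(raw: str) -> Optional[str]:
    """X-Forwarded-For may hold a comma-separated chain. This example takes
    the left-most syntactically valid address (the original client in the
    usual convention) and ignores anything that does not parse."""
    for part in raw.split(","):
        try:
            return str(ipaddress.ip_address(part.strip()))
        except ValueError:
            continue
    return None


def learn_client_ip(peer_ip: str, headers: Dict[str, str], mode: str,
                    from_headers: Iterable[str],
                    trusted_srcaddr: Iterable[str]) -> Tuple[str, str]:
    """Return (ip_for_policy, ip_for_log) for one request.

    peer_ip          address the TCP connection actually came from
    headers          request headers as received
    mode             learn-client-ip value
    from_headers     selected learn-client-ip-from-header options, in the
                     order this example consults them (an assumption)
    trusted_srcaddr  CIDRs standing in for the learn-client-ip-srcaddr
                     objects: only peers inside them may name the client
    """
    if mode not in LEARN_MODES:
        raise ValueError(f"unknown learn-client-ip mode: {mode!r}")
    if mode == "disable":
        return peer_ip, peer_ip

    peer = ipaddress.ip_address(peer_ip)
    # ip_network.__contains__ returns False for a mismatched IP version,
    # so mixing v4 and v6 entries here is safe.
    if not any(peer in ipaddress.ip_network(cidr) for cidr in trusted_srcaddr):
        # Untrusted peer: any client-IP header is attacker-controlled, so
        # the real peer address is used for both policy and logging.
        return peer_ip, peer_ip

    lowered = {k.lower(): v for k, v in headers.items()}
    for opt in from_headers:
        if opt not in FROM_HEADER_OPTIONS:
            raise ValueError(f"unknown learn-client-ip-from-header option: {opt!r}")
        learned = _first_valid_ip(lowered.get(opt, ""))
        if learned:
            break
    else:
        # No selected header carried a usable address.
        return peer_ip, peer_ip

    if mode == "log-only":
        return peer_ip, learned
    return learned, learned  # traffic-process: policy and log both use it


if __name__ == "__main__":
    # Constructed sample: a trusted upstream proxy on 10.1.1.5 forwards a
    # request whose X-Forwarded-For names the original client.
    trusted = ["10.0.0.0/8"]
    req = {"X-Forwarded-For": "203.0.113.7, 10.1.1.5"}
    print(learn_client_ip("10.1.1.5", req, "traffic-process", ["x-forwarded-for"], trusted))
    print(learn_client_ip("198.51.100.9", req, "traffic-process", ["x-forwarded-for"], trusted))
```

The srcaddr check is the important part: without it, any host that can reach the proxy could place an arbitrary address in X-Forwarded-For and, under traffic-process, have policy evaluated against that address and logs record it. Restricting learn-client-ip-srcaddr to the upstream proxies or load balancers that actually set the header keeps the learned value on the right side of the trust boundary.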

src-affinity-exempt-addr
    Description: IPv4 source addresses to exempt from proxy affinity.
    Type: ipv4-address-any
    Default: Not Specified

src-affinity-exempt-addr6
    Description: IPv6 source addresses to exempt from proxy affinity.
    Type: ipv6-address
    Default: Not Specified

strict-guest
    Description: Enable/disable strict guest user checking by the explicit web proxy.
    Type: option
    Size: -
    Default: disable
    Options:
        enable: Enable strict guest user checking.
        disable: Disable strict guest user checking.

https-replacement-message
    Description: Default action: enable or disable returning a replacement message for HTTPS requests.
    Type: option
    Size: -
    Default: enable
    Options:
        enable: Display a replacement message for HTTPS requests.
        disable: Do not display a replacement message for HTTPS requests.

message-upon-server-error
    Description: Enable/disable returning a replacement message when a server error is detected.
    Type: option
    Size: -
    Default: enable
    Options:
        enable: Display a replacement message when a server error is detected.
        disable: Do not display a replacement message when a server error is detected.

trace-auth-no-rsp
    Description: Enable/disable logging of timed-out authentication requests.
    Type: option
    Size: -
    Default: disable
    Options:
        enable: Enable logging timed-out authentication requests.
        disable: Disable logging timed-out authentication requests.

policy-category-deep-inspect
    Description: Enable/disable deep inspection for application-level category policy matching.
    Type: option
    Size: -
    Default: enable
    Options:
        enable: Enable deep inspection for application-level category policy matching.
        disable: Disable deep inspection for application-level category policy matching.

log-policy-pending
    Description: Enable/disable logging of sessions that are pending policy matching.
    Type: option
    Size: -
    Default: disable
    Options:
        enable: Enable logging sessions that are pending policy matching.
        disable: Disable logging sessions that are pending policy matching.

log-forward-server
    Description: Enable/disable logging of the forward server name in the forward traffic log.
    Type: option
    Size: -
    Default: disable
    Options:
        enable: Enable logging the forward server name in the forward traffic log.
        disable: Disable logging the forward server name in the forward traffic log.

extended-log
    Description: Enable/disable the extended log of HTTP transactions for the implicit policy.
    Type: option
    Size: -
    Default: disable
    Options:
        enable: Enable logging extended HTTP information for the implicit policy.
        disable: Disable logging extended HTTP information for the implicit policy.

log-http-transaction
    Description: Enable/disable the HTTP transaction log for the implicit policy.
    Type: option
    Size: -
    Default: disable
    Options:
        disable: Disable the HTTP transaction log.
        enable: Enable the HTTP transaction log.

log-app-id
    Description: Enable/disable always logging the application type in the traffic log.
    Type: option
    Size: -
    Default: disable
    Options:
        enable: Enable logging the application type in the traffic log.
        disable: Disable logging the application type in the traffic log.

proxy-transparent-cert-inspection
    Description: Enable/disable certificate inspection by the transparent proxy.
    Type: option
    Size: -
    Default: disable
    Options:
        enable: Enable proxying certificate inspection in transparent mode.
        disable: Disable proxying certificate inspection in transparent mode.

request-obs-fold
    Description: Action to take when an HTTP/1.x request header contains obs-fold.
    Type: option
    Size: -
    Default: keep
    Options:
        replace-with-sp: Replace the CRLF of each obs-fold with SP in the request header for HTTP/1.x.
        block: Block HTTP/1.x requests with obs-fold.
        keep: Keep obs-fold in the request header for HTTP/1.x. There are known security risks.
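
The three request-obs-fold options map onto what RFC 7230 section 3.2.4 says about obsolete line folding (a header value continued on a following line that begins with SP or HTAB): a recipient must either reject such a message or replace each obs-fold with one or more SP before interpreting the field, and passing the fold through unchanged is what the RFC rules out. The Python below is an added example, not Fortinet code, that applies each action to a constructed request head and shows what a strict fold-unaware parser makes of a kept fold; the request bytes and function names are constructed for the example.

```python
"""Added example (not Fortinet code): applies the request-obs-fold actions
replace-with-sp, block and keep to a raw HTTP/1.x request head. The
request bytes and helper names are constructed for this example."""
from typing import Dict, List

# The values request-obs-fold accepts, from the table above.
OBS_FOLD_ACTIONS = ("replace-with-sp", "block", "keep")
BODY_SEP = b"\r\n\r\n"


class ObsFoldBlocked(ValueError):
    """Raised for action 'block' when the request head contains obs-fold."""


def split_head(head: bytes) -> List[bytes]:
    """Split a request head (request line + headers + CRLF CRLF terminator)
    into its lines, dropping the terminator."""
    if not head.endswith(BODY_SEP):
        raise ValueError("request head must end with CRLF CRLF")
    return head[:-len(BODY_SEP)].split(b"\r\n")


def obs_fold_lines(head: bytes) -> List[int]:
    """Indexes of lines that begin with SP or HTAB, i.e. obs-fold
    continuations (RFC 7230 s3.2.4). The request line (index 0) cannot fold."""
    lines = split_head(head)
    return [i for i, line in enumerate(lines)
            if i > 0 and line[:1] in (b" ", b"\t")]


def apply_obs_fold_action(head: bytes, action: str) -> bytes:
    """Return the head to forward, or raise ObsFoldBlocked for 'block'."""
    if action not in OBS_FOLD_ACTIONS:
        raise ValueError(f"unknown request-obs-fold action: {action!r}")
    folded = obs_fold_lines(head)
    if not folded or action == "keep":
        return head
    if action == "block":
        raise ObsFoldBlocked(f"obs-fold at header line(s) {folded}")
    # replace-with-sp: join each continuation onto the preceding field line
    # with a single SP, the normalisation RFC 7230 permits before parsing.
    lines = split_head(head)
    out: List[bytes] = [lines[0]]
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            out[-1] = out[-1] + b" " + line.strip(b" \t")
        else:
            out.append(line)
    return b"\r\n".join(out) + BODY_SEP


def parse_headers(head: bytes) -> Dict[str, str]:
    """Strict parse of the header lines: every line must be 'name: value'.
    A fold-unaware hop behaves like this, so a kept fold is rejected here."""
    headers: Dict[str, str] = {}
    for line in split_head(head)[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name or name[:1] in (b" ", b"\t"):
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.decode("ascii").strip().lower()] = value.strip().decode("ascii")
    return headers


# Constructed sample request whose X-Note value is folded onto a second line.
FOLDED_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: example.test\r\n"
                  b"X-Note: first\r\n"
                  b"\tsecond part\r\n"
                  b"User-Agent: demo\r\n\r\n")


if __name__ == "__main__":
    clean = apply_obs_fold_action(FOLDED_REQUEST, "replace-with-sp")
    print(parse_headers(clean))
    for action in ("block", "keep"):
        try:
            parse_headers(apply_obs_fold_action(FOLDED_REQUEST, action))
        except ValueError as exc:
            print(f"{action}: {exc}")
```

With replace-with-sp the folded X-Note line becomes a single field that any parser reads the same way; with block the request never reaches the server; with keep (the default in the table above) the folded line is forwarded as-is, and a downstream parser that does not recognise folding sees a line with no field name, which is where the interpretation differences behind the "known security risks" note begin.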

explicit-outgoing-ip
    Description: Outgoing HTTP requests from the explicit web proxy use this IPv4 address as their source address. An interface must have this IP address.
    Type: ipv4-address-any
    Default: Not Specified

explicit-outgoing-ip6
    Description: Outgoing HTTP requests from the explicit web proxy use this IPv6 address as their source address. An interface must have this IP address.
    Type: ipv6-address
    Default: Not Specified

realm
    Description: Authentication realm.
    Type: string
    Size: Maximum length: 63
    Default: default
