CLI Reference

web-proxy explicit

Note: This command is only available when the FortiGate is in Proxy-based inspection mode.

Use this command to enable the explicit web proxy and set the TCP port used by the explicit proxy.

Until status is set to enable, only the following entries are available:

  • status
  • ipv6-status
  • strict-guest
  • https-replacement-message
  • ssl-algorithm

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command:

config pac-policy
    edit <id>
        set srcaddr <src-addr>
        set srcaddr6 <src-addr6>
        set dstaddr <dst-addr>
        set pac-file-name <pac-file-name>
        set pac-file-data "<pac-file>"
        set comments [comment]
    next
...

Description:

Configure proxy auto-config (PAC) policies. PAC files let browsers and other user agents automatically choose the appropriate proxy server, but not every user in an organization has the same criteria for what is appropriate. Supporting multiple PAC files gives more granular control. To support the use of multiple PAC files, a PAC policy is used.

Note that config pac-policy is only available when status is set to enable, and pac-file-server-status is set to enable.

config web-proxy explicit
    set status {enable | disable}   Enable/disable the explicit web proxy for HTTP and HTTPS sessions.
    set ftp-over-http {enable | disable}   Enable to proxy FTP-over-HTTP sessions sent from a web browser.
    set socks {enable | disable}   Enable/disable the SOCKS proxy.
    set http-incoming-port {string}   Accept incoming HTTP requests on one or more ports (0 - 65535, default = 8080).
    set https-incoming-port {string}   Accept incoming HTTPS requests on one or more ports (0 - 65535, default = 0, use the same as HTTP).
    set ftp-incoming-port {string}   Accept incoming FTP-over-HTTP requests on one or more ports (0 - 65535, default = 0; use the same as HTTP).
    set socks-incoming-port {string}   Accept incoming SOCKS proxy requests on one or more ports (0 - 65535, default = 0; use the same as HTTP).
    set incoming-ip {ipv4 address any}   Restrict the explicit HTTP proxy to only accept sessions from this IP address. An interface must have this IP address.
    set outgoing-ip {ipv4 address any}   Outgoing HTTP requests will have this IP address as their source address. An interface must have this IP address.
    set ipv6-status {enable | disable}   Enable/disable allowing an IPv6 web proxy destination in policies and all IPv6 related entries in this command.
    set incoming-ip6 {ipv6 address}   Restrict the explicit web proxy to only accept sessions from this IPv6 address. An interface must have this IPv6 address.
    set outgoing-ip6 {ipv6 address}   Outgoing HTTP requests will leave through this IPv6 address. Multiple interfaces can be specified. Interfaces must have these IPv6 addresses.
    set strict-guest {enable | disable}   Enable/disable strict guest user checking by the explicit web proxy.
    set pref-dns-result {ipv4 | ipv6}   Prefer resolving addresses using the configured IPv4 or IPv6 DNS server (default = ipv4).
            ipv4  Prefer the IPv4 DNS server.
            ipv6  Prefer the IPv6 DNS server.
    set unknown-http-version {reject | best-effort}   Either reject unknown HTTP traffic as malformed or handle unknown HTTP traffic as best as the proxy server can.
            reject       Reject requests with an unknown HTTP version.
            best-effort  Accept requests with an unknown HTTP version and use best efforts to handle the session.
    set realm {string}   Authentication realm used to identify the explicit web proxy (maximum of 63 characters). size[63]
    set sec-default-action {accept | deny}   Accept or deny explicit web proxy sessions when no web proxy firewall policy exists.
            accept  Accept requests. All explicit web proxy traffic is accepted whether there is an explicit web proxy policy or not.
            deny    Deny requests unless there is a matching explicit web proxy policy.
    set https-replacement-message {enable | disable}   Enable/disable sending the client a replacement message for HTTPS requests.
    set message-upon-server-error {enable | disable}   Enable/disable displaying a replacement message when a server error is detected.
    set pac-file-server-status {enable | disable}   Enable/disable Proxy Auto-Configuration (PAC) for users of this explicit proxy profile.
    set pac-file-url {string}   PAC file access URL.
    set pac-file-server-port {string}   Port number that PAC traffic from client web browsers uses to connect to the explicit web proxy (0 - 65535, default = 0; use the same as HTTP).
    set pac-file-name {string}   PAC file name. size[63]
    set pac-file-data {string}   PAC file contents enclosed in quotes (maximum of 256K bytes).
    config pac-policy
        edit {policyid}
        # PAC policies.
            set policyid {integer}   Policy ID. range[1-100]
            set status {enable | disable}   Enable/disable policy.
            config srcaddr
                edit {name}
                # Source address objects.
                    set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name,firewall.proxy-address.name,firewall.proxy-addrgrp.name
                next
            config srcaddr6
                edit {name}
                # Source address6 objects.
                    set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
                next
            config dstaddr
                edit {name}
                # Destination address objects.
                    set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
                next
            set pac-file-name {string}   PAC file name. size[63]
            set pac-file-data {string}   PAC file contents enclosed in quotes (maximum of 256K bytes).
            set comments {string}   Optional comments. size[1023]
        next
    set ssl-algorithm {high | medium | low}   Relative strength of encryption algorithms accepted in HTTPS deep scan: high, medium, or low.
            high    High encryption. Allow only AES and ChaCha.
            medium  Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
            low     Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
    set trace-auth-no-rsp {enable | disable}   Enable/disable logging timed-out authentication requests.
end

Additional information

The following section is for those options that require additional explanation.

append {outgoing-ip | outgoing-ip6} <ip-addresses>

Note: This entry is not available in Transparent mode.

Append IP addresses (IPv4 or IPv6) that outgoing HTTP requests will leave through. Note that an interface must have this IP address to be configured here.

status {enable | disable}

Enable or disable (by default) the explicit web proxy for HTTP and HTTPS sessions.

ftp-over-http {enable | disable}

Enable or disable (by default) the ability to proxy FTP sessions sent from a web browser. Once enabled, use the ftp-incoming-port entry to set the port on which FTP-over-HTTP requests will be accepted. Note that the explicit proxy only supports FTP from a web browser, not from a standalone FTP client.

socks {enable | disable}

Enable or disable (by default) the Socket Secure (SOCKS) proxy. Once enabled, use the socks-incoming-port entry to set the port number that SOCKS traffic from client web browsers will use to connect to the explicit proxy.

http-incoming-port <port>

Port number that HTTP traffic from client web browsers will use to connect to the explicit proxy. Set a value between 0 and 65535. The default is 8080. Note that explicit proxy users must configure their web browser's HTTP proxy settings to use this port.

https-incoming-port <port>

Port number that HTTPS traffic from client web browsers will use to connect to the explicit proxy. Set a value between 0 and 65535. The default is 0, meaning it will use the same port as HTTP. Note that explicit proxy users must configure their web browser's HTTPS proxy settings to use this port.

ftp-incoming-port <port>

Note: This entry is only available when ftp-over-http is set to enable.

Port number that FTP-over-HTTP traffic from client web browsers will use to connect to the explicit proxy. Set a value between 0 and 65535. The default is 0, meaning it will use the same port as HTTP. Note that explicit proxy users must configure their web browser's FTP proxy settings to use this port.

socks-incoming-port <port>

Note: This entry is only available when socks is set to enable.

Port number that SOCKS traffic from client web browsers will use to connect to the explicit proxy. Set a value between 0 and 65535. The default is 0, meaning it will use the same port as HTTP.

{incoming-ip | incoming-ip6} <ip-addresses>

Note: This entry is not available in Transparent mode.

IP address (IPv4 or IPv6) of a FortiGate interface that should accept sessions for the explicit web proxy. Use this entry to restrict the explicit web proxy to accepting sessions on only one FortiGate interface. The destination IP address of explicit web proxy sessions should match this IP address.

{outgoing-ip | outgoing-ip6} <ip-addresses>

Note: This entry is not available in Transparent mode.

IP addresses (IPv4 or IPv6) that outgoing HTTP requests will leave through. Note that an interface must have this IP address to be configured here. Multiple interfaces can be specified. This IP address becomes the source address of web proxy sessions exiting the FortiGate.

ipv6-status {enable | disable}

Enable or disable (by default) IPv6 web proxy functionality. Note that all entries in this command involving IPv6 are only available when ipv6-status is set to enable.

strict-guest {enable | disable}

Enable or disable (by default) strict guest user checking in the explicit proxy.

unknown-http-version {reject | best-effort}

Action to take when the proxy server handles an unknown HTTP version request or message:

  • reject: Treats the HTTP traffic as malformed and drops it (set by default; more secure option).
  • best-effort: Attempts to handle the HTTP traffic as best as it can.

realm <name>

Name of the authentication realm used to identify the explicit web proxy. The text string can be up to a maximum of 63 characters. If the realm's name includes spaces, enclose it in quotes. No special characters are permitted; only use alphanumeric characters. When a user authenticates with the explicit proxy, the HTTP authentication dialog includes the realm, so users can use the realm to identify the explicit web proxy.

sec-default-action {accept | deny}

Determines whether the explicit web proxy accepts or denies (by default) sessions if firewall policies have not been added for the explicit web proxy.

https-replacement-message {enable | disable}

Enable (by default) or disable the return of a replacement message for HTTPS requests.

message-upon-server-error {enable | disable}

Enable (by default) or disable the return of a replacement message upon server error detection.

pac-file-server-status {enable | disable}

Enable or disable (by default) Proxy Auto-Configuration (PAC) file server settings.

pac-file-server-port <port>

Note: This entry is only available when pac-file-server-status is set to enable.

Port number that PAC traffic from client web browsers will use to connect to the explicit proxy. Set a value between 0 and 65535. The default is 0, meaning it will use the same port as HTTP. Note that explicit proxy users must configure their web browser's PAC proxy settings to use this port.

pac-file-name <name>

Note: This entry is only available when pac-file-server-status is set to enable.

Name of the PAC file. The default is set to proxy.pac.

pac-file-data <file>

Note: This entry is only available when pac-file-server-status is set to enable.

Contents of the PAC file made available from the explicit proxy server for PAC support. Enclose the PAC file text in quotes. The maximum PAC file size is 8192 bytes. You can also copy the contents of a PAC text file and paste them into the CLI, so long as the pasted content is between two quotation marks. You can use any PAC file syntax that is supported by your users' browsers. The FortiGate does not parse the PAC file.

pac-file-url <url>

Note: This entry is only available to read when you enter get; you cannot use this entry to edit the PAC file URL. The PAC file URL is made up of the values entered in both pac-file-server-port and pac-file-name entries.

Displays the PAC file URL in the following format:

http://<interface-ip>:<pac-port>/<pac-name>

By default, <pac-port> references the value entered in the http-incoming-port entry (see above). However, it will instead reference the value entered in pac-file-server-port if it is changed from its default value. The <interface-ip> component of the URL is the interface of the explicit web proxy.

If the explicit web proxy is enabled on multiple interfaces there will be multiple PAC URLs. If you have configured an incoming-ip (see entry above) then only one PAC file URL is listed. This URL is to be distributed to PAC users.

ssl-algorithm {high | medium | low}

Relative strength of encryption accepted for deep scan:

  • high: Encryption allows AES and 3DES.
  • medium: Encryption allows AES, 3DES, and RC4.
  • low: Encryption allows AES, 3DES, RC4, and DES (set by default).

trace-auth-no-rsp {enable | disable}

Enable or disable (by default) tracing (or logging) of timed-out authentication requests.
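The following is an added example, not taken from the Fortinet reference: it ties the entries above together into an explicit proxy that listens on one interface only, denies sessions that match no explicit-proxy policy, raises ssl-algorithm from its default, and serves a different PAC file to guest clients through a pac-policy. The address object names, interface IP addresses, realm and PAC file bodies are constructed for illustration, and the PAC bodies use standard PAC functions that the FortiGate does not parse (the browser does).

```fortios
# Added example, not from the Fortinet reference page.
# Assumed prerequisites: the address objects below exist (constructed names),
# 10.10.0.1 is the address of the internal interface and 203.0.113.10 the
# address of the WAN interface on this FortiGate.
config firewall address
    edit "net_corp"
        set subnet 10.10.0.0 255.255.0.0
    next
    edit "net_guest"
        set subnet 10.20.0.0 255.255.0.0
    next
end

config web-proxy explicit
    # status must be enabled first; it unlocks the remaining entries.
    set status enable
    set http-incoming-port 8080
    # 0 = use the same port as HTTP for HTTPS proxy requests.
    set https-incoming-port 0
    # Accept proxy sessions only on the internal interface address.
    set incoming-ip 10.10.0.1
    # Source address of proxied sessions leaving the FortiGate.
    set outgoing-ip 203.0.113.10
    # Unknown HTTP versions are treated as malformed and dropped.
    set unknown-http-version reject
    # Without a matching explicit web proxy policy, sessions are denied.
    set sec-default-action deny
    set realm "Corporate Web Proxy"
    # Default is low (allows RC4 and DES); high restricts deep-scan ciphers.
    set ssl-algorithm high
    # Log authentication requests that time out without a response.
    set trace-auth-no-rsp enable
    # PAC server must be enabled before config pac-policy becomes available.
    set pac-file-server-status enable
    # 0 = PAC served on the HTTP port, so the URL is http://10.10.0.1:8080/proxy.pac
    set pac-file-server-port 0
    set pac-file-name "proxy.pac"
    # Default PAC: corporate hosts go direct, everything else via the proxy.
    set pac-file-data "function FindProxyForURL(url, host) { if (isPlainHostName(host) || dnsDomainIs(host, '.corp.example')) { return 'DIRECT'; } return 'PROXY 10.10.0.1:8080'; }"
    config pac-policy
        edit 1
            set status enable
            config srcaddr
                edit "net_guest"
                next
            end
            # Guests get a PAC with no direct exceptions.
            set pac-file-name "guest.pac"
            set pac-file-data "function FindProxyForURL(url, host) { return 'PROXY 10.10.0.1:8080'; }"
            set comments "Guest clients: all traffic through the explicit proxy"
        next
    end
end
```

Clients in net_corp receive the default proxy.pac, while clients in net_guest matching pac-policy 1 receive guest.pac; after committing, get web-proxy explicit shows the resulting pac-file-url for the single incoming-ip configured.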