Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.0
Download PDF
Copy Link

firewall proxy-policy

Use this command to configure proxy policies. These policies used to be referred to as explicit proxy policies.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set proxy {ssh | ssh-tunnel | ...}

New SSH explicit proxy types to support SSH proxy policy for SSH sessions, and access control for TCP/IP port forwarding traffic.

set proxy ssh

set srcaddr6 <src-addr6>

set dstaddr6 <dst-addr6>

When proxy is set to ssh, the IPv6 versions of the source or destination address options are available, as part of supporting SSH traffic through IPv6.
config firewall proxy-policy
    edit {policyid}
    # Configure proxy policies.
        set uuid {uuid}   Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        set policyid {integer}   Policy ID. range[0-4294967295]
        set proxy {option}   Type of explicit proxy.
                explicit-web     Explicit Web Proxy
                transparent-web  Transparent Web Proxy
                ftp              Explicit FTP Proxy
                ssh              SSH Proxy
                ssh-tunnel       SSH Tunnel
                wanopt           WANopt Tunnel
        config srcintf
            edit {name}
            # Source interface names.
                set name {string}   Interface name. size[64] - datasource(s): system.interface.name,system.zone.name
            next
        config dstintf
            edit {name}
            # Destination interface names.
                set name {string}   Interface name. size[64] - datasource(s): system.interface.name,system.zone.name
            next
        config srcaddr
            edit {name}
            # Source address objects.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name,firewall.proxy-address.name,firewall.proxy-addrgrp.name,system.external-resource.name
            next
        config poolname
            edit {name}
            # Name of IP pool object.
                set name {string}   IP pool name. size[64] - datasource(s): firewall.ippool.name
            next
        config dstaddr
            edit {name}
            # Destination address objects.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name,firewall.proxy-address.name,firewall.proxy-addrgrp.name,firewall.vip.name,firewall.vipgrp.name,firewall.vip46.name,firewall.vipgrp46.name,system.external-resource.name
            next
        set internet-service {enable | disable}   Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
        set internet-service-negate {enable | disable}   When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service.
        config internet-service-id
            edit {id}
            # Internet Service ID.
                set id {integer}   Internet Service ID. range[0-4294967295] - datasource(s): firewall.internet-service.id
            next
        config internet-service-custom
            edit {name}
            # Custom Internet Service name.
                set name {string}   Custom name. size[64] - datasource(s): firewall.internet-service-custom.name
            next
        config service
            edit {name}
            # Name of service objects.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set srcaddr-negate {enable | disable}   When enabled, source addresses match against any address EXCEPT the specified source addresses.
        set dstaddr-negate {enable | disable}   When enabled, destination addresses match against any address EXCEPT the specified destination addresses.
        set service-negate {enable | disable}   When enabled, services match against any service EXCEPT the specified destination services.
        set action {accept | deny | redirect}   Accept or deny traffic matching the policy parameters.
                accept    Action accept.
                deny      Action deny.
                redirect  Action redirect.
        set status {enable | disable}   Enable/disable the active status of the policy.
        set schedule {string}   Name of schedule object. size[35] - datasource(s): firewall.schedule.onetime.name,firewall.schedule.recurring.name,firewall.schedule.group.name
        set logtraffic {all | utm | disable}   Enable/disable logging traffic through the policy.
                all      Log all sessions.
                utm      UTM event and matched application traffic log.
                disable  Disable traffic and application log.
        set session-ttl {integer}   TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL). range[300-604800]
        config srcaddr6
            edit {name}
            # IPv6 source address objects.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name,system.external-resource.name
            next
        config dstaddr6
            edit {name}
            # IPv6 destination address objects.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name,firewall.vip6.name,firewall.vipgrp6.name,firewall.vip64.name,firewall.vipgrp64.name,system.external-resource.name
            next
        config groups
            edit {name}
            # Names of group objects.
                set name {string}   Group name. size[64] - datasource(s): user.group.name
            next
        config users
            edit {name}
            # Names of user objects.
                set name {string}   Group name. size[64] - datasource(s): user.local.name
            next
        set http-tunnel-auth {enable | disable}   Enable/disable HTTP tunnel authentication.
        set webproxy-forward-server {string}   Name of web proxy forward server. size[63] - datasource(s): web-proxy.forward-server.name,web-proxy.forward-server-group.name
        set webproxy-profile {string}   Name of web proxy profile. size[63] - datasource(s): web-proxy.profile.name
        set transparent {enable | disable}   Enable to use the IP address of the client to connect to the server.
        set webcache {enable | disable}   Enable/disable web caching.
        set webcache-https {disable | enable}   Enable/disable web caching for HTTPS (Requires deep-inspection enabled in ssl-ssh-profile).
        set disclaimer {disable | domain | policy | user}   Web proxy disclaimer setting: by domain, policy, or user.
                disable  Disable disclaimer.
                domain   Display disclaimer for domain
                policy   Display disclaimer for policy
                user     Display disclaimer for current user
        set utm-status {enable | disable}   Enable the use of UTM profiles/sensors/lists.
        set profile-type {single | group}   Determine whether the firewall policy allows security profile groups or single profiles only.
                single  Do not allow security profile groups.
                group   Allow security profile groups.
        set profile-group {string}   Name of profile group. size[35] - datasource(s): firewall.profile-group.name
        set av-profile {string}   Name of an existing Antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile {string}   Name of an existing Web filter profile. size[35] - datasource(s): webfilter.profile.name
        set spamfilter-profile {string}   Name of an existing Spam filter profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor {string}   Name of an existing DLP sensor. size[35] - datasource(s): dlp.sensor.name
        set ips-sensor {string}   Name of an existing IPS sensor. size[35] - datasource(s): ips.sensor.name
        set application-list {string}   Name of an existing Application list. size[35] - datasource(s): application.list.name
        set icap-profile {string}   Name of an existing ICAP profile. size[35] - datasource(s): icap.profile.name
        set waf-profile {string}   Name of an existing Web application firewall profile. size[35] - datasource(s): waf.profile.name
        set ssh-filter-profile {string}   Name of an existing SSH filter profile. size[35] - datasource(s): ssh-filter.profile.name
        set profile-protocol-options {string}   Name of an existing Protocol options profile. size[35] - datasource(s): firewall.profile-protocol-options.name
        set ssl-ssh-profile {string}   Name of an existing SSL SSH profile. size[35] - datasource(s): firewall.ssl-ssh-profile.name
        set replacemsg-override-group {string}   Authentication replacement message override group. size[35] - datasource(s): system.replacemsg-group.name
        set logtraffic-start {enable | disable}   Enable/disable policy log traffic start.
        set label {string}   VDOM-specific GUI visible label. size[63]
        set global-label {string}   Global web-based manager visible label. size[63]
        set scan-botnet-connections {disable | block | monitor}   Enable/disable scanning of connections to Botnet servers.
                disable  Do not scan connections to botnet servers.
                block    Block connections to botnet servers.
                monitor  Log connections to botnet servers.
        set comments {string}   Optional comments. size[1023]
        set redirect-url {string}   Redirect URL for further explicit web proxy processing. size[1023]
    next
end

Additional information

The following section is for those options that require additional explanation.

firewall proxy-policy

Use this command to configure proxy policies. These policies used to be referred to as explicit proxy policies.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set proxy {ssh | ssh-tunnel | ...}

New SSH explicit proxy types to support SSH proxy policy for SSH sessions, and access control for TCP/IP port forwarding traffic.

set proxy ssh

set srcaddr6 <src-addr6>

set dstaddr6 <dst-addr6>

When proxy is set to ssh, the IPv6 versions of the source or destination address options are available, as part of supporting SSH traffic through IPv6.
config firewall proxy-policy
    edit {policyid}
    # Configure proxy policies.
        set uuid {uuid}   Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        set policyid {integer}   Policy ID. range[0-4294967295]
        set proxy {option}   Type of explicit proxy.
                explicit-web     Explicit Web Proxy
                transparent-web  Transparent Web Proxy
                ftp              Explicit FTP Proxy
                ssh              SSH Proxy
                ssh-tunnel       SSH Tunnel
                wanopt           WANopt Tunnel
        config srcintf
            edit {name}
            # Source interface names.
                set name {string}   Interface name. size[64] - datasource(s): system.interface.name,system.zone.name
            next
        config dstintf
            edit {name}
            # Destination interface names.
                set name {string}   Interface name. size[64] - datasource(s): system.interface.name,system.zone.name
            next
        config srcaddr
            edit {name}
            # Source address objects.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name,firewall.proxy-address.name,firewall.proxy-addrgrp.name,system.external-resource.name
            next
        config poolname
            edit {name}
            # Name of IP pool object.
                set name {string}   IP pool name. size[64] - datasource(s): firewall.ippool.name
            next
        config dstaddr
            edit {name}
            # Destination address objects.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name,firewall.proxy-address.name,firewall.proxy-addrgrp.name,firewall.vip.name,firewall.vipgrp.name,firewall.vip46.name,firewall.vipgrp46.name,system.external-resource.name
            next
        set internet-service {enable | disable}   Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
        set internet-service-negate {enable | disable}   When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service.
        config internet-service-id
            edit {id}
            # Internet Service ID.
                set id {integer}   Internet Service ID. range[0-4294967295] - datasource(s): firewall.internet-service.id
            next
        config internet-service-custom
            edit {name}
            # Custom Internet Service name.
                set name {string}   Custom name. size[64] - datasource(s): firewall.internet-service-custom.name
            next
        config service
            edit {name}
            # Name of service objects.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set srcaddr-negate {enable | disable}   When enabled, source addresses match against any address EXCEPT the specified source addresses.
        set dstaddr-negate {enable | disable}   When enabled, destination addresses match against any address EXCEPT the specified destination addresses.
        set service-negate {enable | disable}   When enabled, services match against any service EXCEPT the specified destination services.
        set action {accept | deny | redirect}   Accept or deny traffic matching the policy parameters.
                accept    Action accept.
                deny      Action deny.
                redirect  Action redirect.
        set status {enable | disable}   Enable/disable the active status of the policy.
        set schedule {string}   Name of schedule object. size[35] - datasource(s): firewall.schedule.onetime.name,firewall.schedule.recurring.name,firewall.schedule.group.name
        set logtraffic {all | utm | disable}   Enable/disable logging traffic through the policy.
                all      Log all sessions.
                utm      UTM event and matched application traffic log.
                disable  Disable traffic and application log.
        set session-ttl {integer}   TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL). range[300-604800]
        config srcaddr6
            edit {name}
            # IPv6 source address objects.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name,system.external-resource.name
            next
        config dstaddr6
            edit {name}
            # IPv6 destination address objects.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name,firewall.vip6.name,firewall.vipgrp6.name,firewall.vip64.name,firewall.vipgrp64.name,system.external-resource.name
            next
        config groups
            edit {name}
            # Names of group objects.
                set name {string}   Group name. size[64] - datasource(s): user.group.name
            next
        config users
            edit {name}
            # Names of user objects.
                set name {string}   Group name. size[64] - datasource(s): user.local.name
            next
        set http-tunnel-auth {enable | disable}   Enable/disable HTTP tunnel authentication.
        set webproxy-forward-server {string}   Name of web proxy forward server. size[63] - datasource(s): web-proxy.forward-server.name,web-proxy.forward-server-group.name
        set webproxy-profile {string}   Name of web proxy profile. size[63] - datasource(s): web-proxy.profile.name
        set transparent {enable | disable}   Enable to use the IP address of the client to connect to the server.
        set webcache {enable | disable}   Enable/disable web caching.
        set webcache-https {disable | enable}   Enable/disable web caching for HTTPS (Requires deep-inspection enabled in ssl-ssh-profile).
        set disclaimer {disable | domain | policy | user}   Web proxy disclaimer setting: by domain, policy, or user.
                disable  Disable disclaimer.
                domain   Display disclaimer for domain
                policy   Display disclaimer for policy
                user     Display disclaimer for current user
        set utm-status {enable | disable}   Enable the use of UTM profiles/sensors/lists.
        set profile-type {single | group}   Determine whether the firewall policy allows security profile groups or single profiles only.
                single  Do not allow security profile groups.
                group   Allow security profile groups.
        set profile-group {string}   Name of profile group. size[35] - datasource(s): firewall.profile-group.name
        set av-profile {string}   Name of an existing Antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile {string}   Name of an existing Web filter profile. size[35] - datasource(s): webfilter.profile.name
        set spamfilter-profile {string}   Name of an existing Spam filter profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor {string}   Name of an existing DLP sensor. size[35] - datasource(s): dlp.sensor.name
        set ips-sensor {string}   Name of an existing IPS sensor. size[35] - datasource(s): ips.sensor.name
        set application-list {string}   Name of an existing Application list. size[35] - datasource(s): application.list.name
        set icap-profile {string}   Name of an existing ICAP profile. size[35] - datasource(s): icap.profile.name
        set waf-profile {string}   Name of an existing Web application firewall profile. size[35] - datasource(s): waf.profile.name
        set ssh-filter-profile {string}   Name of an existing SSH filter profile. size[35] - datasource(s): ssh-filter.profile.name
        set profile-protocol-options {string}   Name of an existing Protocol options profile. size[35] - datasource(s): firewall.profile-protocol-options.name
        set ssl-ssh-profile {string}   Name of an existing SSL SSH profile. size[35] - datasource(s): firewall.ssl-ssh-profile.name
        set replacemsg-override-group {string}   Authentication replacement message override group. size[35] - datasource(s): system.replacemsg-group.name
        set logtraffic-start {enable | disable}   Enable/disable policy log traffic start.
        set label {string}   VDOM-specific GUI visible label. size[63]
        set global-label {string}   Global web-based manager visible label. size[63]
        set scan-botnet-connections {disable | block | monitor}   Enable/disable scanning of connections to Botnet servers.
                disable  Do not scan connections to botnet servers.
                block    Block connections to botnet servers.
                monitor  Log connections to botnet servers.
        set comments {string}   Optional comments. size[1023]
        set redirect-url {string}   Redirect URL for further explicit web proxy processing. size[1023]
    next
end

Additional information

The following section is for those options that require additional explanation.