CLI Reference

web-proxy global

Use this command to configure global web proxy settings that control how the web proxy functions and handles web traffic. Typically, you should not have to change the default settings of this command. Also, if your FortiGate is operating with multiple VDOMS, these settings affect all VDOMs.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command                                 Description
set max-waf-body-cache-length <kb>      Default value for this option has been changed from 100 KB to 32 KB.

config web-proxy global
    set fast-policy-match {enable | disable}   Enable/disable fast matching algorithm for explicit and transparent proxy policy.
    set proxy-fqdn {string}   Fully Qualified Domain Name (FQDN) that clients connect to (default = default.fqdn) to connect to the explicit web proxy. size[255]
    set max-request-length {integer}   Maximum length of HTTP request line (2 - 64 Kbytes, default = 8). range[2-64]
    set max-message-length {integer}   Maximum length of HTTP message, not including body (16 - 256 Kbytes, default = 32). range[16-256]
    set strict-web-check {enable | disable}   Enable/disable strict web checking to block web sites that send incorrect headers that don't conform to HTTP 1.1.
    set forward-proxy-auth {enable | disable}   Enable/disable forwarding proxy authentication headers.
    set tunnel-non-http {enable | disable}   Enable/disable allowing non-HTTP traffic. Allowed non-HTTP traffic is tunneled.
    set unknown-http-version {reject | tunnel | best-effort}   Action to take when an unknown version of HTTP is encountered: reject, allow (tunnel), or proceed with best-effort.
            reject       Rejects requests with unknown HTTP version.
            tunnel       Tunnels requests with unknown HTTP version.
            best-effort  Allow unknown HTTP requests and process them using best efforts.
    set forward-server-affinity-timeout {integer}   Period of time before the source IP's traffic is no longer assigned to the forwarding server (6 - 60 min, default = 30). range[6-60]
    set max-waf-body-cache-length {integer}   Maximum length of HTTP messages processed by Web Application Firewall (WAF) (10 - 1024 Kbytes, default = 32). range[10-1024]
    set webproxy-profile {string}   Name of the web proxy profile to apply when explicit proxy traffic is allowed by default and traffic is accepted that does not match an explicit proxy policy. size[63] - datasource(s): web-proxy.profile.name
    set learn-client-ip {enable | disable}   Enable/disable learning the client's IP address from headers.
    set learn-client-ip-from-header {true-client-ip | x-real-ip | x-forwarded-for}   Learn client IP address from the specified headers.
            true-client-ip   Learn the client IP address from the True-Client-IP header.
            x-real-ip        Learn the client IP address from the X-Real-IP header.
            x-forwarded-for  Learn the client IP address from the X-Forwarded-For header.
    config learn-client-ip-srcaddr
        edit {name}
        # Source address name (srcaddr or srcaddr6 must be set).
            set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
        next
    config learn-client-ip-srcaddr6
        edit {name}
        # IPv6 Source address name (srcaddr or srcaddr6 must be set).
            set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        next
end

Additional information

The following section is for those options that require additional explanation.

proxy-fqdn <fqdn>

Fully qualified domain name that clients use to connect to the explicit web proxy. The default is default.fqdn.

max-request-length <kb>

Maximum length in kilobytes (kB) of the HTTP request line. Set the value between 2-64. The default is set to 4.

max-message-length <kb>

Maximum length in kB of the HTTP message, not including the body. Set the value between 16-256. The default is set to 32.

strict-web-check {enable | disable}

Enable or disable (by default) the blocking of web sites that send incorrect headers that don't conform to HTTP 1.1 (see RFC 2616 for more information). Enabling this option may block some commonly used websites.

forward-proxy-auth {enable | disable}

Enable or disable (by default) the forwarding of proxy authentication headers. Note that this option is only practical when in explicit mode, because proxy authentication headers are always forwarded when in transparent mode. By default, in explicit mode, proxy authentication headers are blocked by the explicit web proxy. Therefore, enable this entry if you need to allow proxy authentication through the explicit web proxy.

tunnel-non-http {enable | disable}

Enable (the default) or disable allowing non-HTTP traffic through the proxy. Allowed non-HTTP traffic is tunneled rather than inspected.

unknown-http-version {reject | tunnel | best-effort}

Action to take when an unknown version of HTTP is encountered. Unknown HTTP sessions are those that do not comply with HTTP 0.9, 1.0, or 1.1.

  • reject: Rejects requests with unknown HTTP version.
  • tunnel: Tunnels requests with unknown HTTP version.
  • best-effort: Proceeds with best effort (set by default).
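The following Python model, added here as an illustration and not FortiOS code, shows how the max-request-length limit and the three unknown-http-version actions combine when a proxy classifies a single request line. The WebProxyGlobal class, the classify_request_line function and the sample request lines are all constructed for this example; the defaults (8 kB, best-effort) and the set of known versions (0.9, 1.0, 1.1) come from the page.

```python
import re
from dataclasses import dataclass

# Versions the proxy treats as known. HTTP/0.9 has no version token at all,
# so it is recognised by the absence of one rather than by a string match.
KNOWN_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}

# method SP request-target [SP HTTP-version]; the version is optional for HTTP/0.9.
REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+)(?: (HTTP/\d+\.\d+))?$")


@dataclass(frozen=True)
class WebProxyGlobal:
    """Hypothetical model of the two settings exercised here (not a FortiOS API)."""
    max_request_length_kb: int = 8              # page default for max-request-length
    unknown_http_version: str = "best-effort"   # reject | tunnel | best-effort


def _unknown_version_action(cfg: WebProxyGlobal) -> str:
    if cfg.unknown_http_version == "reject":
        return "reject:unknown-http-version"
    if cfg.unknown_http_version == "tunnel":
        return "tunnel:unknown-http-version"
    return "proceed:best-effort"


def classify_request_line(line: bytes, cfg: WebProxyGlobal) -> str:
    """Return the proxy's decision for one raw request line as "<action>:<reason>",
    where action is reject, tunnel or proceed."""
    if cfg.unknown_http_version not in ("reject", "tunnel", "best-effort"):
        raise ValueError(f"bad unknown-http-version: {cfg.unknown_http_version}")

    # The length limit is applied to the raw bytes before any parsing, so an
    # oversized line is dropped whatever it contains.
    if len(line) > cfg.max_request_length_kb * 1024:
        return "reject:request-line-too-long"

    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    match = REQUEST_LINE_RE.match(text)
    if match is None:
        # Not even method/target shaped (binary, TLS records, garbage): the
        # version is unknown, so the configured action decides.
        return _unknown_version_action(cfg)

    version = match.group(3)
    if version is None:
        # HTTP/0.9 "simple request": method and target only.
        return "proceed:HTTP/0.9"
    if version in KNOWN_VERSIONS:
        return f"proceed:{version}"
    return _unknown_version_action(cfg)


if __name__ == "__main__":
    # Constructed sample lines, not captured traffic.
    samples = [
        b"GET /index.html HTTP/1.1\r\n",
        b"GET /legacy\r\n",
        b"PRI * HTTP/2.0\r\n",
        b"\x16\x03\x01\x02\x00",
        b"GET /" + b"a" * 9000 + b" HTTP/1.1\r\n",
    ]
    for action in ("reject", "tunnel", "best-effort"):
        cfg = WebProxyGlobal(unknown_http_version=action)
        for sample in samples:
            print(f"{action:11} {sample[:24]!r:32} -> {classify_request_line(sample, cfg)}")
```

The model makes the trade-off visible: with best-effort (the default) a non-HTTP or HTTP/2 request line is still passed along, which maximises compatibility; reject gives the strictest behaviour; tunnel forwards the session without HTTP-level inspection. The length check fires first in every mode, so raising max-request-length widens what reaches the parser.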

forward-server-affinity-timeout <minutes>

Period of time in minutes before the source IP's traffic will no longer be assigned to the forward server. Set the value between 6-60 (or six minutes to one hour). The default is set to 30.

max-waf-body-cache-length <kb>

Maximum length in KB of the HTTP message processed by the Web Application Firewall (WAF). Set the value between 10-1024 (or 10 KB to just over 1 MB). The default is set to 32.

webproxy-profile <name>

Web proxy profile name.

learn-client-ip {enable | disable}

Enable or disable (by default) the learning of client IP addresses from headers.
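The following Python model, added here as an illustration and not FortiOS code, shows why learn-client-ip is paired with the learn-client-ip-srcaddr / learn-client-ip-srcaddr6 lists: the client address read from a True-Client-IP, X-Real-IP or X-Forwarded-For header is only as trustworthy as the peer that sent it, so the header is consulted only when the connecting peer falls inside a trusted source address and the value parses as an IP address. The LearnClientIpConfig class, the learn_client_ip function, the trusted networks and the header values are all constructed for this example; taking the leftmost X-Forwarded-For entry is an assumption of the model, not something the page specifies.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

# Header names in the order the page lists them for learn-client-ip-from-header.
DEFAULT_HEADERS = ("true-client-ip", "x-real-ip", "x-forwarded-for")


@dataclass(frozen=True)
class LearnClientIpConfig:
    """Hypothetical model of learn-client-ip and its srcaddr restriction (not a FortiOS API)."""
    enabled: bool = False                       # learn-client-ip, disabled by default
    headers: Tuple[str, ...] = DEFAULT_HEADERS  # learn-client-ip-from-header selection
    trusted_srcaddr: Tuple[str, ...] = ()       # CIDRs standing in for srcaddr/srcaddr6 entries


def _peer_is_trusted(peer: str, cfg: LearnClientIpConfig) -> bool:
    addr = ipaddress.ip_address(peer)
    # A v4 address is never "in" a v6 network and vice versa, so mixed lists are safe.
    return any(addr in ipaddress.ip_network(net, strict=False) for net in cfg.trusted_srcaddr)


def learn_client_ip(peer: str, headers: Dict[str, str], cfg: LearnClientIpConfig) -> Tuple[str, str]:
    """Return (client_ip, source) where source is "peer" or the header the value came from."""
    # The page requires srcaddr or srcaddr6 to be set; with nothing trusted, nothing is learned.
    if not cfg.enabled or not cfg.trusted_srcaddr or not _peer_is_trusted(peer, cfg):
        return peer, "peer"

    lowered = {name.lower(): value for name, value in headers.items()}
    for name in cfg.headers:
        value = lowered.get(name)
        if not value:
            continue
        # X-Forwarded-For is a comma-separated chain; this model takes the leftmost
        # entry (assumption). The other two headers carry a single address.
        candidate = value.split(",")[0].strip()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue  # malformed value: try the next configured header
        return candidate, name
    return peer, "peer"


if __name__ == "__main__":
    # Constructed values: 10.0.0.0/8 stands in for a trusted upstream proxy range.
    cfg = LearnClientIpConfig(enabled=True, trusted_srcaddr=("10.0.0.0/8", "2001:db8::/32"))
    print(learn_client_ip("10.1.1.1", {"X-Forwarded-For": "203.0.113.5, 10.1.1.1"}, cfg))
    print(learn_client_ip("198.51.100.7", {"X-Forwarded-For": "203.0.113.5"}, cfg))
    print(learn_client_ip("2001:db8::1", {"True-Client-IP": "192.0.2.9"}, cfg))
    print(learn_client_ip("10.1.1.1", {"X-Real-IP": "not-an-ip"}, cfg))
```

The second print is the case the srcaddr lists exist for: a peer outside the trusted range supplies an X-Forwarded-For header, and the proxy keeps the real peer address instead of the claimed one. Logging the `source` element of the result lets policy and audit records show whether an address was observed or learned.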