firewall proxy-policy
Use this command to configure proxy policies. These policies used to be referred to as explicit proxy policies.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.
Command | Description |
---|---|
`set proxy {ssh \| ssh-tunnel \| ...}` | New SSH explicit proxy types (`ssh`, `ssh-tunnel`) to support SSH proxy policies for SSH sessions, and access control for TCP/IP port-forwarding traffic. |
`set proxy ssh`, then `set srcaddr6 <src-addr6>` and `set dstaddr6 <dst-addr6>` | When `proxy` is set to `ssh`, the IPv6 versions of the source and destination address options become available, as part of supporting SSH traffic over IPv6. |
```
config firewall proxy-policy
    edit {policyid}
    # Configure proxy policies.
        set uuid {uuid}   Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        set policyid {integer}   Policy ID. range[0-4294967295]
        set proxy {option}   Type of explicit proxy.
                explicit-web      Explicit Web Proxy
                transparent-web   Transparent Web Proxy
                ftp               Explicit FTP Proxy
                ssh               SSH Proxy
                ssh-tunnel        SSH Tunnel
                wanopt            WANopt Tunnel
        config srcintf
            edit {name}
            # Source interface names.
                set name {string}   Interface name. size[64] - datasource(s): system.interface.name,system.zone.name
            next
        config dstintf
            edit {name}
            # Destination interface names.
                set name {string}   Interface name. size[64] - datasource(s): system.interface.name,system.zone.name
            next
        config srcaddr
            edit {name}
            # Source address objects.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name,firewall.proxy-address.name,firewall.proxy-addrgrp.name,system.external-resource.name
            next
        config poolname
            edit {name}
            # Name of IP pool object.
                set name {string}   IP pool name. size[64] - datasource(s): firewall.ippool.name
            next
        config dstaddr
            edit {name}
            # Destination address objects.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name,firewall.proxy-address.name,firewall.proxy-addrgrp.name,firewall.vip.name,firewall.vipgrp.name,firewall.vip46.name,firewall.vipgrp46.name,system.external-resource.name
            next
        set internet-service {enable | disable}   Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
        set internet-service-negate {enable | disable}   When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service.
        config internet-service-id
            edit {id}
            # Internet Service ID.
                set id {integer}   Internet Service ID. range[0-4294967295] - datasource(s): firewall.internet-service.id
            next
        config internet-service-custom
            edit {name}
            # Custom Internet Service name.
                set name {string}   Custom name. size[64] - datasource(s): firewall.internet-service-custom.name
            next
        config service
            edit {name}
            # Name of service objects.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set srcaddr-negate {enable | disable}   When enabled, source addresses match against any address EXCEPT the specified source addresses.
        set dstaddr-negate {enable | disable}   When enabled, destination addresses match against any address EXCEPT the specified destination addresses.
        set service-negate {enable | disable}   When enabled, services match against any service EXCEPT the specified destination services.
        set action {accept | deny | redirect}   Accept, deny, or redirect traffic matching the policy parameters.
                accept     Action accept.
                deny       Action deny.
                redirect   Action redirect.
        set status {enable | disable}   Enable/disable the active status of the policy.
        set schedule {string}   Name of schedule object. size[35] - datasource(s): firewall.schedule.onetime.name,firewall.schedule.recurring.name,firewall.schedule.group.name
        set logtraffic {all | utm | disable}   Enable/disable logging traffic through the policy.
                all       Log all sessions.
                utm       UTM event and matched application traffic log.
                disable   Disable traffic and application log.
        set session-ttl {integer}   TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL). range[300-604800]
        config srcaddr6
            edit {name}
            # IPv6 source address objects.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name,system.external-resource.name
            next
        config dstaddr6
            edit {name}
            # IPv6 destination address objects.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name,firewall.vip6.name,firewall.vipgrp6.name,firewall.vip64.name,firewall.vipgrp64.name,system.external-resource.name
            next
        config groups
            edit {name}
            # Names of group objects.
                set name {string}   Group name. size[64] - datasource(s): user.group.name
            next
        config users
            edit {name}
            # Names of user objects.
                set name {string}   User name. size[64] - datasource(s): user.local.name
            next
        set http-tunnel-auth {enable | disable}   Enable/disable HTTP tunnel authentication.
        set webproxy-forward-server {string}   Name of web proxy forward server. size[63] - datasource(s): web-proxy.forward-server.name,web-proxy.forward-server-group.name
        set webproxy-profile {string}   Name of web proxy profile. size[63] - datasource(s): web-proxy.profile.name
        set transparent {enable | disable}   Enable to use the IP address of the client to connect to the server.
        set webcache {enable | disable}   Enable/disable web caching.
        set webcache-https {disable | enable}   Enable/disable web caching for HTTPS (requires deep inspection enabled in the ssl-ssh-profile).
        set disclaimer {disable | domain | policy | user}   Web proxy disclaimer setting: by domain, policy, or user.
                disable   Disable disclaimer.
                domain    Display disclaimer for domain.
                policy    Display disclaimer for policy.
                user      Display disclaimer for current user.
        set utm-status {enable | disable}   Enable the use of UTM profiles/sensors/lists.
        set profile-type {single | group}   Determine whether the firewall policy allows security profile groups or single profiles only.
                single   Do not allow security profile groups.
                group    Allow security profile groups.
        set profile-group {string}   Name of profile group. size[35] - datasource(s): firewall.profile-group.name
        set av-profile {string}   Name of an existing Antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile {string}   Name of an existing Web filter profile. size[35] - datasource(s): webfilter.profile.name
        set spamfilter-profile {string}   Name of an existing Spam filter profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor {string}   Name of an existing DLP sensor. size[35] - datasource(s): dlp.sensor.name
        set ips-sensor {string}   Name of an existing IPS sensor. size[35] - datasource(s): ips.sensor.name
        set application-list {string}   Name of an existing Application list. size[35] - datasource(s): application.list.name
        set icap-profile {string}   Name of an existing ICAP profile. size[35] - datasource(s): icap.profile.name
        set waf-profile {string}   Name of an existing Web application firewall profile. size[35] - datasource(s): waf.profile.name
        set ssh-filter-profile {string}   Name of an existing SSH filter profile. size[35] - datasource(s): ssh-filter.profile.name
        set profile-protocol-options {string}   Name of an existing Protocol options profile. size[35] - datasource(s): firewall.profile-protocol-options.name
        set ssl-ssh-profile {string}   Name of an existing SSL SSH profile. size[35] - datasource(s): firewall.ssl-ssh-profile.name
        set replacemsg-override-group {string}   Authentication replacement message override group. size[35] - datasource(s): system.replacemsg-group.name
        set logtraffic-start {enable | disable}   Enable/disable policy log traffic start.
        set label {string}   VDOM-specific GUI visible label. size[63]
        set global-label {string}   Global web-based manager visible label. size[63]
        set scan-botnet-connections {disable | block | monitor}   Enable/disable scanning of connections to Botnet servers.
                disable   Do not scan connections to botnet servers.
                block     Block connections to botnet servers.
                monitor   Log connections to botnet servers.
        set comments {string}   Optional comments. size[1023]
        set redirect-url {string}   Redirect URL for further explicit web proxy processing. size[1023]
    next
end
```
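An added configuration example, not from the original reference, showing how the options above combine in practice: an explicit web proxy policy that requires group authentication and applies security profiles, an SSH proxy policy that uses the IPv6 address options introduced in 6.0, and a final deny policy that logs anything else arriving at the proxy. Interface names (`port2`, `port1`), the address, address6, user group and profile names (`LAN_subnet`, `LAN_v6`, `Employees`, `Webfilter-Standard`, `AV-Default`, `SSH-Block-Forwarding`) are assumptions for illustration; `webproxy`, `SSH`, `always` and `deep-inspection` are predefined objects. The explicit web proxy itself must already be enabled under `config web-proxy explicit` for the `explicit-web` policies to receive traffic.

```text
# Assumed prerequisite: the explicit web proxy is listening (port 8080 is the default).
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
end

config firewall proxy-policy
    # 1. Authenticated employees may browse through the proxy, with inspection.
    #    Listing a user group forces authentication before the session is accepted.
    edit 1
        set proxy explicit-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "Employees"
        set utm-status enable
        set profile-type single
        set av-profile "AV-Default"
        set webfilter-profile "Webfilter-Standard"
        set ssl-ssh-profile "deep-inspection"
        set webcache enable
        set webcache-https enable
        set comments "Authenticated employees to Internet via explicit web proxy"
    next
    # 2. SSH proxy over IPv6: the srcaddr6/dstaddr6 options are only available
    #    once proxy is set to ssh. The SSH filter profile is where port-forwarding
    #    and other channel types are allowed or blocked.
    edit 2
        set proxy ssh
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr6 "LAN_v6"
        set dstaddr6 "all"
        set service "SSH"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set ssh-filter-profile "SSH-Block-Forwarding"
        set ssl-ssh-profile "deep-inspection"
        set comments "SSH sessions from the IPv6 LAN, inspected by the SSH proxy"
    next
    # 3. Catch-all deny with full logging, so unauthenticated or out-of-scope
    #    attempts to use the proxy show up in the traffic log.
    edit 3
        set proxy explicit-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action deny
        set schedule "always"
        set logtraffic all
        set comments "Log and deny anything not matched above"
    next
end
```

Proxy policies are matched top-down, so the deny entry must stay last; `show firewall proxy-policy` prints the resulting entries in their match order. Two settings deserve a second look before committing: `webcache-https` only works with a deep-inspection SSL/SSH profile (the reference notes this), and `transparent` makes the FortiGate connect upstream using the client's own IP address, which is convenient for server-side logging but only works when the return path for those client addresses routes back through the FortiGate.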
Additional information
The following section is for those options that require additional explanation.