Fortinet Document Library

Cookbook

6.2.0

Proxy policy addresses

Proxy addresses are designed to be used only by proxy policies. The following address types are available:

Fast policy match

The fast policy match function improves the performance of IPv4 explicit and transparent web proxies on FortiGate devices.

When enabled, after the proxy policies are configured, the FortiGate builds a fast searching table based on the different proxy policy matching criteria. When fast policy matching is disabled, web proxy traffic is compared to the policies one at a time from the beginning of the policy list.

Fast policy matching is enabled by default, and can be configured with the following CLI command:

config web-proxy global
    set fast-policy-match {enable | disable}
end

Host regex match

In this address type, a user can create a hostname as a regular expression. Once created, the hostname address can be selected on the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the regular expression.

This example creates a host regex match address with the pattern qa.[a-z]*.com.

To create a host regex match address in the GUI:
  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to Host Regex,
    • Type to Host Regex Match, and
    • Host Regex Pattern to qa.[a-z]*.com.

  4. Click OK.
To create a host regex match address in the CLI:
config firewall proxy-address
    edit "Host Regex"
        set uuid 8e374390-57c9-51e9-9353-ee4469629df8
        set type host-regex
        set host-regex "qa.[a-z]*.com"
    next
end
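
The following is an added example, not part of the Fortinet documentation: it probes the page's pattern qa.[a-z]*.com against constructed hostnames to show what the unescaped dots and missing anchors let through. Python's re module is used as a stand-in, and because the page does not state whether FortiOS matches the whole hostname or any substring, both behaviours are shown; the hostnames and helper names are assumptions.

```python
import re

# Pattern from the page's host regex example.
PAGE_PATTERN = "qa.[a-z]*.com"

# Constructed hostnames (not from the page) used to probe the pattern.
SAMPLE_HOSTS = [
    "qa.lab.com",                # intended match
    "qa.com",                    # no middle label
    "qaxlabxcom",                # dots replaced by letters
    "qa.lab.com.other.example",  # intended name used as a prefix
    "www.qa.lab.com",            # intended name used as a suffix
    "qa.lab.org",                # different TLD
]

def unescaped_dots(pattern):
    """Return indexes of '.' that act as 'any character' wildcards."""
    hits, in_class, i = [], False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 2          # skip the backslash and the escaped character
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        elif ch == "." and not in_class:
            hits.append(i)  # a dot inside [...] is already literal
        i += 1
    return hits

def harden(pattern):
    """Escape wildcard dots and anchor the pattern at both ends."""
    dots = set(unescaped_dots(pattern))
    body = "".join("\\." if i in dots else c for i, c in enumerate(pattern))
    return "^" + body + "$"

def matches(pattern, hosts, anchored=False):
    """Hosts matched under substring (search) or whole-string semantics."""
    rx = re.compile(pattern)
    test = rx.fullmatch if anchored else rx.search
    return [h for h in hosts if test(h)]

if __name__ == "__main__":
    print("wildcard dots at:", unescaped_dots(PAGE_PATTERN))
    print("substring match :", matches(PAGE_PATTERN, SAMPLE_HOSTS))
    print("whole-string    :", matches(PAGE_PATTERN, SAMPLE_HOSTS, anchored=True))
    print("hardened pattern:", harden(PAGE_PATTERN))
    print("hardened match  :", matches(harden(PAGE_PATTERN), SAMPLE_HOSTS))
```

Before relying on a host regex in an allow policy, confirm the device's actual matching behaviour with test requests for hostnames like these.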

URL pattern

In this address type, a user can create a URL path as a regular expression. Once created, the path address can be selected in the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the regular expression.

This example creates a URL pattern address with the pattern /filetypes/.

To create a URL pattern address in the GUI:
  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to URL Regex,
    • Type to URL Pattern,
    • Host to all, and
    • URL Path Regex to /filetypes/.

  4. Click OK.
To create a URL pattern address in the CLI:
config firewall proxy-address
    edit "URL Regex"
        set uuid 267dc8e4-57cb-51e9-0cfe-27877bff51d3
        set type url
        set host "all"
        set path "/filetypes/"
    next
end

URL category

In this address type, a user can create a URL category based on a FortiGuard URL ID. Once created, the address can be selected in the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the URL category.

The example creates a URL category address for URLs in the Education category. For more information about categories, see https://fortiguard.com/webfilter/categories.

To create a URL category address in the GUI:
  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to url-category,
    • Type to URL Category,
    • Host to all, and
    • URL Category to Education.

  4. Click OK.
To create a URL category address in the CLI:
config firewall proxy-address
    edit "url-category"
        set uuid 7a5465d2-57cf-51e9-49fd-0c6b5ad2ff4f
        set type category
        set host "all"
        set category 30
    next
end

To see a list of all the categories and their numbers, when editing the address, enter set category ?.

HTTP method

In this address type, a user can create an address based on the HTTP request methods that are used. Multiple method options are supported, including: CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, and TRACE. Once created, the address can be selected in the source tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the selected HTTP method.

The example creates an HTTP method address that uses the GET method.

To create an HTTP method address in the GUI:
  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to method_get,
    • Type to HTTP Method,
    • Host to all, and
    • Request Method to GET.

  4. Click OK.
To create an HTTP method address in the CLI:
config firewall proxy-address
    edit "method_get"
        set uuid 1e4d1a02-57d6-51e9-a5c4-73387925b7de
        set type method
        set host "all"
        set method get
    next
end

HTTP header

In this address type, a user can create an HTTP header as a regular expression. Once created, the header address can be selected in the source tab of an explicit proxy policy. This means that a policy will only allow or block requests where the HTTP header matches the regular expression.

This example creates an HTTP header address with the pattern Q[A-B].

To create an HTTP header address in the GUI:
  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to HTTP-header,
    • Type to HTTP Header,
    • Host to all,
    • Header Name to Header_Test, and
    • Header Regex to Q[A-B].

  4. Click OK.
To create an HTTP header address in the CLI:
config firewall proxy-address
    edit "HTTP-header"
        set uuid a0f1b806-57e9-51e9-b214-7a1cfafa9bb3
        set type header
        set host "all"
        set header-name "Header_Test"
        set header "Q[A-B]"
    next
end

User agent

In this address type, a user can create an address based on the names of the browsers that are used as user agents. Multiple browsers are supported, such as Chrome, Firefox, Internet Explorer, and others. Once created, the address can be selected in the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests from the specified user agent.

This example creates a user agent address for Google Chrome.

To create a user agent address in the GUI:
  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to UA-Chrome,
    • Type to User Agent,
    • Host to all, and
    • User Agent to Google Chrome.

  4. Click OK.
To create a user agent address in the CLI:
config firewall proxy-address
    edit "UA-Chrome"
        set uuid e3550196-57d8-51e9-eed0-115095a7920b
        set type ua
        set host "all"
        set ua chrome
    next
end

Advanced (source)

In this address type, a user can create an address based on multiple parameters, including HTTP method, User Agent, and HTTP header. Once created, the address can be selected in the source tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the selected address.

This example creates an address that uses the get method, a user agent for Google Chrome, and an HTTP header with the pattern Q[A-B].

To create an advanced (source) address in the GUI:
  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to advanced_src,
    • Type to Advanced (Source),
    • Host to all,
    • Request Method to GET,
    • User Agent to Google Chrome, and
    • HTTP header to Header_Test : Q[A-B].

  4. Click OK.
To create an advanced (source) address in the CLI:
config firewall proxy-address
    edit "advanced_src"
        set uuid fb9991d0-57e3-51e9-9fed-855e0bca16c3
        set type src-advanced
        set host "all"
        set method get
        set ua chrome
        config header-group
            edit 1
                set header-name "Header_Test"
                set header "Q[A-B]"
            next
        end
    next
end

Advanced (destination)

In this address type, a user can create an address based on URL pattern and URL category parameters. Once created, the address can be selected in the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the selected address.

This example creates an address for URLs that match the path pattern /about and are in the Education category. For more information about categories, see https://fortiguard.com/webfilter/categories.

To create an advanced (destination) address in the GUI:
  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to Advanced-dst,
    • Type to Advanced (Destination),
    • Host to all,
    • URL Path Regex to /about, and
    • URL Category to Education.

  4. Click OK.
To create an advanced (destination) address in the CLI:
config firewall proxy-address
    edit "Advanced-dst"
        set uuid d9c2a0d6-57e5-51e9-8c92-6aa8b3372198
        set type dst-advanced
        set host "all"
        set path "/about"
        set category 30
    next
end
