Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.2.1
Copy Link

Configure proxy policies.

  config firewall proxy-policy
      Description: Configure proxy policies.
      edit <policyid>
          set uuid {uuid}
          set proxy [explicit-web|transparent-web|...]
          set srcintf <name1>, <name2>, ...
          set dstintf <name1>, <name2>, ...
          set srcaddr <name1>, <name2>, ...
          set poolname <name1>, <name2>, ...
          set dstaddr <name1>, <name2>, ...
          set internet-service [enable|disable]
          set internet-service-negate [enable|disable]
          set internet-service-id <id1>, <id2>, ...
          set internet-service-group <name1>, <name2>, ...
          set internet-service-custom <name1>, <name2>, ...
          set internet-service-custom-group <name1>, <name2>, ...
          set service <name1>, <name2>, ...
          set srcaddr-negate [enable|disable]
          set dstaddr-negate [enable|disable]
          set service-negate [enable|disable]
          set action [accept|deny|...]
          set status [enable|disable]
          set schedule {string}
          set logtraffic [all|utm|...]
          set session-ttl {integer}
          set srcaddr6 <name1>, <name2>, ...
          set dstaddr6 <name1>, <name2>, ...
          set groups <name1>, <name2>, ...
          set users <name1>, <name2>, ...
          set http-tunnel-auth [enable|disable]
          set ssh-policy-redirect [enable|disable]
          set webproxy-forward-server {string}
          set webproxy-profile {string}
          set transparent [enable|disable]
          set webcache [enable|disable]
          set webcache-https [disable|enable]
          set disclaimer [disable|domain|...]
          set utm-status [enable|disable]
          set profile-type [single|group]
          set profile-group {string}
          set profile-protocol-options {string}
          set ssl-ssh-profile {string}
          set av-profile {string}
          set webfilter-profile {string}
          set emailfilter-profile {string}
          set dlp-sensor {string}
          set ips-sensor {string}
          set application-list {string}
          set icap-profile {string}
          set cifs-profile {string}
          set waf-profile {string}
          set ssh-filter-profile {string}
          set replacemsg-override-group {string}
          set logtraffic-start [enable|disable]
          set label {string}
          set global-label {string}
          set comments {var-string}
          set redirect-url {var-string}
      next
  end

config firewall proxy-policy

Parameter Name Description Type Size
uuid Universally Unique Identifier (UUID; automatically assigned but can be manually reset). uuid Not Specified
proxy Type of explicit proxy.
explicit-web: Explicit Web Proxy
transparent-web: Transparent Web Proxy
ftp: Explicit FTP Proxy
ssh: SSH Proxy
ssh-tunnel: SSH Tunnel
wanopt: WANopt Tunnel
option -
srcintf <name> Source interface names.
Interface name.
string Maximum length: 79
dstintf <name> Destination interface names.
Interface name.
string Maximum length: 79
srcaddr <name> Source address objects.
Address name.
string Maximum length: 79
poolname <name> Name of IP pool object.
IP pool name.
string Maximum length: 79
dstaddr <name> Destination address objects.
Address name.
string Maximum length: 79
internet-service Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
enable: Enable use of Internet Services in policy.
disable: Disable use of Internet Services in policy.
option -
internet-service-negate When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service.
enable: Enable negated Internet Service match.
disable: Disable negated Internet Service match.
option -
internet-service-id <id> Internet Service ID.
Internet Service ID.
integer Minimum value: 0 Maximum value: 4294967295
internet-service-group <name> Internet Service group name.
Internet Service group name.
string Maximum length: 79
internet-service-custom <name> Custom Internet Service name.
Custom name.
string Maximum length: 79
internet-service-custom-group <name> Custom Internet Service group name.
Custom Internet Service group name.
string Maximum length: 79
service <name> Name of service objects.
Service name.
string Maximum length: 79
srcaddr-negate When enabled, source addresses match against any address EXCEPT the specified source addresses.
enable: Enable source address negate.
disable: Disable destination address negate.
option -
dstaddr-negate When enabled, destination addresses match against any address EXCEPT the specified destination addresses.
enable: Enable source address negate.
disable: Disable destination address negate.
option -
service-negate When enabled, services match against any service EXCEPT the specified destination services.
enable: Enable negated service match.
disable: Disable negated service match.
option -
action Accept or deny traffic matching the policy parameters.
accept: Action accept.
deny: Action deny.
redirect: Action redirect.
option -
status Enable/disable the active status of the policy.
enable: Enable setting.
disable: Disable setting.
option -
schedule Name of schedule object. string Maximum length: 35
logtraffic Enable/disable logging traffic through the policy.
all: Log all sessions.
utm: UTM event and matched application traffic log.
disable: Disable traffic and application log.
option -
session-ttl TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL). integer Minimum value: 300 Maximum value: 2764800
srcaddr6 <name> IPv6 source address objects.
Address name.
string Maximum length: 79
dstaddr6 <name> IPv6 destination address objects.
Address name.
string Maximum length: 79
groups <name> Names of group objects.
Group name.
string Maximum length: 79
users <name> Names of user objects.
Group name.
string Maximum length: 79
http-tunnel-auth Enable/disable HTTP tunnel authentication.
enable: Enable setting.
disable: Disable setting.
option -
ssh-policy-redirect Redirect SSH traffic to matching transparent proxy policy.
enable: Enable SSH policy redirect.
disable: Disable SSH policy redirect.
option -
webproxy-forward-server Web proxy forward server name. string Maximum length: 63
webproxy-profile Name of web proxy profile. string Maximum length: 63
transparent Enable to use the IP address of the client to connect to the server.
enable: Enable use of IP address of client to connect to server.
disable: Disable use of IP address of client to connect to server.
option -
webcache Enable/disable web caching.
enable: Enable setting.
disable: Disable setting.
option -
webcache-https Enable/disable web caching for HTTPS (Requires deep-inspection enabled in ssl-ssh-profile).
disable: Disable web cache for HTTPS.
enable: Enable web cache for HTTPS.
option -
disclaimer Web proxy disclaimer setting: by domain, policy, or user.
disable: Disable disclaimer.
domain: Display disclaimer for domain
policy: Display disclaimer for policy
user: Display disclaimer for current user
option -
utm-status Enable the use of UTM profiles/sensors/lists.
enable: Enable setting.
disable: Disable setting.
option -
profile-type Determine whether the firewall policy allows security profile groups or single profiles only.
single: Do not allow security profile groups.
group: Allow security profile groups.
option -
profile-group Name of profile group. string Maximum length: 35
profile-protocol-options Name of an existing Protocol options profile. string Maximum length: 35
ssl-ssh-profile Name of an existing SSL SSH profile. string Maximum length: 35
av-profile Name of an existing Antivirus profile. string Maximum length: 35
webfilter-profile Name of an existing Web filter profile. string Maximum length: 35
emailfilter-profile Name of an existing email filter profile. string Maximum length: 35
dlp-sensor Name of an existing DLP sensor. string Maximum length: 35
ips-sensor Name of an existing IPS sensor. string Maximum length: 35
application-list Name of an existing Application list. string Maximum length: 35
icap-profile Name of an existing ICAP profile. string Maximum length: 35
cifs-profile Name of an existing CIFS profile. string Maximum length: 35
waf-profile Name of an existing Web application firewall profile. string Maximum length: 35
ssh-filter-profile Name of an existing SSH filter profile. string Maximum length: 35
replacemsg-override-group Authentication replacement message override group. string Maximum length: 35
logtraffic-start Enable/disable policy log traffic start.
enable: Enable setting.
disable: Disable setting.
option -
label VDOM-specific GUI visible label. string Maximum length: 63
global-label Global web-based manager visible label. string Maximum length: 63
comments Optional comments. var-string Maximum length: 1023
redirect-url Redirect URL for further explicit web proxy processing. var-string Maximum length: 1023

Configure proxy policies.

  config firewall proxy-policy
      Description: Configure proxy policies.
      edit <policyid>
          set uuid {uuid}
          set proxy [explicit-web|transparent-web|...]
          set srcintf <name1>, <name2>, ...
          set dstintf <name1>, <name2>, ...
          set srcaddr <name1>, <name2>, ...
          set poolname <name1>, <name2>, ...
          set dstaddr <name1>, <name2>, ...
          set internet-service [enable|disable]
          set internet-service-negate [enable|disable]
          set internet-service-id <id1>, <id2>, ...
          set internet-service-group <name1>, <name2>, ...
          set internet-service-custom <name1>, <name2>, ...
          set internet-service-custom-group <name1>, <name2>, ...
          set service <name1>, <name2>, ...
          set srcaddr-negate [enable|disable]
          set dstaddr-negate [enable|disable]
          set service-negate [enable|disable]
          set action [accept|deny|...]
          set status [enable|disable]
          set schedule {string}
          set logtraffic [all|utm|...]
          set session-ttl {integer}
          set srcaddr6 <name1>, <name2>, ...
          set dstaddr6 <name1>, <name2>, ...
          set groups <name1>, <name2>, ...
          set users <name1>, <name2>, ...
          set http-tunnel-auth [enable|disable]
          set ssh-policy-redirect [enable|disable]
          set webproxy-forward-server {string}
          set webproxy-profile {string}
          set transparent [enable|disable]
          set webcache [enable|disable]
          set webcache-https [disable|enable]
          set disclaimer [disable|domain|...]
          set utm-status [enable|disable]
          set profile-type [single|group]
          set profile-group {string}
          set profile-protocol-options {string}
          set ssl-ssh-profile {string}
          set av-profile {string}
          set webfilter-profile {string}
          set emailfilter-profile {string}
          set dlp-sensor {string}
          set ips-sensor {string}
          set application-list {string}
          set icap-profile {string}
          set cifs-profile {string}
          set waf-profile {string}
          set ssh-filter-profile {string}
          set replacemsg-override-group {string}
          set logtraffic-start [enable|disable]
          set label {string}
          set global-label {string}
          set comments {var-string}
          set redirect-url {var-string}
      next
  end

config firewall proxy-policy

Parameter Name Description Type Size
uuid Universally Unique Identifier (UUID; automatically assigned but can be manually reset). uuid Not Specified
proxy Type of explicit proxy.
explicit-web: Explicit Web Proxy
transparent-web: Transparent Web Proxy
ftp: Explicit FTP Proxy
ssh: SSH Proxy
ssh-tunnel: SSH Tunnel
wanopt: WANopt Tunnel
option -
srcintf <name> Source interface names.
Interface name.
string Maximum length: 79
dstintf <name> Destination interface names.
Interface name.
string Maximum length: 79
srcaddr <name> Source address objects.
Address name.
string Maximum length: 79
poolname <name> Name of IP pool object.
IP pool name.
string Maximum length: 79
dstaddr <name> Destination address objects.
Address name.
string Maximum length: 79
internet-service Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
enable: Enable use of Internet Services in policy.
disable: Disable use of Internet Services in policy.
option -
internet-service-negate When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service.
enable: Enable negated Internet Service match.
disable: Disable negated Internet Service match.
option -
internet-service-id <id> Internet Service ID.
Internet Service ID.
integer Minimum value: 0 Maximum value: 4294967295
internet-service-group <name> Internet Service group name.
Internet Service group name.
string Maximum length: 79
internet-service-custom <name> Custom Internet Service name.
Custom name.
string Maximum length: 79
internet-service-custom-group <name> Custom Internet Service group name.
Custom Internet Service group name.
string Maximum length: 79
service <name> Name of service objects.
Service name.
string Maximum length: 79
srcaddr-negate When enabled, source addresses match against any address EXCEPT the specified source addresses.
enable: Enable source address negate.
disable: Disable destination address negate.
option -
dstaddr-negate When enabled, destination addresses match against any address EXCEPT the specified destination addresses.
enable: Enable source address negate.
disable: Disable destination address negate.
option -
service-negate When enabled, services match against any service EXCEPT the specified destination services.
enable: Enable negated service match.
disable: Disable negated service match.
option -
action Accept or deny traffic matching the policy parameters.
accept: Action accept.
deny: Action deny.
redirect: Action redirect.
option -
status Enable/disable the active status of the policy.
enable: Enable setting.
disable: Disable setting.
option -
schedule Name of schedule object. string Maximum length: 35
logtraffic Enable/disable logging traffic through the policy.
all: Log all sessions.
utm: UTM event and matched application traffic log.
disable: Disable traffic and application log.
option -
session-ttl TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL). integer Minimum value: 300 Maximum value: 2764800
srcaddr6 <name> IPv6 source address objects.
Address name.
string Maximum length: 79
dstaddr6 <name> IPv6 destination address objects.
Address name.
string Maximum length: 79
groups <name> Names of group objects.
Group name.
string Maximum length: 79
users <name> Names of user objects.
Group name.
string Maximum length: 79
http-tunnel-auth Enable/disable HTTP tunnel authentication.
enable: Enable setting.
disable: Disable setting.
option -
ssh-policy-redirect Redirect SSH traffic to matching transparent proxy policy.
enable: Enable SSH policy redirect.
disable: Disable SSH policy redirect.
option -
webproxy-forward-server Web proxy forward server name. string Maximum length: 63
webproxy-profile Name of web proxy profile. string Maximum length: 63
transparent Enable to use the IP address of the client to connect to the server.
enable: Enable use of IP address of client to connect to server.
disable: Disable use of IP address of client to connect to server.
option -
webcache Enable/disable web caching.
enable: Enable setting.
disable: Disable setting.
option -
webcache-https Enable/disable web caching for HTTPS (Requires deep-inspection enabled in ssl-ssh-profile).
disable: Disable web cache for HTTPS.
enable: Enable web cache for HTTPS.
option -
disclaimer Web proxy disclaimer setting: by domain, policy, or user.
disable: Disable disclaimer.
domain: Display disclaimer for domain
policy: Display disclaimer for policy
user: Display disclaimer for current user
option -
utm-status Enable the use of UTM profiles/sensors/lists.
enable: Enable setting.
disable: Disable setting.
option -
profile-type Determine whether the firewall policy allows security profile groups or single profiles only.
single: Do not allow security profile groups.
group: Allow security profile groups.
option -
profile-group Name of profile group. string Maximum length: 35
profile-protocol-options Name of an existing Protocol options profile. string Maximum length: 35
ssl-ssh-profile Name of an existing SSL SSH profile. string Maximum length: 35
av-profile Name of an existing Antivirus profile. string Maximum length: 35
webfilter-profile Name of an existing Web filter profile. string Maximum length: 35
emailfilter-profile Name of an existing email filter profile. string Maximum length: 35
dlp-sensor Name of an existing DLP sensor. string Maximum length: 35
ips-sensor Name of an existing IPS sensor. string Maximum length: 35
application-list Name of an existing Application list. string Maximum length: 35
icap-profile Name of an existing ICAP profile. string Maximum length: 35
cifs-profile Name of an existing CIFS profile. string Maximum length: 35
waf-profile Name of an existing Web application firewall profile. string Maximum length: 35
ssh-filter-profile Name of an existing SSH filter profile. string Maximum length: 35
replacemsg-override-group Authentication replacement message override group. string Maximum length: 35
logtraffic-start Enable/disable policy log traffic start.
enable: Enable setting.
disable: Disable setting.
option -
label VDOM-specific GUI visible label. string Maximum length: 63
global-label Global web-based manager visible label. string Maximum length: 63
comments Optional comments. var-string Maximum length: 1023
redirect-url Redirect URL for further explicit web proxy processing. var-string Maximum length: 1023