Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    6.2.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    firewall proxy-policy

    Configure proxy policies.

      config firewall proxy-policy
      Description: Configure proxy policies.
      edit <policyid>
          set uuid {uuid}
          set proxy [explicit-web|transparent-web|...]
          set srcintf <name1>, <name2>, ...
          set dstintf <name1>, <name2>, ...
          set srcaddr <name1>, <name2>, ...
          set poolname <name1>, <name2>, ...
          set dstaddr <name1>, <name2>, ...
          set internet-service [enable|disable]
          set internet-service-negate [enable|disable]
          set internet-service-id <id1>, <id2>, ...
          set internet-service-group <name1>, <name2>, ...
          set internet-service-custom <name1>, <name2>, ...
          set internet-service-custom-group <name1>, <name2>, ...
          set service <name1>, <name2>, ...
          set srcaddr-negate [enable|disable]
          set dstaddr-negate [enable|disable]
          set service-negate [enable|disable]
          set action [accept|deny|...]
          set status [enable|disable]
          set schedule {string}
          set logtraffic [all|utm|...]
          set session-ttl {integer}
          set srcaddr6 <name1>, <name2>, ...
          set dstaddr6 <name1>, <name2>, ...
          set groups <name1>, <name2>, ...
          set users <name1>, <name2>, ...
          set http-tunnel-auth [enable|disable]
          set ssh-policy-redirect [enable|disable]
          set webproxy-forward-server {string}
          set webproxy-profile {string}
          set transparent [enable|disable]
          set webcache [enable|disable]
          set webcache-https [disable|enable]
          set disclaimer [disable|domain|...]
          set utm-status [enable|disable]
          set profile-type [single|group]
          set profile-group {string}
          set profile-protocol-options {string}
          set ssl-ssh-profile {string}
          set av-profile {string}
          set webfilter-profile {string}
          set emailfilter-profile {string}
          set dlp-sensor {string}
          set ips-sensor {string}
          set application-list {string}
          set icap-profile {string}
          set cifs-profile {string}
          set waf-profile {string}
          set ssh-filter-profile {string}
          set replacemsg-override-group {string}
          set logtraffic-start [enable|disable]
          set label {string}
          set global-label {string}
          set comments {var-string}
          set redirect-url {var-string}
      next
  end

    config firewall proxy-policy

    Parameter Name Description Type Size
    uuid Universally Unique Identifier (UUID; automatically assigned but can be manually reset). uuid Not Specified
    proxy Type of explicit proxy.
    explicit-web: Explicit Web Proxy
    transparent-web: Transparent Web Proxy
    ftp: Explicit FTP Proxy
    ssh: SSH Proxy
    ssh-tunnel: SSH Tunnel
    wanopt: WANopt Tunnel
    		 option -
    srcintf <name> Source interface names.
    Interface name.    		 string Maximum length: 79
    dstintf <name> Destination interface names.
    Interface name.    		 string Maximum length: 79
    srcaddr <name> Source address objects.
    Address name.    		 string Maximum length: 79
    poolname <name> Name of IP pool object.
    IP pool name.    		 string Maximum length: 79
    dstaddr <name> Destination address objects.
    Address name.    		 string Maximum length: 79
    internet-service Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
    enable: Enable use of Internet Services in policy.
    disable: Disable use of Internet Services in policy.
    		 option -
    internet-service-negate When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service.
    enable: Enable negated Internet Service match.
    disable: Disable negated Internet Service match.
    		 option -
    internet-service-id <id> Internet Service ID.
    Internet Service ID.    		 integer Minimum value: 0 Maximum value: 4294967295
    internet-service-group <name> Internet Service group name.
    Internet Service group name.    		 string Maximum length: 79
    internet-service-custom <name> Custom Internet Service name.
    Custom name.    		 string Maximum length: 79
    internet-service-custom-group <name> Custom Internet Service group name.
    Custom Internet Service group name.    		 string Maximum length: 79
    service <name> Name of service objects.
    Service name.    		 string Maximum length: 79
    srcaddr-negate When enabled, source addresses match against any address EXCEPT the specified source addresses.
    enable: Enable source address negate.
    disable: Disable destination address negate.
    		 option -
    dstaddr-negate When enabled, destination addresses match against any address EXCEPT the specified destination addresses.
    enable: Enable source address negate.
    disable: Disable destination address negate.
    		 option -
    service-negate When enabled, services match against any service EXCEPT the specified destination services.
    enable: Enable negated service match.
    disable: Disable negated service match.
    		 option -
    action Accept or deny traffic matching the policy parameters.
    accept: Action accept.
    deny: Action deny.
    redirect: Action redirect.
    		 option -
    status Enable/disable the active status of the policy.
    enable: Enable setting.
    disable: Disable setting.
    		 option -
    schedule Name of schedule object. string Maximum length: 35
    logtraffic Enable/disable logging traffic through the policy.
    all: Log all sessions.
    utm: UTM event and matched application traffic log.
    disable: Disable traffic and application log.
    		 option -
    session-ttl TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL). integer Minimum value: 300 Maximum value: 2764800
    srcaddr6 <name> IPv6 source address objects.
    Address name.    		 string Maximum length: 79
    dstaddr6 <name> IPv6 destination address objects.
    Address name.    		 string Maximum length: 79
    groups <name> Names of group objects.
    Group name.    		 string Maximum length: 79
    users <name> Names of user objects.
    Group name.    		 string Maximum length: 79
    http-tunnel-auth Enable/disable HTTP tunnel authentication.
    enable: Enable setting.
    disable: Disable setting.
    		 option -
    ssh-policy-redirect Redirect SSH traffic to matching transparent proxy policy.
    enable: Enable SSH policy redirect.
    disable: Disable SSH policy redirect.
    		 option -
    webproxy-forward-server Web proxy forward server name. string Maximum length: 63
    webproxy-profile Name of web proxy profile. string Maximum length: 63
    transparent Enable to use the IP address of the client to connect to the server.
    enable: Enable use of IP address of client to connect to server.
    disable: Disable use of IP address of client to connect to server.
    		 option -
    webcache Enable/disable web caching.
    enable: Enable setting.
    disable: Disable setting.
    		 option -
    webcache-https Enable/disable web caching for HTTPS (Requires deep-inspection enabled in ssl-ssh-profile).
    disable: Disable web cache for HTTPS.
    enable: Enable web cache for HTTPS.
    		 option -
    disclaimer Web proxy disclaimer setting: by domain, policy, or user.
    disable: Disable disclaimer.
    domain: Display disclaimer for domain
    policy: Display disclaimer for policy
    user: Display disclaimer for current user
    		 option -
    utm-status Enable the use of UTM profiles/sensors/lists.
    enable: Enable setting.
    disable: Disable setting.
    		 option -
    profile-type Determine whether the firewall policy allows security profile groups or single profiles only.
    single: Do not allow security profile groups.
    group: Allow security profile groups.
    		 option -
    profile-group Name of profile group. string Maximum length: 35
    profile-protocol-options Name of an existing Protocol options profile. string Maximum length: 35
    ssl-ssh-profile Name of an existing SSL SSH profile. string Maximum length: 35
    av-profile Name of an existing Antivirus profile. string Maximum length: 35
    webfilter-profile Name of an existing Web filter profile. string Maximum length: 35
    emailfilter-profile Name of an existing email filter profile. string Maximum length: 35
    dlp-sensor Name of an existing DLP sensor. string Maximum length: 35
    ips-sensor Name of an existing IPS sensor. string Maximum length: 35
    application-list Name of an existing Application list. string Maximum length: 35
    icap-profile Name of an existing ICAP profile. string Maximum length: 35
    cifs-profile Name of an existing CIFS profile. string Maximum length: 35
    waf-profile Name of an existing Web application firewall profile. string Maximum length: 35
    ssh-filter-profile Name of an existing SSH filter profile. string Maximum length: 35
    replacemsg-override-group Authentication replacement message override group. string Maximum length: 35
    logtraffic-start Enable/disable policy log traffic start.
    enable: Enable setting.
    disable: Disable setting.
    		 option -
    label VDOM-specific GUI visible label. string Maximum length: 63
    global-label Global web-based manager visible label. string Maximum length: 63
    comments Optional comments. var-string Maximum length: 1023
    redirect-url Redirect URL for further explicit web proxy processing. var-string Maximum length: 1023
    Previous
    Next

    firewall proxy-policy

    Configure proxy policies.

      config firewall proxy-policy
      Description: Configure proxy policies.
      edit <policyid>
          set uuid {uuid}
          set proxy [explicit-web|transparent-web|...]
          set srcintf <name1>, <name2>, ...
          set dstintf <name1>, <name2>, ...
          set srcaddr <name1>, <name2>, ...
          set poolname <name1>, <name2>, ...
          set dstaddr <name1>, <name2>, ...
          set internet-service [enable|disable]
          set internet-service-negate [enable|disable]
          set internet-service-id <id1>, <id2>, ...
          set internet-service-group <name1>, <name2>, ...
          set internet-service-custom <name1>, <name2>, ...
          set internet-service-custom-group <name1>, <name2>, ...
          set service <name1>, <name2>, ...
          set srcaddr-negate [enable|disable]
          set dstaddr-negate [enable|disable]
          set service-negate [enable|disable]
          set action [accept|deny|...]
          set status [enable|disable]
          set schedule {string}
          set logtraffic [all|utm|...]
          set session-ttl {integer}
          set srcaddr6 <name1>, <name2>, ...
          set dstaddr6 <name1>, <name2>, ...
          set groups <name1>, <name2>, ...
          set users <name1>, <name2>, ...
          set http-tunnel-auth [enable|disable]
          set ssh-policy-redirect [enable|disable]
          set webproxy-forward-server {string}
          set webproxy-profile {string}
          set transparent [enable|disable]
          set webcache [enable|disable]
          set webcache-https [disable|enable]
          set disclaimer [disable|domain|...]
          set utm-status [enable|disable]
          set profile-type [single|group]
          set profile-group {string}
          set profile-protocol-options {string}
          set ssl-ssh-profile {string}
          set av-profile {string}
          set webfilter-profile {string}
          set emailfilter-profile {string}
          set dlp-sensor {string}
          set ips-sensor {string}
          set application-list {string}
          set icap-profile {string}
          set cifs-profile {string}
          set waf-profile {string}
          set ssh-filter-profile {string}
          set replacemsg-override-group {string}
          set logtraffic-start [enable|disable]
          set label {string}
          set global-label {string}
          set comments {var-string}
          set redirect-url {var-string}
      next
  end

    config firewall proxy-policy

    Parameter Name Description Type Size
    uuid Universally Unique Identifier (UUID; automatically assigned but can be manually reset). uuid Not Specified
    proxy Type of explicit proxy.
    explicit-web: Explicit Web Proxy
    transparent-web: Transparent Web Proxy
    ftp: Explicit FTP Proxy
    ssh: SSH Proxy
    ssh-tunnel: SSH Tunnel
    wanopt: WANopt Tunnel
    		 option -
    srcintf <name> Source interface names.
    Interface name.    		 string Maximum length: 79
    dstintf <name> Destination interface names.
    Interface name.    		 string Maximum length: 79
    srcaddr <name> Source address objects.
    Address name.    		 string Maximum length: 79
    poolname <name> Name of IP pool object.
    IP pool name.    		 string Maximum length: 79
    dstaddr <name> Destination address objects.
    Address name.    		 string Maximum length: 79
    internet-service Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
    enable: Enable use of Internet Services in policy.
    disable: Disable use of Internet Services in policy.
    		 option -
    internet-service-negate When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service.
    enable: Enable negated Internet Service match.
    disable: Disable negated Internet Service match.
    		 option -
    internet-service-id <id> Internet Service ID.
    Internet Service ID.    		 integer Minimum value: 0 Maximum value: 4294967295
    internet-service-group <name> Internet Service group name.
    Internet Service group name.    		 string Maximum length: 79
    internet-service-custom <name> Custom Internet Service name.
    Custom name.    		 string Maximum length: 79
    internet-service-custom-group <name> Custom Internet Service group name.
    Custom Internet Service group name.    		 string Maximum length: 79
    service <name> Name of service objects.
    Service name.    		 string Maximum length: 79
    srcaddr-negate When enabled, source addresses match against any address EXCEPT the specified source addresses.
    enable: Enable source address negate.
    disable: Disable destination address negate.
    		 option -
    dstaddr-negate When enabled, destination addresses match against any address EXCEPT the specified destination addresses.
    enable: Enable source address negate.
    disable: Disable destination address negate.
    		 option -
    service-negate When enabled, services match against any service EXCEPT the specified destination services.
    enable: Enable negated service match.
    disable: Disable negated service match.
    		 option -
    action Accept or deny traffic matching the policy parameters.
    accept: Action accept.
    deny: Action deny.
    redirect: Action redirect.
    		 option -
    status Enable/disable the active status of the policy.
    enable: Enable setting.
    disable: Disable setting.
    		 option -
    schedule Name of schedule object. string Maximum length: 35
    logtraffic Enable/disable logging traffic through the policy.
    all: Log all sessions.
    utm: UTM event and matched application traffic log.
    disable: Disable traffic and application log.
    		 option -
    session-ttl TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL). integer Minimum value: 300 Maximum value: 2764800
    srcaddr6 <name> IPv6 source address objects.
    Address name.    		 string Maximum length: 79
    dstaddr6 <name> IPv6 destination address objects.
    Address name.    		 string Maximum length: 79
    groups <name> Names of group objects.
    Group name.    		 string Maximum length: 79
    users <name> Names of user objects.
    Group name.    		 string Maximum length: 79
    http-tunnel-auth Enable/disable HTTP tunnel authentication.
    enable: Enable setting.
    disable: Disable setting.
    		 option -
    ssh-policy-redirect Redirect SSH traffic to matching transparent proxy policy.
    enable: Enable SSH policy redirect.
    disable: Disable SSH policy redirect.
    		 option -
    webproxy-forward-server Web proxy forward server name. string Maximum length: 63
    webproxy-profile Name of web proxy profile. string Maximum length: 63
    transparent Enable to use the IP address of the client to connect to the server.
    enable: Enable use of IP address of client to connect to server.
    disable: Disable use of IP address of client to connect to server.
    		 option -
    webcache Enable/disable web caching.
    enable: Enable setting.
    disable: Disable setting.
    		 option -
    webcache-https Enable/disable web caching for HTTPS (Requires deep-inspection enabled in ssl-ssh-profile).
    disable: Disable web cache for HTTPS.
    enable: Enable web cache for HTTPS.
    		 option -
    disclaimer Web proxy disclaimer setting: by domain, policy, or user.
    disable: Disable disclaimer.
    domain: Display disclaimer for domain
    policy: Display disclaimer for policy
    user: Display disclaimer for current user
    		 option -
    utm-status Enable the use of UTM profiles/sensors/lists.
    enable: Enable setting.
    disable: Disable setting.
    		 option -
    profile-type Determine whether the firewall policy allows security profile groups or single profiles only.
    single: Do not allow security profile groups.
    group: Allow security profile groups.
    		 option -
    profile-group Name of profile group. string Maximum length: 35
    profile-protocol-options Name of an existing Protocol options profile. string Maximum length: 35
    ssl-ssh-profile Name of an existing SSL SSH profile. string Maximum length: 35
    av-profile Name of an existing Antivirus profile. string Maximum length: 35
    webfilter-profile Name of an existing Web filter profile. string Maximum length: 35
    emailfilter-profile Name of an existing email filter profile. string Maximum length: 35
    dlp-sensor Name of an existing DLP sensor. string Maximum length: 35
    ips-sensor Name of an existing IPS sensor. string Maximum length: 35
    application-list Name of an existing Application list. string Maximum length: 35
    icap-profile Name of an existing ICAP profile. string Maximum length: 35
    cifs-profile Name of an existing CIFS profile. string Maximum length: 35
    waf-profile Name of an existing Web application firewall profile. string Maximum length: 35
    ssh-filter-profile Name of an existing SSH filter profile. string Maximum length: 35
    replacemsg-override-group Authentication replacement message override group. string Maximum length: 35
    logtraffic-start Enable/disable policy log traffic start.
    enable: Enable setting.
    disable: Disable setting.
    		 option -
    label VDOM-specific GUI visible label. string Maximum length: 63
    global-label Global web-based manager visible label. string Maximum length: 63
    comments Optional comments. var-string Maximum length: 1023
    redirect-url Redirect URL for further explicit web proxy processing. var-string Maximum length: 1023
    Previous
    Next