Fortinet black logo

CLI Reference

web-proxy global

Configure Web proxy global settings.

  config web-proxy global
      Description: Configure Web proxy global settings.
      set ssl-cert {string}
      set ssl-ca-cert {string}
      set fast-policy-match [enable|disable]
      set proxy-fqdn {string}
      set max-request-length {integer}
      set max-message-length {integer}
      set strict-web-check [enable|disable]
      set forward-proxy-auth [enable|disable]
      set tunnel-non-http [enable|disable]
      set unknown-http-version [reject|tunnel|...]
      set forward-server-affinity-timeout {integer}
      set max-waf-body-cache-length {integer}
      set webproxy-profile {string}
      set learn-client-ip [enable|disable]
      set learn-client-ip-from-header {option1}, {option2}, ...
      set learn-client-ip-srcaddr <name1>, <name2>, ...
      set learn-client-ip-srcaddr6 <name1>, <name2>, ...
  end

config web-proxy global

Parameter Name Description Type Size
ssl-cert SSL certificate for SSL interception. string Maximum length: 35
ssl-ca-cert SSL CA certificate for SSL interception. string Maximum length: 35
fast-policy-match Enable/disable fast matching algorithm for explicit and transparent proxy policy.
enable: Enable setting.
disable: Disable setting.
option -
proxy-fqdn Fully Qualified Domain Name (FQDN) that clients connect to (default = default.fqdn) to connect to the explicit web proxy. string Maximum length: 255
max-request-length Maximum length of HTTP request line (2 - 64 Kbytes, default = 8). integer Minimum value: 2 Maximum value: 64
max-message-length Maximum length of HTTP message, not including body (16 - 256 Kbytes, default = 32). integer Minimum value: 16 Maximum value: 256
strict-web-check Enable/disable strict web checking to block web sites that send incorrect headers that don't conform to HTTP 1.1.
enable: Enable strict web checking.
disable: Disable strict web checking.
option -
forward-proxy-auth Enable/disable forwarding proxy authentication headers.
enable: Enable forwarding proxy authentication headers.
disable: Disable forwarding proxy authentication headers.
option -
tunnel-non-http Enable/disable allowing non-HTTP traffic. Allowed non-HTTP traffic is tunneled.
enable: Allow non-HTTP traffic.
disable: Block non-HTTP traffic.
option -
unknown-http-version Action to take when an unknown version of HTTP is encountered: reject, allow (tunnel), or proceed with best-effort.
reject: Rejects requests with unknown HTTP version.
tunnel: Tunnels requests with unknown HTTP version.
best-effort: Allow unknown HTTP requests and process them using best efforts.
option -
forward-server-affinity-timeout Period of time before the source IP's traffic is no longer assigned to the forwarding server (6 - 60 min, default = 30). integer Minimum value: 6 Maximum value: 60
max-waf-body-cache-length Maximum length of HTTP messages processed by Web Application Firewall (WAF) (10 - 1024 Kbytes, default = 32). integer Minimum value: 10 Maximum value: 1024
webproxy-profile Name of the web proxy profile to apply when explicit proxy traffic is allowed by default and traffic is accepted that does not match an explicit proxy policy. string Maximum length: 63
learn-client-ip Enable/disable learning the client's IP address from headers.
enable: Enable learning the client's IP address from headers.
disable: Disable learning the client's IP address from headers.
option -
learn-client-ip-from-header Learn client IP address from the specified headers.
true-client-ip: Learn the client IP address from the True-Client-IP header.
x-real-ip: Learn the client IP address from the X-Real-IP header.
x-forwarded-for: Learn the client IP address from the X-Forwarded-For header.
option -
learn-client-ip-srcaddr <name> Source address name (srcaddr or srcaddr6 must be set).
Address name.
string Maximum length: 79
learn-client-ip-srcaddr6 <name> IPv6 Source address name (srcaddr or srcaddr6 must be set).
Address name.
string Maximum length: 79

Configure Web proxy global settings.

  config web-proxy global
      Description: Configure Web proxy global settings.
      set ssl-cert {string}
      set ssl-ca-cert {string}
      set fast-policy-match [enable|disable]
      set proxy-fqdn {string}
      set max-request-length {integer}
      set max-message-length {integer}
      set strict-web-check [enable|disable]
      set forward-proxy-auth [enable|disable]
      set tunnel-non-http [enable|disable]
      set unknown-http-version [reject|tunnel|...]
      set forward-server-affinity-timeout {integer}
      set max-waf-body-cache-length {integer}
      set webproxy-profile {string}
      set learn-client-ip [enable|disable]
      set learn-client-ip-from-header {option1}, {option2}, ...
      set learn-client-ip-srcaddr <name1>, <name2>, ...
      set learn-client-ip-srcaddr6 <name1>, <name2>, ...
  end

config web-proxy global

Parameter Name Description Type Size
ssl-cert SSL certificate for SSL interception. string Maximum length: 35
ssl-ca-cert SSL CA certificate for SSL interception. string Maximum length: 35
fast-policy-match Enable/disable fast matching algorithm for explicit and transparent proxy policy.
enable: Enable setting.
disable: Disable setting.
option -
proxy-fqdn Fully Qualified Domain Name (FQDN) that clients connect to (default = default.fqdn) to connect to the explicit web proxy. string Maximum length: 255
max-request-length Maximum length of HTTP request line (2 - 64 Kbytes, default = 8). integer Minimum value: 2 Maximum value: 64
max-message-length Maximum length of HTTP message, not including body (16 - 256 Kbytes, default = 32). integer Minimum value: 16 Maximum value: 256
strict-web-check Enable/disable strict web checking to block web sites that send incorrect headers that don't conform to HTTP 1.1.
enable: Enable strict web checking.
disable: Disable strict web checking.
option -
forward-proxy-auth Enable/disable forwarding proxy authentication headers.
enable: Enable forwarding proxy authentication headers.
disable: Disable forwarding proxy authentication headers.
option -
tunnel-non-http Enable/disable allowing non-HTTP traffic. Allowed non-HTTP traffic is tunneled.
enable: Allow non-HTTP traffic.
disable: Block non-HTTP traffic.
option -
unknown-http-version Action to take when an unknown version of HTTP is encountered: reject, allow (tunnel), or proceed with best-effort.
reject: Rejects requests with unknown HTTP version.
tunnel: Tunnels requests with unknown HTTP version.
best-effort: Allow unknown HTTP requests and process them using best efforts.
option -
forward-server-affinity-timeout Period of time before the source IP's traffic is no longer assigned to the forwarding server (6 - 60 min, default = 30). integer Minimum value: 6 Maximum value: 60
max-waf-body-cache-length Maximum length of HTTP messages processed by Web Application Firewall (WAF) (10 - 1024 Kbytes, default = 32). integer Minimum value: 10 Maximum value: 1024
webproxy-profile Name of the web proxy profile to apply when explicit proxy traffic is allowed by default and traffic is accepted that does not match an explicit proxy policy. string Maximum length: 63
learn-client-ip Enable/disable learning the client's IP address from headers.
enable: Enable learning the client's IP address from headers.
disable: Disable learning the client's IP address from headers.
option -
learn-client-ip-from-header Learn client IP address from the specified headers.
true-client-ip: Learn the client IP address from the True-Client-IP header.
x-real-ip: Learn the client IP address from the X-Real-IP header.
x-forwarded-for: Learn the client IP address from the X-Forwarded-For header.
option -
learn-client-ip-srcaddr <name> Source address name (srcaddr or srcaddr6 must be set).
Address name.
string Maximum length: 79
learn-client-ip-srcaddr6 <name> IPv6 Source address name (srcaddr or srcaddr6 must be set).
Address name.
string Maximum length: 79