Transparent web proxy forwarding

In FortiOS, there is an option to enable proxy forwarding for transparent web proxy policies and regular firewall policies for HTTP and HTTPS.

In previous versions of FortiOS, you could forward proxy traffic to another proxy server (proxy chaining) with explicit proxy. Now, you can forward web traffic to the upstream proxy without having to reconfigure your browsers or publish a proxy auto-configuration (PAC) file.

Once configured, the FortiGate forwards traffic generated by a client to the upstream proxy. The upstream proxy then forwards it to the server.

To enable proxy forwarding using the CLI:
  1. Configure the web proxy forwarding server:
    config web-proxy forward-server
        edit "PC_03"
            set ip 172.16.200.46
            set healthcheck enable
            set monitor "http://www.google.ca"
        next
    end
  2. Append the web proxy forwarding server to a firewall policy:
    config firewall policy
        edit 1
            set name "LAN to WAN"
            set uuid b89f6184-2a6b-51e9-5e2d-9b877903a308
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set logtraffic all
            set webproxy-forward-server "PC_03"
            set fsso disable
            set av-profile "av"
            set ssl-ssh-profile "deep-custom"
            set nat enable
        next
    end
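
A check to run on a saved configuration before applying the two steps above, as an added example that is not Fortinet's code: it parses the config/edit/set blocks and reports any policy whose webproxy-forward-server names an entry that is not defined, or one without healthcheck enabled. The servers PC_04 and PC_05, policies 2 and 3, and the function names are constructed for illustration.

```python
import shlex

# Constructed sample: PC_03 follows the page; PC_04, PC_05 and policies 2-3 are made up.
SAMPLE = '''config web-proxy forward-server
    edit "PC_03"
        set healthcheck enable
    next
    edit "PC_04"
        set ip 172.16.200.47
    next
end
config firewall policy
    edit 1
        set webproxy-forward-server "PC_03"
    next
    edit 2
        set webproxy-forward-server "PC_04"
    next
    edit 3
        set webproxy-forward-server "PC_05"
    next
end'''

def parse(text):
    """Return {section: {entry: {option: value}}} for flat config/edit/set blocks."""
    tree, section, entry = {}, None, None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            section = tree.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end"):
            entry = None
    return tree

def audit(text):
    """Return (policy id, server, problem) for each broken forwarding reference."""
    tree = parse(text)
    servers = tree.get("web-proxy forward-server", {})
    findings = []
    for pid, opts in tree.get("firewall policy", {}).items():
        name = opts.get("webproxy-forward-server")
        if name and name not in servers:
            findings.append((pid, name, "forward-server not defined"))
        elif name and servers[name].get("healthcheck") != "enable":
            findings.append((pid, name, "healthcheck not enabled"))
    return findings
```

Calling `audit(SAMPLE)` flags policies 2 and 3 and leaves policy 1 alone. The parser handles only flat blocks, so nested `config` sections inside an `edit` need a fuller parser.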
