Fortinet white logo
Fortinet white logo

Cookbook

Proxy policy security profiles

Proxy policy security profiles

Web proxy policies support most security profile types.

Note

Security profiles must be created before they can be used in a policy, see Security Profiles for information.

Explicit web proxy policy

The security profiles supported by explicit web proxy policies are:

  • AntiVirus
  • Web Filter
  • Application Control
  • IPS
  • DLP Sensor
  • ICAP
  • Web Application Firewall
  • SSL Inspection
To configure security profiles on an explicit web proxy policy in the GUI:
  1. Go to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set the following:

    Proxy Type

    Explicit Web

    Outgoing Interface

    port1

    Source

    all

    Destination

    all

    Schedule

    always

    Service

    webproxy

    Action

    ACCEPT

  4. In the Firewall / Network Options section, set Protocol Options to default.
  5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):

    AntiVirus

    av

    Web Filter

    urlfiler

    Application Control

    app

    IPS

    Sensor-1

    DLP Sensor

    dlp

    ICAP

    default

    Web Application Firewall

    default

    SSL Inspection

    deep-inspection

  6. Click OK to create the policy.
To configure security profiles on an explicit web proxy policy in the CLI:
config firewall proxy-policy
    edit 1
        set uuid c8a71a2c-54be-51e9-fa7a-858f83139c70
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "web"
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "av"
        set webfilter-profile "urlfilter"
        set dlp-sensor "dlp"
        set ips-sensor "sensor-1"
        set application-list "app"
        set icap-profile "default"
        set waf-profile "default"
        set ssl-ssh-profile "deep-inspection"
    next
end

Transparent proxy

The security profiles supported by transparent proxy policies are:

  • AntiVirus
  • Web Filter
  • Application Control
  • IPS
  • DLP Sensor
  • ICAP
  • Web Application Firewall
  • SSL Inspection
To configure security profiles on a transparent proxy policy in the GUI:
  1. Go to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set the following:

    Proxy Type

    Explicit Web

    Incoming Interfae

    port2

    Outgoing Interface

    port1

    Source

    all

    Destination

    all

    Schedule

    always

    Service

    webproxy

    Action

    ACCEPT

  4. In the Firewall / Network Options section, set Protocol Options to default.
  5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):

    AntiVirus

    av

    Web Filter

    urlfiler

    Application Control

    app

    IPS

    Sensor-1

    DLP Sensor

    dlp

    ICAP

    default

    Web Application Firewall

    default

    SSL Inspection

    deep-inspection

  6. Click OK to create the policy.
To configure security profiles on a transparent proxy policy in the CLI:
config firewall proxy-policy
    edit 2
        set uuid 8fb05036-56fc-51e9-76a1-86f757d3d8dc
        set proxy transparent-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "av"
        set webfilter-profile "urlfilter"
        set dlp-sensor "dlp"
        set ips-sensor "sensor-1"
        set application-list "app"
        set icap-profile "default"
        set waf-profile "default"
        set ssl-ssh-profile "certificate-inspection"
    next
end

FTP proxy

The security profiles supported by FTP proxy policies are:

  • AntiVirus
  • Application Control
  • IPS
  • DLP Sensor
To configure security profiles on an FTP proxy policy in the GUI:
  1. Go to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set the following:

    Proxy Type

    FTP

    Outgoing Interface

    port1

    Source

    all

    Destination

    all

    Schedule

    always

    Action

    ACCEPT

  4. In the Firewall / Network Options section, set Protocol Options to default.
  5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):

    AntiVirus

    av

    Application Control

    app

    IPS

    Sensor-1

    DLP Sensor

    dlp

  6. Click OK to create the policy.
To configure security profiles on an FTP proxy policy in the CLI:
config firewall proxy-policy
    edit 3
        set uuid cb89af34-54be-51e9-4496-c69ccfc4d5d4
        set proxy ftp
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "av"
        set dlp-sensor "dlp"
        set ips-sensor "sensor-1"
        set application-list "app"
    next
end

Proxy policy security profiles

Proxy policy security profiles

Web proxy policies support most security profile types.

Note

Security profiles must be created before they can be used in a policy, see Security Profiles for information.

Explicit web proxy policy

The security profiles supported by explicit web proxy policies are:

  • AntiVirus
  • Web Filter
  • Application Control
  • IPS
  • DLP Sensor
  • ICAP
  • Web Application Firewall
  • SSL Inspection
To configure security profiles on an explicit web proxy policy in the GUI:
  1. Go to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set the following:

    Proxy Type

    Explicit Web

    Outgoing Interface

    port1

    Source

    all

    Destination

    all

    Schedule

    always

    Service

    webproxy

    Action

    ACCEPT

  4. In the Firewall / Network Options section, set Protocol Options to default.
  5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):

    AntiVirus

    av

    Web Filter

    urlfiler

    Application Control

    app

    IPS

    Sensor-1

    DLP Sensor

    dlp

    ICAP

    default

    Web Application Firewall

    default

    SSL Inspection

    deep-inspection

  6. Click OK to create the policy.
To configure security profiles on an explicit web proxy policy in the CLI:
config firewall proxy-policy
    edit 1
        set uuid c8a71a2c-54be-51e9-fa7a-858f83139c70
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "web"
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "av"
        set webfilter-profile "urlfilter"
        set dlp-sensor "dlp"
        set ips-sensor "sensor-1"
        set application-list "app"
        set icap-profile "default"
        set waf-profile "default"
        set ssl-ssh-profile "deep-inspection"
    next
end

Transparent proxy

The security profiles supported by transparent proxy policies are:

  • AntiVirus
  • Web Filter
  • Application Control
  • IPS
  • DLP Sensor
  • ICAP
  • Web Application Firewall
  • SSL Inspection
To configure security profiles on a transparent proxy policy in the GUI:
  1. Go to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set the following:

    Proxy Type

    Explicit Web

    Incoming Interfae

    port2

    Outgoing Interface

    port1

    Source

    all

    Destination

    all

    Schedule

    always

    Service

    webproxy

    Action

    ACCEPT

  4. In the Firewall / Network Options section, set Protocol Options to default.
  5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):

    AntiVirus

    av

    Web Filter

    urlfiler

    Application Control

    app

    IPS

    Sensor-1

    DLP Sensor

    dlp

    ICAP

    default

    Web Application Firewall

    default

    SSL Inspection

    deep-inspection

  6. Click OK to create the policy.
To configure security profiles on a transparent proxy policy in the CLI:
config firewall proxy-policy
    edit 2
        set uuid 8fb05036-56fc-51e9-76a1-86f757d3d8dc
        set proxy transparent-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "av"
        set webfilter-profile "urlfilter"
        set dlp-sensor "dlp"
        set ips-sensor "sensor-1"
        set application-list "app"
        set icap-profile "default"
        set waf-profile "default"
        set ssl-ssh-profile "certificate-inspection"
    next
end

FTP proxy

The security profiles supported by FTP proxy policies are:

  • AntiVirus
  • Application Control
  • IPS
  • DLP Sensor
To configure security profiles on an FTP proxy policy in the GUI:
  1. Go to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set the following:

    Proxy Type

    FTP

    Outgoing Interface

    port1

    Source

    all

    Destination

    all

    Schedule

    always

    Action

    ACCEPT

  4. In the Firewall / Network Options section, set Protocol Options to default.
  5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):

    AntiVirus

    av

    Application Control

    app

    IPS

    Sensor-1

    DLP Sensor

    dlp

  6. Click OK to create the policy.
To configure security profiles on an FTP proxy policy in the CLI:
config firewall proxy-policy
    edit 3
        set uuid cb89af34-54be-51e9-4496-c69ccfc4d5d4
        set proxy ftp
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "av"
        set dlp-sensor "dlp"
        set ips-sensor "sensor-1"
        set application-list "app"
    next
end