Proxy policy security profiles

Web proxy policies support most security profile types.

Note

Security profiles must be created before they can be used in a policy. See Security Profiles for information.

Explicit web proxy policy

The security profiles supported by explicit web proxy policies are:

  • AntiVirus
  • Web Filter
  • Application Control
  • IPS
  • DLP Sensor
  • ICAP
  • Web Application Firewall
  • SSL Inspection
To configure security profiles on an explicit web proxy policy in the GUI:
  1. Go to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set the following:

    Proxy Type            Explicit Web
    Outgoing Interface    port1
    Source                all
    Destination           all
    Schedule              always
    Service               webproxy
    Action                ACCEPT

  4. In the Firewall / Network Options section, set Protocol Options to default.
  5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):

    AntiVirus                   av
    Web Filter                  urlfilter
    Application Control         app
    IPS                         Sensor-1
    DLP Sensor                  dlp
    ICAP                        default
    Web Application Firewall    default
    SSL Inspection              deep-inspection

  6. Click OK to create the policy.
To configure security profiles on an explicit web proxy policy in the CLI:
config firewall proxy-policy
    edit 1
        set uuid c8a71a2c-54be-51e9-fa7a-858f83139c70
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "web"
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "av"
        set webfilter-profile "urlfilter"
        set dlp-sensor "dlp"
        set ips-sensor "sensor-1"
        set application-list "app"
        set icap-profile "default"
        set waf-profile "default"
        set ssl-ssh-profile "deep-inspection"
    next
end

Transparent proxy

The security profiles supported by transparent proxy policies are:

  • AntiVirus
  • Web Filter
  • Application Control
  • IPS
  • DLP Sensor
  • ICAP
  • Web Application Firewall
  • SSL Inspection
To configure security profiles on a transparent proxy policy in the GUI:
  1. Go to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set the following:

    Proxy Type            Transparent Web
    Incoming Interface    port2
    Outgoing Interface    port1
    Source                all
    Destination           all
    Schedule              always
    Service               webproxy
    Action                ACCEPT

  4. In the Firewall / Network Options section, set Protocol Options to default.
  5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):

    AntiVirus                   av
    Web Filter                  urlfilter
    Application Control         app
    IPS                         Sensor-1
    DLP Sensor                  dlp
    ICAP                        default
    Web Application Firewall    default
    SSL Inspection              deep-inspection

  6. Click OK to create the policy.
To configure security profiles on a transparent proxy policy in the CLI:
config firewall proxy-policy
    edit 2
        set uuid 8fb05036-56fc-51e9-76a1-86f757d3d8dc
        set proxy transparent-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "av"
        set webfilter-profile "urlfilter"
        set dlp-sensor "dlp"
        set ips-sensor "sensor-1"
        set application-list "app"
        set icap-profile "default"
        set waf-profile "default"
        set ssl-ssh-profile "certificate-inspection"
    next
end

FTP proxy

The security profiles supported by FTP proxy policies are:

  • AntiVirus
  • Application Control
  • IPS
  • DLP Sensor
To configure security profiles on an FTP proxy policy in the GUI:
  1. Go to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set the following:

    Proxy Type            FTP
    Outgoing Interface    port1
    Source                all
    Destination           all
    Schedule              always
    Action                ACCEPT

  4. In the Firewall / Network Options section, set Protocol Options to default.
  5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):

    AntiVirus              av
    Application Control    app
    IPS                    Sensor-1
    DLP Sensor             dlp

  6. Click OK to create the policy.
To configure security profiles on an FTP proxy policy in the CLI:
config firewall proxy-policy
    edit 3
        set uuid cb89af34-54be-51e9-4496-c69ccfc4d5d4
        set proxy ftp
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "av"
        set dlp-sensor "dlp"
        set ips-sensor "sensor-1"
        set application-list "app"
    next
end
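
An added example (not Fortinet's code) that audits a `config firewall proxy-policy` block against this page: it flags profiles set without `utm-status enable`, profile keys outside the supported list for the proxy type, and payload-dependent profiles paired with `certificate-inspection`, as in the transparent CLI example above. Assumptions: the function names, the sample config, and the choice of AntiVirus, DLP, ICAP and WAF as the profiles that need decrypted HTTPS payloads are this example's own.

```python
# Profile keys each proxy type supports, per this page's lists and CLI examples.
FTP = {"av-profile", "application-list", "ips-sensor", "dlp-sensor"}
WEB = FTP | {"webfilter-profile", "icap-profile", "waf-profile", "ssl-ssh-profile"}
SUPPORTED = {"explicit-web": WEB, "transparent-web": WEB, "ftp": FTP}
# Assumption of this example: these profiles need decrypted HTTPS payloads.
NEEDS_PAYLOAD = {"av-profile", "dlp-sensor", "icap-profile", "waf-profile"}

def parse_policies(text):
    """Return {policy_id: {key: value}} from a 'config firewall proxy-policy' block."""
    policies, current = {}, None
    for line in text.splitlines():
        tok = line.split(None, 2)
        if tok[:1] == ["edit"] and len(tok) > 1:
            current = policies.setdefault(tok[1], {})
        elif tok[:1] == ["set"] and len(tok) == 3 and current is not None:
            current[tok[1]] = tok[2].strip().strip('"')
    return policies

def audit(policies):
    """Return (policy_id, finding) tuples for the three checks."""
    findings = []
    for pid, p in policies.items():
        profiles = {k for k in p if k in WEB}
        if profiles and p.get("utm-status") != "enable":
            findings.append((pid, "profiles set but utm-status is not enable"))
        for k in sorted(profiles - SUPPORTED.get(p.get("proxy"), set())):
            findings.append((pid, f"{k} is not supported on proxy type {p.get('proxy')}"))
        blind = sorted(profiles & NEEDS_PAYLOAD)
        if p.get("ssl-ssh-profile") == "certificate-inspection" and blind:
            findings.append((pid, "no HTTPS payload decryption for " + ", ".join(blind)))
    return findings

# Constructed sample: policy 2 is trimmed from the transparent example, policy 3 is misconfigured.
SAMPLE = """config firewall proxy-policy
    edit 2
        set proxy transparent-web
        set utm-status enable
        set av-profile "av"
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 3
        set proxy ftp
        set webfilter-profile "urlfilter"
    next
end
"""

for pid, msg in audit(parse_policies(SAMPLE)):
    print(f"policy {pid}: {msg}")
```

A custom SSL inspection profile is not judged by this check, since only the built-in name `certificate-inspection` is matched.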
