Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

config firewall proxy-policy

Configure proxy policies.

config firewall proxy-policy

Description: Configure proxy policies.

edit <policyid>

set uuid {uuid}

set proxy [explicit-web|transparent-web|...]

set srcintf <name1>, <name2>, ...

set dstintf <name1>, <name2>, ...

set srcaddr <name1>, <name2>, ...

set poolname <name1>, <name2>, ...

set dstaddr <name1>, <name2>, ...

set internet-service [enable|disable]

set internet-service-negate [enable|disable]

set internet-service-id <id1>, <id2>, ...

set internet-service-group <name1>, <name2>, ...

set internet-service-custom <name1>, <name2>, ...

set internet-service-custom-group <name1>, <name2>, ...

set service <name1>, <name2>, ...

set srcaddr-negate [enable|disable]

set dstaddr-negate [enable|disable]

set service-negate [enable|disable]

set action [accept|deny|...]

set status [enable|disable]

set schedule {string}

set logtraffic [all|utm|...]

set session-ttl {integer}

set srcaddr6 <name1>, <name2>, ...

set dstaddr6 <name1>, <name2>, ...

set groups <name1>, <name2>, ...

set users <name1>, <name2>, ...

set http-tunnel-auth [enable|disable]

set ssh-policy-redirect [enable|disable]

set webproxy-forward-server {string}

set webproxy-profile {string}

set transparent [enable|disable]

set disclaimer [disable|domain|...]

set utm-status [enable|disable]

set profile-type [single|group]

set profile-group {string}

set profile-protocol-options {string}

set ssl-ssh-profile {string}

set av-profile {string}

set webfilter-profile {string}

set emailfilter-profile {string}

set dlp-sensor {string}

set ips-sensor {string}

set application-list {string}

set icap-profile {string}

set cifs-profile {string}

set waf-profile {string}

set ssh-filter-profile {string}

set replacemsg-override-group {string}

set logtraffic-start [enable|disable]

set comments {var-string}

set redirect-url {var-string}

next

end

config firewall proxy-policy

Parameter

Description

Type

Size

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

proxy

Type of explicit proxy.

option

-

 

Option

Description

explicit-web

Explicit Web Proxy

transparent-web

Transparent Web Proxy

ftp

Explicit FTP Proxy

ssh

SSH Proxy

ssh-tunnel

SSH Tunnel

srcintf <name>

Source interface names.

Interface name.

string

Maximum length: 79

dstintf <name>

Destination interface names.

Interface name.

string

Maximum length: 79

srcaddr <name>

Source address objects.

Address name.

string

Maximum length: 79

poolname <name>

Name of IP pool object.

IP pool name.

string

Maximum length: 79

dstaddr <name>

Destination address objects.

Address name.

string

Maximum length: 79

internet-service

Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.

option

-

 

Option

Description

enable

Enable use of Internet Services in policy.

disable

Disable use of Internet Services in policy.

internet-service-negate

When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service.

option

-

 

Option

Description

enable

Enable negated Internet Service match.

disable

Disable negated Internet Service match.

internet-service-id <id>

Internet Service ID.

Internet Service ID.

integer

Minimum value: 0 Maximum value: 4294967295

internet-service-group <name>

Internet Service group name.

Internet Service group name.

string

Maximum length: 79

internet-service-custom <name>

Custom Internet Service name.

Custom name.

string

Maximum length: 79

internet-service-custom-group <name>

Custom Internet Service group name.

Custom Internet Service group name.

string

Maximum length: 79

service <name>

Name of service objects.

Service name.

string

Maximum length: 79

srcaddr-negate

When enabled, source addresses match against any address EXCEPT the specified source addresses.

option

-

 

Option

Description

enable

Enable source address negate.

disable

Disable destination address negate.

dstaddr-negate

When enabled, destination addresses match against any address EXCEPT the specified destination addresses.

option

-

 

Option

Description

enable

Enable source address negate.

disable

Disable destination address negate.

service-negate

When enabled, services match against any service EXCEPT the specified destination services.

option

-

 

Option

Description

enable

Enable negated service match.

disable

Disable negated service match.

action

Accept or deny traffic matching the policy parameters.

option

-

 

Option

Description

accept

Action accept.

deny

Action deny.

redirect

Action redirect.

status

Enable/disable the active status of the policy.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

schedule

Name of schedule object.

string

Maximum length: 35

logtraffic

Enable/disable logging traffic through the policy.

option

-

 

Option

Description

all

Log all sessions.

utm

UTM event and matched application traffic log.

disable

Disable traffic and application log.

session-ttl

TTL in seconds for sessions accepted by this policy .

integer

Minimum value: 300 Maximum value: 2764800

srcaddr6 <name>

IPv6 source address objects.

Address name.

string

Maximum length: 79

dstaddr6 <name>

IPv6 destination address objects.

Address name.

string

Maximum length: 79

groups <name>

Names of group objects.

Group name.

string

Maximum length: 79

users <name>

Names of user objects.

Group name.

string

Maximum length: 79

http-tunnel-auth

Enable/disable HTTP tunnel authentication.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

ssh-policy-redirect

Redirect SSH traffic to matching transparent proxy policy.

option

-

 

Option

Description

enable

Enable SSH policy redirect.

disable

Disable SSH policy redirect.

webproxy-forward-server

Web proxy forward server name.

string

Maximum length: 63

webproxy-profile

Name of web proxy profile.

string

Maximum length: 63

transparent

Enable to use the IP address of the client to connect to the server.

option

-

 

Option

Description

enable

Enable use of IP address of client to connect to server.

disable

Disable use of IP address of client to connect to server.

disclaimer

Web proxy disclaimer setting: by domain, policy, or user.

option

-

 

Option

Description

disable

Disable disclaimer.

domain

Display disclaimer for domain

policy

Display disclaimer for policy

user

Display disclaimer for current user

utm-status

Enable the use of UTM profiles/sensors/lists.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

profile-type

Determine whether the firewall policy allows security profile groups or single profiles only.

option

-

 

Option

Description

single

Do not allow security profile groups.

group

Allow security profile groups.

profile-group

Name of profile group.

string

Maximum length: 35

profile-protocol-options

Name of an existing Protocol options profile.

string

Maximum length: 35

ssl-ssh-profile

Name of an existing SSL SSH profile.

string

Maximum length: 35

av-profile

Name of an existing Antivirus profile.

string

Maximum length: 35

webfilter-profile

Name of an existing Web filter profile.

string

Maximum length: 35

emailfilter-profile

Name of an existing email filter profile.

string

Maximum length: 35

dlp-sensor

Name of an existing DLP sensor.

string

Maximum length: 35

ips-sensor

Name of an existing IPS sensor.

string

Maximum length: 35

application-list

Name of an existing Application list.

string

Maximum length: 35

icap-profile

Name of an existing ICAP profile.

string

Maximum length: 35

cifs-profile

Name of an existing CIFS profile.

string

Maximum length: 35

waf-profile

Name of an existing Web application firewall profile.

string

Maximum length: 35

ssh-filter-profile

Name of an existing SSH filter profile.

string

Maximum length: 35

replacemsg-override-group

Authentication replacement message override group.

string

Maximum length: 35

logtraffic-start

Enable/disable policy log traffic start.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

comments

Optional comments.

var-string

Maximum length: 1023

redirect-url

Redirect URL for further explicit web proxy processing.

var-string

Maximum length: 1023

config firewall proxy-policy

Configure proxy policies.

config firewall proxy-policy

Description: Configure proxy policies.

edit <policyid>

set uuid {uuid}

set proxy [explicit-web|transparent-web|...]

set srcintf <name1>, <name2>, ...

set dstintf <name1>, <name2>, ...

set srcaddr <name1>, <name2>, ...

set poolname <name1>, <name2>, ...

set dstaddr <name1>, <name2>, ...

set internet-service [enable|disable]

set internet-service-negate [enable|disable]

set internet-service-id <id1>, <id2>, ...

set internet-service-group <name1>, <name2>, ...

set internet-service-custom <name1>, <name2>, ...

set internet-service-custom-group <name1>, <name2>, ...

set service <name1>, <name2>, ...

set srcaddr-negate [enable|disable]

set dstaddr-negate [enable|disable]

set service-negate [enable|disable]

set action [accept|deny|...]

set status [enable|disable]

set schedule {string}

set logtraffic [all|utm|...]

set session-ttl {integer}

set srcaddr6 <name1>, <name2>, ...

set dstaddr6 <name1>, <name2>, ...

set groups <name1>, <name2>, ...

set users <name1>, <name2>, ...

set http-tunnel-auth [enable|disable]

set ssh-policy-redirect [enable|disable]

set webproxy-forward-server {string}

set webproxy-profile {string}

set transparent [enable|disable]

set disclaimer [disable|domain|...]

set utm-status [enable|disable]

set profile-type [single|group]

set profile-group {string}

set profile-protocol-options {string}

set ssl-ssh-profile {string}

set av-profile {string}

set webfilter-profile {string}

set emailfilter-profile {string}

set dlp-sensor {string}

set ips-sensor {string}

set application-list {string}

set icap-profile {string}

set cifs-profile {string}

set waf-profile {string}

set ssh-filter-profile {string}

set replacemsg-override-group {string}

set logtraffic-start [enable|disable]

set comments {var-string}

set redirect-url {var-string}

next

end

config firewall proxy-policy

Parameter

Description

Type

Size

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

proxy

Type of explicit proxy.

option

-

 

Option

Description

explicit-web

Explicit Web Proxy

transparent-web

Transparent Web Proxy

ftp

Explicit FTP Proxy

ssh

SSH Proxy

ssh-tunnel

SSH Tunnel

srcintf <name>

Source interface names.

Interface name.

string

Maximum length: 79

dstintf <name>

Destination interface names.

Interface name.

string

Maximum length: 79

srcaddr <name>

Source address objects.

Address name.

string

Maximum length: 79

poolname <name>

Name of IP pool object.

IP pool name.

string

Maximum length: 79

dstaddr <name>

Destination address objects.

Address name.

string

Maximum length: 79

internet-service

Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.

option

-

 

Option

Description

enable

Enable use of Internet Services in policy.

disable

Disable use of Internet Services in policy.

internet-service-negate

When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service.

option

-

 

Option

Description

enable

Enable negated Internet Service match.

disable

Disable negated Internet Service match.

internet-service-id <id>

Internet Service ID.

Internet Service ID.

integer

Minimum value: 0 Maximum value: 4294967295

internet-service-group <name>

Internet Service group name.

Internet Service group name.

string

Maximum length: 79

internet-service-custom <name>

Custom Internet Service name.

Custom name.

string

Maximum length: 79

internet-service-custom-group <name>

Custom Internet Service group name.

Custom Internet Service group name.

string

Maximum length: 79

service <name>

Name of service objects.

Service name.

string

Maximum length: 79

srcaddr-negate

When enabled, source addresses match against any address EXCEPT the specified source addresses.

option

-

 

Option

Description

enable

Enable source address negate.

disable

Disable destination address negate.

dstaddr-negate

When enabled, destination addresses match against any address EXCEPT the specified destination addresses.

option

-

 

Option

Description

enable

Enable source address negate.

disable

Disable destination address negate.

service-negate

When enabled, services match against any service EXCEPT the specified destination services.

option

-

 

Option

Description

enable

Enable negated service match.

disable

Disable negated service match.

action

Accept or deny traffic matching the policy parameters.

option

-

 

Option

Description

accept

Action accept.

deny

Action deny.

redirect

Action redirect.

status

Enable/disable the active status of the policy.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

schedule

Name of schedule object.

string

Maximum length: 35

logtraffic

Enable/disable logging traffic through the policy.

option

-

 

Option

Description

all

Log all sessions.

utm

UTM event and matched application traffic log.

disable

Disable traffic and application log.

session-ttl

TTL in seconds for sessions accepted by this policy .

integer

Minimum value: 300 Maximum value: 2764800

srcaddr6 <name>

IPv6 source address objects.

Address name.

string

Maximum length: 79

dstaddr6 <name>

IPv6 destination address objects.

Address name.

string

Maximum length: 79

groups <name>

Names of group objects.

Group name.

string

Maximum length: 79

users <name>

Names of user objects.

Group name.

string

Maximum length: 79

http-tunnel-auth

Enable/disable HTTP tunnel authentication.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

ssh-policy-redirect

Redirect SSH traffic to matching transparent proxy policy.

option

-

 

Option

Description

enable

Enable SSH policy redirect.

disable

Disable SSH policy redirect.

webproxy-forward-server

Web proxy forward server name.

string

Maximum length: 63

webproxy-profile

Name of web proxy profile.

string

Maximum length: 63

transparent

Enable to use the IP address of the client to connect to the server.

option

-

 

Option

Description

enable

Enable use of IP address of client to connect to server.

disable

Disable use of IP address of client to connect to server.

disclaimer

Web proxy disclaimer setting: by domain, policy, or user.

option

-

 

Option

Description

disable

Disable disclaimer.

domain

Display disclaimer for domain

policy

Display disclaimer for policy

user

Display disclaimer for current user

utm-status

Enable the use of UTM profiles/sensors/lists.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

profile-type

Determine whether the firewall policy allows security profile groups or single profiles only.

option

-

 

Option

Description

single

Do not allow security profile groups.

group

Allow security profile groups.

profile-group

Name of profile group.

string

Maximum length: 35

profile-protocol-options

Name of an existing Protocol options profile.

string

Maximum length: 35

ssl-ssh-profile

Name of an existing SSL SSH profile.

string

Maximum length: 35

av-profile

Name of an existing Antivirus profile.

string

Maximum length: 35

webfilter-profile

Name of an existing Web filter profile.

string

Maximum length: 35

emailfilter-profile

Name of an existing email filter profile.

string

Maximum length: 35

dlp-sensor

Name of an existing DLP sensor.

string

Maximum length: 35

ips-sensor

Name of an existing IPS sensor.

string

Maximum length: 35

application-list

Name of an existing Application list.

string

Maximum length: 35

icap-profile

Name of an existing ICAP profile.

string

Maximum length: 35

cifs-profile

Name of an existing CIFS profile.

string

Maximum length: 35

waf-profile

Name of an existing Web application firewall profile.

string

Maximum length: 35

ssh-filter-profile

Name of an existing SSH filter profile.

string

Maximum length: 35

replacemsg-override-group

Authentication replacement message override group.

string

Maximum length: 35

logtraffic-start

Enable/disable policy log traffic start.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

comments

Optional comments.

var-string

Maximum length: 1023

redirect-url

Redirect URL for further explicit web proxy processing.

var-string

Maximum length: 1023