
CLI Reference

web-proxy explicit

Configure explicit Web proxy settings.

  config web-proxy explicit
      Description: Configure explicit Web proxy settings.
      set status [enable|disable]
      set ftp-over-http [enable|disable]
      set socks [enable|disable]
      set http-incoming-port {user}
      set https-incoming-port {user}
      set ftp-incoming-port {user}
      set socks-incoming-port {user}
      set incoming-ip {ipv4-address-any}
      set outgoing-ip {ipv4-address-any}
      set ipv6-status [enable|disable]
      set incoming-ip6 {ipv6-address}
      set outgoing-ip6 {ipv6-address}
      set strict-guest [enable|disable]
      set pref-dns-result [ipv4|ipv6]
      set unknown-http-version [reject|tunnel|...]
      set realm {string}
      set sec-default-action [accept|deny]
      set https-replacement-message [enable|disable]
      set message-upon-server-error [enable|disable]
      set pac-file-server-status [enable|disable]
      set pac-file-url {user}
      set pac-file-server-port {user}
      set pac-file-name {string}
      set pac-file-data {user}
      config pac-policy
          Description: PAC policies.
          edit <policyid>
              set status [enable|disable]
              set srcaddr <name1>, <name2>, ...
              set srcaddr6 <name1>, <name2>, ...
              set dstaddr <name1>, <name2>, ...
              set pac-file-name {string}
              set pac-file-data {user}
              set comments {var-string}
          next
      end
      set ssl-algorithm [high|medium|...]
      set trace-auth-no-rsp [enable|disable]
  end

config web-proxy explicit

| Parameter Name | Description | Type | Size |
|---|---|---|---|
| status | Enable/disable the explicit Web proxy for HTTP and HTTPS sessions. enable: Enable the explicit web proxy. disable: Disable the explicit web proxy. | option | - |
| ftp-over-http | Enable to proxy FTP-over-HTTP sessions sent from a web browser. enable: Enable FTP-over-HTTP sessions. disable: Disable FTP-over-HTTP sessions. | option | - |
| socks | Enable/disable the SOCKS proxy. enable: Enable the SOCKS proxy. disable: Disable the SOCKS proxy. | option | - |
| http-incoming-port | Accept incoming HTTP requests on one or more ports (0 - 65535, default = 8080). | user | Not Specified |
| https-incoming-port | Accept incoming HTTPS requests on one or more ports (0 - 65535, default = 0, use the same as HTTP). | user | Not Specified |
| ftp-incoming-port | Accept incoming FTP-over-HTTP requests on one or more ports (0 - 65535, default = 0; use the same as HTTP). | user | Not Specified |
| socks-incoming-port | Accept incoming SOCKS proxy requests on one or more ports (0 - 65535, default = 0; use the same as HTTP). | user | Not Specified |
| incoming-ip | Restrict the explicit HTTP proxy to only accept sessions from this IP address. An interface must have this IP address. | ipv4-address-any | Not Specified |
| outgoing-ip | Outgoing HTTP requests will have this IP address as their source address. An interface must have this IP address. | ipv4-address-any | Not Specified |
| ipv6-status | Enable/disable allowing an IPv6 web proxy destination in policies and all IPv6 related entries in this command. enable: Enable allowing an IPv6 web proxy destination. disable: Disable allowing an IPv6 web proxy destination. | option | - |
| incoming-ip6 | Restrict the explicit web proxy to only accept sessions from this IPv6 address. An interface must have this IPv6 address. | ipv6-address | Not Specified |
| outgoing-ip6 | Outgoing HTTP requests will leave from this IPv6 address. Multiple interfaces can be specified. Interfaces must have these IPv6 addresses. | ipv6-address | Not Specified |
| strict-guest | Enable/disable strict guest user checking by the explicit web proxy. enable: Enable strict guest user checking. disable: Disable strict guest user checking. | option | - |
| pref-dns-result | Prefer resolving addresses using the configured IPv4 or IPv6 DNS server (default = ipv4). ipv4: Prefer the IPv4 DNS server. ipv6: Prefer the IPv6 DNS server. | option | - |
| unknown-http-version | How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1. reject: Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1. tunnel: Pass HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying HTTP protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied. best-effort: Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, it may not parse correctly and the connection may be lost. | option | - |
| realm | Authentication realm used to identify the explicit web proxy (maximum of 63 characters). | string | Maximum length: 63 |
| sec-default-action | Accept or deny explicit web proxy sessions when no web proxy firewall policy exists. accept: Accept requests. All explicit web proxy traffic is accepted whether there is an explicit web proxy policy or not. deny: Deny requests unless there is a matching explicit web proxy policy. | option | - |
| https-replacement-message | Enable/disable sending the client a replacement message for HTTPS requests. enable: Display a replacement message for HTTPS requests. disable: Do not display a replacement message for HTTPS requests. | option | - |
| message-upon-server-error | Enable/disable displaying a replacement message when a server error is detected. enable: Display a replacement message when a server error is detected. disable: Do not display a replacement message when a server error is detected. | option | - |
| pac-file-server-status | Enable/disable Proxy Auto-Configuration (PAC) for users of this explicit proxy profile. enable: Enable Proxy Auto-Configuration (PAC). disable: Disable Proxy Auto-Configuration (PAC). | option | - |
| pac-file-url | PAC file access URL. | user | Not Specified |
| pac-file-server-port | Port number that PAC traffic from client web browsers uses to connect to the explicit web proxy (0 - 65535, default = 0; use the same as HTTP). | user | Not Specified |
| pac-file-name | PAC file name. | string | Maximum length: 63 |
| pac-file-data | PAC file contents enclosed in quotes (maximum of 256K bytes). | user | Not Specified |
| ssl-algorithm | Relative strength of encryption algorithms accepted in HTTPS deep scan: high, medium, or low. high: High encryption. Allow only AES and ChaCha. medium: Medium encryption. Allow AES, ChaCha, 3DES, and RC4. low: Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES. | option | - |
| trace-auth-no-rsp | Enable/disable logging timed-out authentication requests. enable: Enable logging timed-out authentication requests. disable: Disable logging timed-out authentication requests. | option | - |

config pac-policy

| Parameter Name | Description | Type | Size |
|---|---|---|---|
| status | Enable/disable policy. enable: Enable policy. disable: Disable policy. | option | - |
| srcaddr <name> | Source address objects. Address name. | string | Maximum length: 79 |
| srcaddr6 <name> | Source address6 objects. Address name. | string | Maximum length: 79 |
| dstaddr <name> | Destination address objects. Address name. | string | Maximum length: 79 |
| pac-file-name | PAC file name. | string | Maximum length: 63 |
| pac-file-data | PAC file contents enclosed in quotes (maximum of 256K bytes). | user | Not Specified |
| comments | Optional comments. | var-string | Maximum length: 1023 |
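
The following is an added example, not part of Fortinet's reference: a Python check that reads a saved `config web-proxy explicit` block and reports the values the tables above describe as permissive (sec-default-action accept, ssl-algorithm medium or low, unknown-http-version tunnel or best-effort), while ignoring same-named settings inside the nested pac-policy table. The sample configuration is constructed, the function names are hypothetical, and the parser assumes each quoted value fits on one line.

```python
import shlex

# Permissive values, with the consequence as this page describes it.
WEAK = {
    "sec-default-action": {"accept": "traffic accepted even with no matching proxy policy"},
    "ssl-algorithm": {"medium": "3DES and RC4 allowed in HTTPS deep scan",
                      "low": "3DES, RC4 and DES allowed in HTTPS deep scan"},
    "unknown-http-version": {"tunnel": "non-compliant HTTP sessions passed through",
                             "best-effort": "non-compliant HTTP sessions assumed compliant"},
}

# Constructed sample in the shape of a saved configuration; not from a real device.
SAMPLE = """\
config web-proxy explicit
    set status enable
    set realm "corp proxy"
    set sec-default-action accept
    config pac-policy
        edit 1
            set status disable
        next
    end
    set ssl-algorithm medium
end
"""

def top_level_settings(text):
    """Collect 'set' lines directly under 'config web-proxy explicit'."""
    settings, depth = {}, 0
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw)
        except ValueError:           # unbalanced quote, e.g. multi-line pac-file-data
            tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config" and (depth or tok[1:] == ["web-proxy", "explicit"]):
            depth += 1               # depth 2+ is a nested table such as pac-policy
        elif depth and tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "set" and len(tok) >= 3:
            settings[tok[1]] = " ".join(tok[2:])
    return settings

def audit(text):
    """Return (findings, unset): weak explicit values, and audited keys not in the dump."""
    s = top_level_settings(text)
    findings = [(k, s[k], WEAK[k][s[k]]) for k in WEAK if s.get(k) in WEAK[k]]
    return findings, [k for k in WEAK if k not in s]
```

Keys returned in the second list are absent from the dump, so the device default applies to them; this page does not state those defaults, so confirm them on the device.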
