Transparent web proxy forwarding

In FortiOS, there is an option to enable proxy forwarding for transparent web proxy policies and regular firewall policies for HTTP and HTTPS.

In previous versions of FortiOS, you could forward proxy traffic to another proxy server (proxy chaining) with explicit proxy. Now, you can forward web traffic to the upstream proxy without having to reconfigure your browsers or publish a proxy auto-configuration (PAC) file.

Once configured, the FortiGate forwards traffic generated by a client to the upstream proxy. The upstream proxy then forwards it to the server.

To configure proxy forwarding:
  1. Configure the web proxy forwarding server:
    config web-proxy forward-server
        edit "upStream_proxy_1"
            set ip
            set healthcheck enable
            set monitor ""
        next
    end
  2. Append the web proxy forwarding server to a firewall policy:
    config firewall policy
        edit 1
            set name "LAN To WAN"
            set srcintf "port10"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set logtraffic all
            set webproxy-forward-server "upStream_proxy_1"
            set fsso disable
            set av-profile "av"
            set ssl-ssh-profile "deep-custom"
            set nat enable
        next
    end
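
A pre-deployment check for the two steps above, as an added example that is not Fortinet code: it parses a FortiOS-style config and reports policies whose webproxy-forward-server is undefined, has no ip, or has no active health check. The sample config, its 192.0.2.x addresses and the monitor URL are constructed, the function names are hypothetical, and the parser assumes flat config/edit blocks with single-line values.

```python
import shlex

# Constructed sample in FortiOS CLI syntax; addresses and the monitor URL are placeholders.
SAMPLE_CONFIG = """config web-proxy forward-server
    edit "upStream_proxy_1"
        set ip 192.0.2.10
        set healthcheck enable
        set monitor "http://monitor.example.test"
    next
    edit "upStream_proxy_2"
        set ip 192.0.2.11
    next
end
config firewall policy
    edit 1
        set webproxy-forward-server "upStream_proxy_1"
    next
    edit 2
        set webproxy-forward-server "upStream_proxy_2"
    next
end"""

def parse_fortios(text):
    """Parse flat config/edit/set blocks into {table: {entry: {setting: value}}}."""
    tables, table, entry = {}, None, None
    for words in filter(None, map(shlex.split, text.splitlines())):
        if words[0] in ("next", "end"):
            entry = None
        elif words[0] == "config":
            table, entry = tables.setdefault(" ".join(words[1:]), {}), None
        elif words[0] == "edit" and table is not None:
            entry = table.setdefault(words[1], {})
        elif words[0] == "set" and entry is not None:
            entry[words[1]] = " ".join(words[2:])  # "set ip" with no value becomes ""
    return tables

def audit_forwarding(text):
    """Return (policy id, issue) for each policy whose forward server is unusable."""
    tables = parse_fortios(text)
    servers = tables.get("web-proxy forward-server", {})
    findings = []
    for pid, policy in tables.get("firewall policy", {}).items():
        name = policy.get("webproxy-forward-server")
        if name and name not in servers:
            findings.append((pid, "forward server is not defined"))
        elif name and not servers[name].get("ip"):
            findings.append((pid, "forward server has no ip"))
        elif name and (servers[name].get("healthcheck") != "enable"
                       or not servers[name].get("monitor")):
            findings.append((pid, "health check is not active"))
    return findings
```

Policies without a webproxy-forward-server setting are skipped, so the output lists only forwarding policies that need attention.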

Selectively forward web requests to a transparent web proxy

Web traffic over HTTP/HTTPS can be forwarded selectively by the FortiGate's transparent web proxy to an upstream web proxy to avoid overwhelming the proxy server. Traffic can be selected by specifying the proxy address, which can be based on a FortiGuard URL category.