In FortiOS, there is an option to enable proxy forwarding for transparent web proxy policies and regular firewall policies for HTTP and HTTPS.
In previous versions of FortiOS, you could forward proxy traffic to another proxy server (proxy chaining) only with explicit proxy. Now, you can forward web traffic to the upstream proxy without having to reconfigure your browsers or publish a proxy auto-configuration (PAC) file.
Once configured, the FortiGate forwards traffic generated by a client to the upstream proxy. The upstream proxy then forwards it to the server.
- Configure the web proxy forwarding server:
        config web-proxy forward-server
            edit "upStream_proxy_1"
                set ip 172.16.200.20
                set healthcheck enable
                set monitor "http://www.google.ca"
            next
        end
- Append the web proxy forwarding server to a firewall policy:
        config firewall policy
            edit 1
                set name "LAN To WAN"
                set srcintf "port10"
                set dstintf "port9"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set utm-status enable
                set logtraffic all
                set webproxy-forward-server "upStream_proxy_1"
                set fsso disable
                set av-profile "av"
                set ssl-ssh-profile "deep-custom"
                set nat enable
            next
        end
Web traffic over HTTP/HTTPS can be forwarded selectively by the FortiGate's transparent web proxy to an upstream web proxy to avoid overwhelming the proxy server. Traffic can be selected by specifying the proxy address, which can be based on a FortiGuard URL category.
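
A sketch of the selective forwarding described above, added here as an example and not taken from the original page. It reuses the interfaces, profiles and forward server from the steps above; the address name "category_infotech", the category ID 52 and the proxy policy ID are assumptions to replace with your own values.

```fortios
# Added example. "category_infotech" and category ID 52 are assumed values:
# look up the FortiGuard category ID that applies to your deployment.
config firewall proxy-address
    edit "category_infotech"
        set type category
        set host "all"
        set category 52
    next
end

# Transparent web proxy policy: only requests whose URL falls in the
# category above are sent to the upstream proxy. AV and deep inspection
# are still applied on the FortiGate before the request is forwarded.
config firewall proxy-policy
    edit 1
        set proxy transparent-web
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "category_infotech"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set webproxy-forward-server "upStream_proxy_1"
        set utm-status enable
        set ssl-ssh-profile "deep-custom"
        set av-profile "av"
    next
end
```

For transparent proxy policies to be evaluated, the firewall policy that carries the traffic must redirect HTTP and HTTPS to the transparent web proxy (`set http-policy-redirect enable`).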