CLI Reference

config firewall proxy-policy

Configure proxy policies.

config firewall proxy-policy
    Description: Configure proxy policies.
    edit <policyid>
        set access-proxy <name1>, <name2>, ...
        set access-proxy6 <name1>, <name2>, ...
        set action [accept|deny|...]
        set application-list {string}
        set av-profile {string}
        set block-notification [enable|disable]
        set comments {var-string}
        set decrypted-traffic-mirror {string}
        set device-ownership [enable|disable]
        set disclaimer [disable|domain|...]
        set dlp-sensor {string}
        set dstaddr <name1>, <name2>, ...
        set dstaddr-negate [enable|disable]
        set dstaddr6 <name1>, <name2>, ...
        set dstintf <name1>, <name2>, ...
        set emailfilter-profile {string}
        set file-filter-profile {string}
        set groups <name1>, <name2>, ...
        set http-tunnel-auth [enable|disable]
        set icap-profile {string}
        set internet-service [enable|disable]
        set internet-service-custom <name1>, <name2>, ...
        set internet-service-custom-group <name1>, <name2>, ...
        set internet-service-group <name1>, <name2>, ...
        set internet-service-name <name1>, <name2>, ...
        set internet-service-negate [enable|disable]
        set ips-sensor {string}
        set logtraffic [all|utm|...]
        set logtraffic-start [enable|disable]
        set name {string}
        set poolname <name1>, <name2>, ...
        set profile-group {string}
        set profile-protocol-options {string}
        set profile-type [single|group]
        set proxy [explicit-web|transparent-web|...]
        set redirect-url {var-string}
        set replacemsg-override-group {string}
        set schedule {string}
        set service <name1>, <name2>, ...
        set service-negate [enable|disable]
        set session-ttl {integer}
        set srcaddr <name1>, <name2>, ...
        set srcaddr-negate [enable|disable]
        set srcaddr6 <name1>, <name2>, ...
        set srcintf <name1>, <name2>, ...
        set ssh-filter-profile {string}
        set ssh-policy-redirect [enable|disable]
        set ssl-ssh-profile {string}
        set status [enable|disable]
        set transparent [enable|disable]
        set users <name1>, <name2>, ...
        set utm-status [enable|disable]
        set uuid {uuid}
        set videofilter-profile {string}
        set waf-profile {string}
        set webcache [enable|disable]
        set webcache-https [disable|enable]
        set webfilter-profile {string}
        set webproxy-forward-server {string}
        set webproxy-profile {string}
        set ztna-ems-tag <name1>, <name2>, ...
        set ztna-tags-match-logic [or|and]
    next
end

config firewall proxy-policy

access-proxy <name>
    IPv4 access proxy. Access Proxy name.
    Type: string. Size: Maximum length: 79.

access-proxy6 <name>
    IPv6 access proxy. Access proxy name.
    Type: string. Size: Maximum length: 79.

action
    Accept or deny traffic matching the policy parameters.
    Type: option. Default: deny.
    Options:
        accept: Action accept.
        deny: Action deny.
        redirect: Action redirect.

application-list
    Name of an existing Application list.
    Type: string. Size: Maximum length: 35.

av-profile
    Name of an existing Antivirus profile.
    Type: string. Size: Maximum length: 35.

block-notification
    Enable/disable block notification.
    Type: option. Default: disable.
    Options:
        enable: Enable setting.
        disable: Disable setting.

comments
    Optional comments.
    Type: var-string. Size: Maximum length: 1023.

decrypted-traffic-mirror
    Decrypted traffic mirror.
    Type: string. Size: Maximum length: 35.

device-ownership
    When enabled, the ownership enforcement will be done at policy level.
    Type: option. Default: disable.
    Options:
        enable: Enable device ownership.
        disable: Disable device ownership.

disclaimer
    Web proxy disclaimer setting: by domain, policy, or user.
    Type: option. Default: disable.
    Options:
        disable: Disable disclaimer.
        domain: Display disclaimer for domain.
        policy: Display disclaimer for policy.
        user: Display disclaimer for current user.

dlp-sensor
    Name of an existing DLP sensor.
    Type: string. Size: Maximum length: 35.

dstaddr <name>
    Destination address objects. Address name.
    Type: string. Size: Maximum length: 79.

dstaddr-negate
    When enabled, destination addresses match against any address EXCEPT the specified destination addresses.
    Type: option. Default: disable.
    Options:
        enable: Enable destination address negate.
        disable: Disable destination address negate.

dstaddr6 <name>
    IPv6 destination address objects. Address name.
    Type: string. Size: Maximum length: 79.

dstintf <name>
    Destination interface names. Interface name.
    Type: string. Size: Maximum length: 79.

emailfilter-profile
    Name of an existing email filter profile.
    Type: string. Size: Maximum length: 35.

file-filter-profile
    Name of an existing file-filter profile.
    Type: string. Size: Maximum length: 35.

groups <name>
    Names of group objects. Group name.
    Type: string. Size: Maximum length: 79.

http-tunnel-auth
    Enable/disable HTTP tunnel authentication.
    Type: option. Default: disable.
    Options:
        enable: Enable setting.
        disable: Disable setting.

icap-profile
    Name of an existing ICAP profile.
    Type: string. Size: Maximum length: 35.

internet-service
    Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
    Type: option. Default: disable.
    Options:
        enable: Enable use of Internet Services in policy.
        disable: Disable use of Internet Services in policy.

internet-service-custom <name>
    Custom Internet Service name.
    Type: string. Size: Maximum length: 79.

internet-service-custom-group <name>
    Custom Internet Service group name.
    Type: string. Size: Maximum length: 79.

internet-service-group <name>
    Internet Service group name.
    Type: string. Size: Maximum length: 79.

internet-service-name <name>
    Internet Service name.
    Type: string. Size: Maximum length: 79.

internet-service-negate
    When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service.
    Type: option. Default: disable.
    Options:
        enable: Enable negated Internet Service match.
        disable: Disable negated Internet Service match.

ips-sensor
    Name of an existing IPS sensor.
    Type: string. Size: Maximum length: 35.

logtraffic
    Enable/disable logging traffic through the policy.
    Type: option. Default: utm.
    Options:
        all: Log all sessions.
        utm: UTM event and matched application traffic log.
        disable: Disable traffic and application log.

logtraffic-start
    Enable/disable policy log traffic start.
    Type: option. Default: disable.
    Options:
        enable: Enable setting.
        disable: Disable setting.

name
    Policy name.
    Type: string. Size: Maximum length: 35.

policyid
    Policy ID.
    Type: integer. Size: Minimum value: 0, Maximum value: 4294967295. Default: 0.

poolname <name>
    Name of IP pool object. IP pool name.
    Type: string. Size: Maximum length: 79.

profile-group
    Name of profile group.
    Type: string. Size: Maximum length: 35.

profile-protocol-options
    Name of an existing Protocol options profile.
    Type: string. Size: Maximum length: 35. Default: default.

profile-type
    Determine whether the firewall policy allows security profile groups or single profiles only.
    Type: option. Default: single.
    Options:
        single: Do not allow security profile groups.
        group: Allow security profile groups.

proxy
    Type of explicit proxy.
    Type: option.
    Options:
        explicit-web: Explicit Web Proxy.
        transparent-web: Transparent Web Proxy.
        ftp: Explicit FTP Proxy.
        ssh: SSH Proxy.
        ssh-tunnel: SSH Tunnel.
        access-proxy: Access Proxy.
        wanopt: WANopt Tunnel.

redirect-url
    Redirect URL for further explicit web proxy processing.
    Type: var-string. Size: Maximum length: 1023.

replacemsg-override-group
    Authentication replacement message override group.
    Type: string. Size: Maximum length: 35.

schedule
    Name of schedule object.
    Type: string. Size: Maximum length: 35.

service <name>
    Name of service objects. Service name.
    Type: string. Size: Maximum length: 79.

service-negate
    When enabled, services match against any service EXCEPT the specified destination services.
    Type: option. Default: disable.
    Options:
        enable: Enable negated service match.
        disable: Disable negated service match.

session-ttl
    TTL in seconds for sessions accepted by this policy.
    Type: integer. Size: Minimum value: 300, Maximum value: 2764800. Default: 0.

srcaddr <name>
    Source address objects. Address name.
    Type: string. Size: Maximum length: 79.

srcaddr-negate
    When enabled, source addresses match against any address EXCEPT the specified source addresses.
    Type: option. Default: disable.
    Options:
        enable: Enable source address negate.
        disable: Disable source address negate.

srcaddr6 <name>
    IPv6 source address objects. Address name.
    Type: string. Size: Maximum length: 79.

srcintf <name>
    Source interface names. Interface name.
    Type: string. Size: Maximum length: 79.

ssh-filter-profile
    Name of an existing SSH filter profile.
    Type: string. Size: Maximum length: 35.

ssh-policy-redirect
    Redirect SSH traffic to matching transparent proxy policy.
    Type: option. Default: disable.
    Options:
        enable: Enable SSH policy redirect.
        disable: Disable SSH policy redirect.

ssl-ssh-profile
    Name of an existing SSL SSH profile.
    Type: string. Size: Maximum length: 35. Default: no-inspection.

status
    Enable/disable the active status of the policy.
    Type: option. Default: enable.
    Options:
        enable: Enable setting.
        disable: Disable setting.

transparent
    Enable to use the IP address of the client to connect to the server.
    Type: option. Default: disable.
    Options:
        enable: Enable use of IP address of client to connect to server.
        disable: Disable use of IP address of client to connect to server.

users <name>
    Names of user objects. User name.
    Type: string. Size: Maximum length: 79.

utm-status
    Enable the use of UTM profiles/sensors/lists.
    Type: option. Default: disable.
    Options:
        enable: Enable setting.
        disable: Disable setting.

uuid
    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
    Type: uuid. Size: Not Specified. Default: 00000000-0000-0000-0000-000000000000.

videofilter-profile
    Name of an existing VideoFilter profile.
    Type: string. Size: Maximum length: 35.

waf-profile
    Name of an existing Web application firewall profile.
    Type: string. Size: Maximum length: 35.

webcache *
    Enable/disable web caching.
    Type: option. Default: disable.
    Options:
        enable: Enable setting.
        disable: Disable setting.

webcache-https *
    Enable/disable web caching for HTTPS (requires deep-inspection enabled in ssl-ssh-profile).
    Type: option. Default: disable.
    Options:
        disable: Disable web cache for HTTPS.
        enable: Enable web cache for HTTPS.

webfilter-profile
    Name of an existing Web filter profile.
    Type: string. Size: Maximum length: 35.

webproxy-forward-server
    Web proxy forward server name.
    Type: string. Size: Maximum length: 63.

webproxy-profile
    Name of web proxy profile.
    Type: string. Size: Maximum length: 63.

ztna-ems-tag <name>
    ZTNA EMS Tag names. EMS Tag name.
    Type: string. Size: Maximum length: 79.

ztna-tags-match-logic
    ZTNA tag matching logic.
    Type: option. Default: or.
    Options:
        or: Match ZTNA tags using a logical OR operator.
        and: Match ZTNA tags using a logical AND operator.

* This parameter may not exist in some models.
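Several parameters in this table interact in ways that are easy to misread when reviewing a configuration: the defaults (action deny, logtraffic utm, utm-status disable, ssl-ssh-profile no-inspection) apply silently to any key that is not set, dstaddr-negate turns an address list into its complement (so "all" negated matches nothing), and internet-service enable causes dstaddr and service to be ignored. The following Python script is an added example, not Fortinet code: it parses a proxy-policy block in the CLI layout shown above (edit/set/next/end), fills in the defaults from this table, and runs a short configuration-review checklist over each accepted policy. The sample configuration and the service name "ISDB-Example-Service" are constructed for the example; the review rules are the example's own, derived from the parameter descriptions, not FortiOS behaviour.

```python
"""Parse a FortiOS 'config firewall proxy-policy' block and review it.

Added example, not Fortinet code. Defaults come from the reference table;
the review rules are this example's own checklist. SAMPLE is constructed.
"""
import shlex

SAMPLE = """\
config firewall proxy-policy
    edit 1
        set name "corp-web"
        set proxy explicit-web
        set srcaddr "corp-lan"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set logtraffic all
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
    next
    edit 2
        set name "guest-web"
        set srcaddr "all"
        set dstaddr "all"
        set dstaddr-negate enable
        set service "webproxy"
        set action accept
        set logtraffic disable
        set utm-status disable
    next
    edit 3
        set name "saas"
        set srcaddr "corp-lan"
        set dstaddr "all"
        set internet-service enable
        set internet-service-name "ISDB-Example-Service"
        set action accept
    next
end
"""

# Defaults from the reference table, applied when a key is not set.
DEFAULTS = {
    "action": "deny", "status": "enable", "logtraffic": "utm",
    "utm-status": "disable", "internet-service": "disable",
    "srcaddr-negate": "disable", "dstaddr-negate": "disable",
    "service-negate": "disable", "ssl-ssh-profile": "no-inspection",
}
# Keys the CLI summary shows as <name1>, <name2>, ... lists.
MULTI = {"srcaddr", "dstaddr", "srcaddr6", "dstaddr6", "srcintf", "dstintf",
         "service", "users", "groups", "poolname", "ztna-ems-tag",
         "internet-service-name", "internet-service-group",
         "internet-service-custom", "internet-service-custom-group",
         "access-proxy", "access-proxy6"}


def parse_proxy_policies(text):
    """Return {policyid: {key: value}}; MULTI keys hold lists of names."""
    policies, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles FortiOS double-quoted names
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) == 2 and tokens[1].isdigit():
            current = dict(DEFAULTS)
            policies[int(tokens[1])] = current
        elif tokens[0] == "set" and current is not None and len(tokens) >= 3:
            key, values = tokens[1], tokens[2:]
            current[key] = values if key in MULTI else " ".join(values)
        elif tokens[0] == "next":
            current = None
    return policies


def audit_policy(policy):
    """Review checks for one parsed policy; returns a list of findings."""
    findings = []
    if policy["status"] != "enable" or policy["action"] != "accept":
        return findings  # disabled or deny policies let nothing through
    if policy["logtraffic"] == "disable":
        findings.append("logtraffic disable: accepted sessions leave no log")
    if policy["utm-status"] == "disable":
        findings.append("utm-status disable: no security profile is applied")
    if policy["dstaddr-negate"] == "enable" and policy.get("dstaddr") == ["all"]:
        # "any address EXCEPT all" matches nothing: the policy is dead.
        findings.append("dstaddr-negate enable with dstaddr all: matches no destination")
    if policy["internet-service"] == "enable":
        # Per the table, dstaddr and service are not used once this is enabled.
        findings.append("internet-service enable: dstaddr and service are not evaluated")
    return findings


def audit(text):
    """Map each policyid in the block to its findings (empty list = clean)."""
    return {pid: audit_policy(p) for pid, p in parse_proxy_policies(text).items()}


if __name__ == "__main__":
    for pid, found in audit(SAMPLE).items():
        print(f"policy {pid}: " + ("; ".join(found) or "no findings"))
```

Run against the sample, policy 1 is clean, policy 2 produces three findings (no logging, no UTM, and a negated "all" destination that can never match), and policy 3 shows how an unset utm-status falls back to the table default of disable while the ISDB match makes its dstaddr and service lines inert. The same parser can be pointed at a `show firewall proxy-policy` dump to review a live box offline.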
