Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

config firewall proxy-policy

Configure proxy policies.

config firewall proxy-policy

Description: Configure proxy policies.

edit <policyid>

set uuid {uuid}

set name {string}

set proxy [explicit-web|transparent-web|...]

set access-proxy <name1>, <name2>, ...

set access-proxy6 <name1>, <name2>, ...

set srcintf <name1>, <name2>, ...

set dstintf <name1>, <name2>, ...

set srcaddr <name1>, <name2>, ...

set poolname <name1>, <name2>, ...

set dstaddr <name1>, <name2>, ...

set ztna-ems-tag <name1>, <name2>, ...

set ztna-tags-match-logic [or|and]

set device-ownership [enable|disable]

set internet-service [enable|disable]

set internet-service-negate [enable|disable]

set internet-service-name <name1>, <name2>, ...

set internet-service-group <name1>, <name2>, ...

set internet-service-custom <name1>, <name2>, ...

set internet-service-custom-group <name1>, <name2>, ...

set service <name1>, <name2>, ...

set srcaddr-negate [enable|disable]

set dstaddr-negate [enable|disable]

set service-negate [enable|disable]

set action [accept|deny|...]

set status [enable|disable]

set schedule {string}

set logtraffic [all|utm|...]

set session-ttl {integer}

set srcaddr6 <name1>, <name2>, ...

set dstaddr6 <name1>, <name2>, ...

set groups <name1>, <name2>, ...

set users <name1>, <name2>, ...

set http-tunnel-auth [enable|disable]

set ssh-policy-redirect [enable|disable]

set webproxy-forward-server {string}

set webproxy-profile {string}

set transparent [enable|disable]

set disclaimer [disable|domain|...]

set utm-status [enable|disable]

set profile-type [single|group]

set profile-group {string}

set profile-protocol-options {string}

set ssl-ssh-profile {string}

set av-profile {string}

set webfilter-profile {string}

set emailfilter-profile {string}

set dlp-sensor {string}

set file-filter-profile {string}

set ips-sensor {string}

set application-list {string}

set voip-profile {string}

set sctp-filter-profile {string}

set icap-profile {string}

set cifs-profile {string}

set videofilter-profile {string}

set waf-profile {string}

set ssh-filter-profile {string}

set replacemsg-override-group {string}

set logtraffic-start [enable|disable]

set comments {var-string}

set redirect-url {var-string}

set decrypted-traffic-mirror {string}

next

end

config firewall proxy-policy

Parameter

Description

Type

Size

Default

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

00000000-0000-0000-0000-000000000000

name

Policy name.

string

Maximum length: 35

proxy

Type of explicit proxy.

option

-

 

Option

Description

explicit-web

Explicit Web Proxy

transparent-web

Transparent Web Proxy

ftp

Explicit FTP Proxy

ssh

SSH Proxy

ssh-tunnel

SSH Tunnel

access-proxy

Access Proxy

access-proxy <name>

IPv4 access proxy.

Access Proxy name.

string

Maximum length: 79

access-proxy6 <name>

IPv6 access proxy.

Access proxy name.

string

Maximum length: 79

srcintf <name>

Source interface names.

Interface name.

string

Maximum length: 79

dstintf <name>

Destination interface names.

Interface name.

string

Maximum length: 79

srcaddr <name>

Source address objects.

Address name.

string

Maximum length: 79

poolname <name>

Name of IP pool object.

IP pool name.

string

Maximum length: 79

dstaddr <name>

Destination address objects.

Address name.

string

Maximum length: 79

ztna-ems-tag <name>

ZTNA EMS Tag names.

EMS Tag name.

string

Maximum length: 79

ztna-tags-match-logic

ZTNA tag matching logic.

option

-

or

 

Option

Description

or

Match ZTNA tags using a logical OR operator.

and

Match ZTNA tags using a logical AND operator.

device-ownership

When enabled, the ownership enforcement will be done at policy level.

option

-

disable

 

Option

Description

enable

Enable device ownership.

disable

Disable device ownership.

internet-service

Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.

option

-

disable

 

Option

Description

enable

Enable use of Internet Services in policy.

disable

Disable use of Internet Services in policy.

internet-service-negate

When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service.

option

-

disable

 

Option

Description

enable

Enable negated Internet Service match.

disable

Disable negated Internet Service match.

internet-service-name <name>

Internet Service name.

Internet Service name.

string

Maximum length: 79

internet-service-group <name>

Internet Service group name.

Internet Service group name.

string

Maximum length: 79

internet-service-custom <name>

Custom Internet Service name.

Custom Internet Service name.

string

Maximum length: 79

internet-service-custom-group <name>

Custom Internet Service group name.

Custom Internet Service group name.

string

Maximum length: 79

service <name>

Name of service objects.

Service name.

string

Maximum length: 79

srcaddr-negate

When enabled, source addresses match against any address EXCEPT the specified source addresses.

option

-

disable

 

Option

Description

enable

Enable source address negate.

disable

Disable destination address negate.

dstaddr-negate

When enabled, destination addresses match against any address EXCEPT the specified destination addresses.

option

-

disable

 

Option

Description

enable

Enable source address negate.

disable

Disable destination address negate.

service-negate

When enabled, services match against any service EXCEPT the specified destination services.

option

-

disable

 

Option

Description

enable

Enable negated service match.

disable

Disable negated service match.

action

Accept or deny traffic matching the policy parameters.

option

-

deny

 

Option

Description

accept

Action accept.

deny

Action deny.

redirect

Action redirect.

status

Enable/disable the active status of the policy.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

schedule

Name of schedule object.

string

Maximum length: 35

logtraffic

Enable/disable logging traffic through the policy.

option

-

utm

 

Option

Description

all

Log all sessions.

utm

UTM event and matched application traffic log.

disable

Disable traffic and application log.

session-ttl

TTL in seconds for sessions accepted by this policy .

integer

Minimum value: 300 Maximum value: 2764800

0

srcaddr6 <name>

IPv6 source address objects.

Address name.

string

Maximum length: 79

dstaddr6 <name>

IPv6 destination address objects.

Address name.

string

Maximum length: 79

groups <name>

Names of group objects.

Group name.

string

Maximum length: 79

users <name>

Names of user objects.

Group name.

string

Maximum length: 79

http-tunnel-auth

Enable/disable HTTP tunnel authentication.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

ssh-policy-redirect

Redirect SSH traffic to matching transparent proxy policy.

option

-

disable

 

Option

Description

enable

Enable SSH policy redirect.

disable

Disable SSH policy redirect.

webproxy-forward-server

Web proxy forward server name.

string

Maximum length: 63

webproxy-profile

Name of web proxy profile.

string

Maximum length: 63

transparent

Enable to use the IP address of the client to connect to the server.

option

-

disable

 

Option

Description

enable

Enable use of IP address of client to connect to server.

disable

Disable use of IP address of client to connect to server.

disclaimer

Web proxy disclaimer setting: by domain, policy, or user.

option

-

disable

 

Option

Description

disable

Disable disclaimer.

domain

Display disclaimer for domain

policy

Display disclaimer for policy

user

Display disclaimer for current user

utm-status

Enable the use of UTM profiles/sensors/lists.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

profile-type

Determine whether the firewall policy allows security profile groups or single profiles only.

option

-

single

 

Option

Description

single

Do not allow security profile groups.

group

Allow security profile groups.

profile-group

Name of profile group.

string

Maximum length: 35

profile-protocol-options

Name of an existing Protocol options profile.

string

Maximum length: 35

default

ssl-ssh-profile

Name of an existing SSL SSH profile.

string

Maximum length: 35

no-inspection

av-profile

Name of an existing Antivirus profile.

string

Maximum length: 35

webfilter-profile

Name of an existing Web filter profile.

string

Maximum length: 35

emailfilter-profile

Name of an existing email filter profile.

string

Maximum length: 35

dlp-sensor

Name of an existing DLP sensor.

string

Maximum length: 35

file-filter-profile

Name of an existing file-filter profile.

string

Maximum length: 35

ips-sensor

Name of an existing IPS sensor.

string

Maximum length: 35

application-list

Name of an existing Application list.

string

Maximum length: 35

voip-profile

Name of an existing VoIP profile.

string

Maximum length: 35

sctp-filter-profile

Name of an existing SCTP filter profile.

string

Maximum length: 35

icap-profile

Name of an existing ICAP profile.

string

Maximum length: 35

cifs-profile

Name of an existing CIFS profile.

string

Maximum length: 35

videofilter-profile

Name of an existing VideoFilter profile.

string

Maximum length: 35

waf-profile

Name of an existing Web application firewall profile.

string

Maximum length: 35

ssh-filter-profile

Name of an existing SSH filter profile.

string

Maximum length: 35

replacemsg-override-group

Authentication replacement message override group.

string

Maximum length: 35

logtraffic-start

Enable/disable policy log traffic start.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

comments

Optional comments.

var-string

Maximum length: 1023

redirect-url

Redirect URL for further explicit web proxy processing.

var-string

Maximum length: 1023

decrypted-traffic-mirror

Decrypted traffic mirror.

string

Maximum length: 35

config firewall proxy-policy

Configure proxy policies.

config firewall proxy-policy

Description: Configure proxy policies.

edit <policyid>

set uuid {uuid}

set name {string}

set proxy [explicit-web|transparent-web|...]

set access-proxy <name1>, <name2>, ...

set access-proxy6 <name1>, <name2>, ...

set srcintf <name1>, <name2>, ...

set dstintf <name1>, <name2>, ...

set srcaddr <name1>, <name2>, ...

set poolname <name1>, <name2>, ...

set dstaddr <name1>, <name2>, ...

set ztna-ems-tag <name1>, <name2>, ...

set ztna-tags-match-logic [or|and]

set device-ownership [enable|disable]

set internet-service [enable|disable]

set internet-service-negate [enable|disable]

set internet-service-name <name1>, <name2>, ...

set internet-service-group <name1>, <name2>, ...

set internet-service-custom <name1>, <name2>, ...

set internet-service-custom-group <name1>, <name2>, ...

set service <name1>, <name2>, ...

set srcaddr-negate [enable|disable]

set dstaddr-negate [enable|disable]

set service-negate [enable|disable]

set action [accept|deny|...]

set status [enable|disable]

set schedule {string}

set logtraffic [all|utm|...]

set session-ttl {integer}

set srcaddr6 <name1>, <name2>, ...

set dstaddr6 <name1>, <name2>, ...

set groups <name1>, <name2>, ...

set users <name1>, <name2>, ...

set http-tunnel-auth [enable|disable]

set ssh-policy-redirect [enable|disable]

set webproxy-forward-server {string}

set webproxy-profile {string}

set transparent [enable|disable]

set disclaimer [disable|domain|...]

set utm-status [enable|disable]

set profile-type [single|group]

set profile-group {string}

set profile-protocol-options {string}

set ssl-ssh-profile {string}

set av-profile {string}

set webfilter-profile {string}

set emailfilter-profile {string}

set dlp-sensor {string}

set file-filter-profile {string}

set ips-sensor {string}

set application-list {string}

set voip-profile {string}

set sctp-filter-profile {string}

set icap-profile {string}

set cifs-profile {string}

set videofilter-profile {string}

set waf-profile {string}

set ssh-filter-profile {string}

set replacemsg-override-group {string}

set logtraffic-start [enable|disable]

set comments {var-string}

set redirect-url {var-string}

set decrypted-traffic-mirror {string}

next

end

config firewall proxy-policy

Parameter

Description

Type

Size

Default

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

00000000-0000-0000-0000-000000000000

name

Policy name.

string

Maximum length: 35

proxy

Type of explicit proxy.

option

-

 

Option

Description

explicit-web

Explicit Web Proxy

transparent-web

Transparent Web Proxy

ftp

Explicit FTP Proxy

ssh

SSH Proxy

ssh-tunnel

SSH Tunnel

access-proxy

Access Proxy

access-proxy <name>

IPv4 access proxy.

Access Proxy name.

string

Maximum length: 79

access-proxy6 <name>

IPv6 access proxy.

Access proxy name.

string

Maximum length: 79

srcintf <name>

Source interface names.

Interface name.

string

Maximum length: 79

dstintf <name>

Destination interface names.

Interface name.

string

Maximum length: 79

srcaddr <name>

Source address objects.

Address name.

string

Maximum length: 79

poolname <name>

Name of IP pool object.

IP pool name.

string

Maximum length: 79

dstaddr <name>

Destination address objects.

Address name.

string

Maximum length: 79

ztna-ems-tag <name>

ZTNA EMS Tag names.

EMS Tag name.

string

Maximum length: 79

ztna-tags-match-logic

ZTNA tag matching logic.

option

-

or

 

Option

Description

or

Match ZTNA tags using a logical OR operator.

and

Match ZTNA tags using a logical AND operator.

device-ownership

When enabled, the ownership enforcement will be done at policy level.

option

-

disable

 

Option

Description

enable

Enable device ownership.

disable

Disable device ownership.

internet-service

Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.

option

-

disable

 

Option

Description

enable

Enable use of Internet Services in policy.

disable

Disable use of Internet Services in policy.

internet-service-negate

When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service.

option

-

disable

 

Option

Description

enable

Enable negated Internet Service match.

disable

Disable negated Internet Service match.

internet-service-name <name>

Internet Service name.

Internet Service name.

string

Maximum length: 79

internet-service-group <name>

Internet Service group name.

Internet Service group name.

string

Maximum length: 79

internet-service-custom <name>

Custom Internet Service name.

Custom Internet Service name.

string

Maximum length: 79

internet-service-custom-group <name>

Custom Internet Service group name.

Custom Internet Service group name.

string

Maximum length: 79

service <name>

Name of service objects.

Service name.

string

Maximum length: 79

srcaddr-negate

When enabled, source addresses match against any address EXCEPT the specified source addresses.

option

-

disable

 

Option

Description

enable

Enable source address negate.

disable

Disable destination address negate.

dstaddr-negate

When enabled, destination addresses match against any address EXCEPT the specified destination addresses.

option

-

disable

 

Option

Description

enable

Enable source address negate.

disable

Disable destination address negate.

service-negate

When enabled, services match against any service EXCEPT the specified destination services.

option

-

disable

 

Option

Description

enable

Enable negated service match.

disable

Disable negated service match.

action

Accept or deny traffic matching the policy parameters.

option

-

deny

 

Option

Description

accept

Action accept.

deny

Action deny.

redirect

Action redirect.

status

Enable/disable the active status of the policy.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

schedule

Name of schedule object.

string

Maximum length: 35

logtraffic

Enable/disable logging traffic through the policy.

option

-

utm

 

Option

Description

all

Log all sessions.

utm

UTM event and matched application traffic log.

disable

Disable traffic and application log.

session-ttl

TTL in seconds for sessions accepted by this policy .

integer

Minimum value: 300 Maximum value: 2764800

0

srcaddr6 <name>

IPv6 source address objects.

Address name.

string

Maximum length: 79

dstaddr6 <name>

IPv6 destination address objects.

Address name.

string

Maximum length: 79

groups <name>

Names of group objects.

Group name.

string

Maximum length: 79

users <name>

Names of user objects.

Group name.

string

Maximum length: 79

http-tunnel-auth

Enable/disable HTTP tunnel authentication.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

ssh-policy-redirect

Redirect SSH traffic to matching transparent proxy policy.

option

-

disable

 

Option

Description

enable

Enable SSH policy redirect.

disable

Disable SSH policy redirect.

webproxy-forward-server

Web proxy forward server name.

string

Maximum length: 63

webproxy-profile

Name of web proxy profile.

string

Maximum length: 63

transparent

Enable to use the IP address of the client to connect to the server.

option

-

disable

 

Option

Description

enable

Enable use of IP address of client to connect to server.

disable

Disable use of IP address of client to connect to server.

disclaimer

Web proxy disclaimer setting: by domain, policy, or user.

option

-