Fortinet black logo

CLI Reference

config web-proxy explicit

config web-proxy explicit

Configure explicit Web proxy settings.

config web-proxy explicit

Description: Configure explicit Web proxy settings.

set status [enable|disable]

set ftp-over-http [enable|disable]

set socks [enable|disable]

set http-incoming-port {user}

set https-incoming-port {user}

set ftp-incoming-port {user}

set socks-incoming-port {user}

set incoming-ip {ipv4-address-any}

set outgoing-ip {ipv4-address-any}

set ipv6-status [enable|disable]

set incoming-ip6 {ipv6-address}

set outgoing-ip6 {ipv6-address}

set strict-guest [enable|disable]

set pref-dns-result [ipv4|ipv6]

set unknown-http-version [reject|best-effort]

set realm {string}

set sec-default-action [accept|deny]

set https-replacement-message [enable|disable]

set message-upon-server-error [enable|disable]

set pac-file-server-status [enable|disable]

set pac-file-url {user}

set pac-file-server-port {user}

set pac-file-name {string}

set pac-file-data {user}

config pac-policy

Description: PAC policies.

edit <policyid>

set status [enable|disable]

set srcaddr <name1>, <name2>, ...

set srcaddr6 <name1>, <name2>, ...

set dstaddr <name1>, <name2>, ...

set pac-file-name {string}

set pac-file-data {user}

set comments {var-string}

next

end

set ssl-algorithm [high|medium|...]

set trace-auth-no-rsp [enable|disable]

end

config web-proxy explicit

Parameter

Description

Type

Size

Default

status

Enable/disable the explicit Web proxy for HTTP and HTTPS session.

option

-

disable

Option

Description

enable

Enable the explicit web proxy.

disable

Disable the explicit web proxy.

ftp-over-http

Enable to proxy FTP-over-HTTP sessions sent from a web browser.

option

-

disable

Option

Description

enable

Enable FTP-over-HTTP sessions.

disable

Disable FTP-over-HTTP sessions.

socks

Enable/disable the SOCKS proxy.

option

-

disable

Option

Description

enable

Enable the SOCKS proxy.

disable

Disable the SOCKS proxy.

http-incoming-port

Accept incoming HTTP requests on one or more ports .

user

Not Specified

https-incoming-port

Accept incoming HTTPS requests on one or more ports .

user

Not Specified

ftp-incoming-port

Accept incoming FTP-over-HTTP requests on one or more ports .

user

Not Specified

socks-incoming-port

Accept incoming SOCKS proxy requests on one or more ports .

user

Not Specified

incoming-ip

Restrict the explicit HTTP proxy to only accept sessions from this IP address. An interface must have this IP address.

ipv4-address-any

Not Specified

0.0.0.0

outgoing-ip

Outgoing HTTP requests will have this IP address as their source address. An interface must have this IP address.

ipv4-address-any

Not Specified

ipv6-status

Enable/disable allowing an IPv6 web proxy destination in policies and all IPv6 related entries in this command.

option

-

disable

Option

Description

enable

Enable allowing an IPv6 web proxy destination.

disable

Disable allowing an IPv6 web proxy destination.

incoming-ip6

Restrict the explicit web proxy to only accept sessions from this IPv6 address. An interface must have this IPv6 address.

ipv6-address

Not Specified

::

outgoing-ip6

Outgoing HTTP requests will leave this IPv6. Multiple interfaces can be specified. Interfaces must have these IPv6 addresses.

ipv6-address

Not Specified

strict-guest

Enable/disable strict guest user checking by the explicit web proxy.

option

-

disable

Option

Description

enable

Enable strict guest user checking.

disable

Disable strict guest user checking.

pref-dns-result

Prefer resolving addresses using the configured IPv4 or IPv6 DNS server .

option

-

ipv4

Option

Description

ipv4

Prefer the IPv4 DNS server.

ipv6

Prefer the IPv6 DNS server.

unknown-http-version

How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1.

option

-

reject

Option

Description

reject

Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.

best-effort

Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, it may not parse correctly and the connection may be lost.

realm

Authentication realm used to identify the explicit web proxy (maximum of 63 characters).

string

Maximum length: 63

default

sec-default-action

Accept or deny explicit web proxy sessions when no web proxy firewall policy exists.

option

-

deny

Option

Description

accept

Accept requests. All explicit web proxy traffic is accepted whether there is an explicit web proxy policy or not.

deny

Deny requests unless there is a matching explicit web proxy policy.

https-replacement-message

Enable/disable sending the client a replacement message for HTTPS requests.

option

-

enable

Option

Description

enable

Display a replacement message for HTTPS requests.

disable

Do not display a replacement message for HTTPS requests.

message-upon-server-error

Enable/disable displaying a replacement message when a server error is detected.

option

-

enable

Option

Description

enable

Display a replacement message when a server error is detected.

disable

Do not display a replacement message when a server error is detected.

pac-file-server-status

Enable/disable Proxy Auto-Configuration (PAC) for users of this explicit proxy profile.

option

-

disable

Option

Description

enable

Enable Proxy Auto-Configuration (PAC).

disable

Disable Proxy Auto-Configuration (PAC).

pac-file-url

PAC file access URL.

user

Not Specified

pac-file-server-port

Port number that PAC traffic from client web browsers uses to connect to the explicit web proxy .

user

Not Specified

pac-file-name

Pac file name.

string

Maximum length: 63

proxy.pac

pac-file-data

PAC file contents enclosed in quotes (maximum of 256K bytes).

user

Not Specified

ssl-algorithm

Relative strength of encryption algorithms accepted in HTTPS deep scan: high, medium, or low.

option

-

low

Option

Description

high

High encrption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

trace-auth-no-rsp

Enable/disable logging timed-out authentication requests.

option

-

disable

Option

Description

enable

Enable logging timed-out authentication requests.

disable

Disable logging timed-out authentication requests.

config pac-policy

Parameter

Description

Type

Size

Default

status

Enable/disable policy.

option

-

enable

Option

Description

enable

Enable policy.

disable

Disable policy.

srcaddr <name>

Source address objects.

Address name.

string

Maximum length: 79

srcaddr6 <name>

Source address6 objects.

Address name.

string

Maximum length: 79

dstaddr <name>

Destination address objects.

Address name.

string

Maximum length: 79

pac-file-name

Pac file name.

string

Maximum length: 63

proxy.pac

pac-file-data

PAC file contents enclosed in quotes (maximum of 256K bytes).

user

Not Specified

comments

Optional comments.

var-string

Maximum length: 1023

config web-proxy explicit

Configure explicit Web proxy settings.

config web-proxy explicit

Description: Configure explicit Web proxy settings.

set status [enable|disable]

set ftp-over-http [enable|disable]

set socks [enable|disable]

set http-incoming-port {user}

set https-incoming-port {user}

set ftp-incoming-port {user}

set socks-incoming-port {user}

set incoming-ip {ipv4-address-any}

set outgoing-ip {ipv4-address-any}

set ipv6-status [enable|disable]

set incoming-ip6 {ipv6-address}

set outgoing-ip6 {ipv6-address}

set strict-guest [enable|disable]

set pref-dns-result [ipv4|ipv6]

set unknown-http-version [reject|best-effort]

set realm {string}

set sec-default-action [accept|deny]

set https-replacement-message [enable|disable]

set message-upon-server-error [enable|disable]

set pac-file-server-status [enable|disable]

set pac-file-url {user}

set pac-file-server-port {user}

set pac-file-name {string}

set pac-file-data {user}

config pac-policy

Description: PAC policies.

edit <policyid>

set status [enable|disable]

set srcaddr <name1>, <name2>, ...

set srcaddr6 <name1>, <name2>, ...

set dstaddr <name1>, <name2>, ...

set pac-file-name {string}

set pac-file-data {user}

set comments {var-string}

next

end

set ssl-algorithm [high|medium|...]

set trace-auth-no-rsp [enable|disable]

end

config web-proxy explicit

Parameter

Description

Type

Size

Default

status

Enable/disable the explicit Web proxy for HTTP and HTTPS session.

option

-

disable

Option

Description

enable

Enable the explicit web proxy.

disable

Disable the explicit web proxy.

ftp-over-http

Enable to proxy FTP-over-HTTP sessions sent from a web browser.

option

-

disable

Option

Description

enable

Enable FTP-over-HTTP sessions.

disable

Disable FTP-over-HTTP sessions.

socks

Enable/disable the SOCKS proxy.

option

-

disable

Option

Description

enable

Enable the SOCKS proxy.

disable

Disable the SOCKS proxy.

http-incoming-port

Accept incoming HTTP requests on one or more ports .

user

Not Specified

https-incoming-port

Accept incoming HTTPS requests on one or more ports .

user

Not Specified

ftp-incoming-port

Accept incoming FTP-over-HTTP requests on one or more ports .

user

Not Specified

socks-incoming-port

Accept incoming SOCKS proxy requests on one or more ports .

user

Not Specified

incoming-ip

Restrict the explicit HTTP proxy to only accept sessions from this IP address. An interface must have this IP address.

ipv4-address-any

Not Specified

0.0.0.0

outgoing-ip

Outgoing HTTP requests will have this IP address as their source address. An interface must have this IP address.

ipv4-address-any

Not Specified

ipv6-status

Enable/disable allowing an IPv6 web proxy destination in policies and all IPv6 related entries in this command.

option

-

disable

Option

Description

enable

Enable allowing an IPv6 web proxy destination.

disable

Disable allowing an IPv6 web proxy destination.

incoming-ip6

Restrict the explicit web proxy to only accept sessions from this IPv6 address. An interface must have this IPv6 address.

ipv6-address

Not Specified

::

outgoing-ip6

Outgoing HTTP requests will leave this IPv6. Multiple interfaces can be specified. Interfaces must have these IPv6 addresses.

ipv6-address

Not Specified

strict-guest

Enable/disable strict guest user checking by the explicit web proxy.

option

-

disable

Option

Description

enable

Enable strict guest user checking.

disable

Disable strict guest user checking.

pref-dns-result

Prefer resolving addresses using the configured IPv4 or IPv6 DNS server .

option

-

ipv4

Option

Description

ipv4

Prefer the IPv4 DNS server.

ipv6

Prefer the IPv6 DNS server.

unknown-http-version

How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1.

option

-

reject

Option

Description

reject

Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.

best-effort

Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, it may not parse correctly and the connection may be lost.

realm

Authentication realm used to identify the explicit web proxy (maximum of 63 characters).

string

Maximum length: 63

default

sec-default-action

Accept or deny explicit web proxy sessions when no web proxy firewall policy exists.

option

-

deny

Option

Description

accept

Accept requests. All explicit web proxy traffic is accepted whether there is an explicit web proxy policy or not.

deny

Deny requests unless there is a matching explicit web proxy policy.

https-replacement-message

Enable/disable sending the client a replacement message for HTTPS requests.

option

-

enable

Option

Description

enable

Display a replacement message for HTTPS requests.

disable

Do not display a replacement message for HTTPS requests.

message-upon-server-error

Enable/disable displaying a replacement message when a server error is detected.

option

-

enable

Option

Description

enable

Display a replacement message when a server error is detected.

disable

Do not display a replacement message when a server error is detected.

pac-file-server-status

Enable/disable Proxy Auto-Configuration (PAC) for users of this explicit proxy profile.

option

-

disable

Option

Description

enable

Enable Proxy Auto-Configuration (PAC).

disable

Disable Proxy Auto-Configuration (PAC).

pac-file-url

PAC file access URL.

user

Not Specified

pac-file-server-port

Port number that PAC traffic from client web browsers uses to connect to the explicit web proxy .

user

Not Specified

pac-file-name

Pac file name.

string

Maximum length: 63

proxy.pac

pac-file-data

PAC file contents enclosed in quotes (maximum of 256K bytes).

user

Not Specified

ssl-algorithm

Relative strength of encryption algorithms accepted in HTTPS deep scan: high, medium, or low.

option

-

low

Option

Description

high

High encrption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

trace-auth-no-rsp

Enable/disable logging timed-out authentication requests.

option

-

disable

Option

Description

enable

Enable logging timed-out authentication requests.

disable

Disable logging timed-out authentication requests.

config pac-policy

Parameter

Description

Type

Size

Default

status

Enable/disable policy.

option

-

enable

Option

Description

enable

Enable policy.

disable

Disable policy.

srcaddr <name>

Source address objects.

Address name.

string

Maximum length: 79

srcaddr6 <name>

Source address6 objects.

Address name.

string

Maximum length: 79

dstaddr <name>

Destination address objects.

Address name.

string

Maximum length: 79

pac-file-name

Pac file name.

string

Maximum length: 63

proxy.pac

pac-file-data

PAC file contents enclosed in quotes (maximum of 256K bytes).

user

Not Specified

comments

Optional comments.

var-string

Maximum length: 1023