Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.2.10 Administration Guide
    7.2.10
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Transparent proxy

    Transparent proxy

    In a transparent proxy deployment, the user's client software, such as a browser, is unaware that it is communicating with a proxy.

    Users request internet content as usual, without any special client configuration, and the proxy serves their requests. FortiGate also allows users to configure in transparent proxy mode.

    To redirect HTTPS traffic, SSL inspection is required.

    Note

    HTTP and HTTPS traffic that is successfully redirected to a proxy policy is subject to security profiles configured on the proxy policy, not the base firewall policy. Security profiles configured on the base firewall policy still apply to other traffic, such as FTP.
    To configure transparent proxy in the GUI:

    1. Configure a regular firewall policy with HTTP redirect:

      1. Go to Policy & Objects > Firewall Policy.

      2. Click Create New.

      3. Name the policy appropriately, set the Incoming Interface to port2, and set the Outgoing Interface to port1.

      4. Also set Source and Destination to all, Schedule to always, Service to ALL, and Action to ACCEPT.

      5. Set Inspection Mode to Proxy-based and SSL Inspection to deep-inspection.

      6. Configure the remaining settings as needed.

      7. Click OK.

        8. Note

        By default, HTTP redirect can only be enabled in the CLI. Enable Policy Advanced Options in Feature Visibility to configure it in the GUI. See Feature visibility on page 1 for more information.

    2. Configure a transparent proxy policy:

      1. Go to Policy & Objects > Proxy Policy.

      2. Click Create New.

      3. Set Proxy Type to Transparent Web, set the Incoming Interface to port2, and set the Outgoing Interface to port1.

      4. Also set Source and Destination to all, Scheduleto always, Service to webproxy, and Action to ACCEPT.

      5. Configure the remaining settings as needed.

      6. Click OK to create the policy.

      Note

      This example creates a basic policy. If required, security profiles can be enabled, and deep SSL inspection can be selected to inspect HTTPS traffic.

    3. No special configuration is required on the client to use FortiGate transparent proxy. As the client is using the FortiGate as its default gateway, requests will first hit the regular firewall policy, and then be redirected to the transparent proxy policy.

    To configure transparent proxy in the CLI:

    1. Configure a regular firewall policy with HTTP redirect:

      config firewall policy
    edit 1
        set name "LAN To WAN"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set http-policy-redirect enable
        set fsso disable
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end

    2. Configure a transparent proxy policy:

      config firewall proxy-policy
    edit 5
        set name "proxy-policy-transparent"
        set proxy transparent-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
    next
end
      Note

      This example creates a basic policy. If required, security profiles can be enabled, and deep SSL inspection can be selected to inspect HTTPS traffic.

    3. No special configuration is required on the client to use FortiGate transparent proxy. As the client is using the FortiGate as its default gateway, requests will first hit the regular firewall policy, and then be redirected to the transparent proxy policy.

    Previous
    Next

    Transparent proxy

    Transparent proxy

    In a transparent proxy deployment, the user's client software, such as a browser, is unaware that it is communicating with a proxy.

    Users request internet content as usual, without any special client configuration, and the proxy serves their requests. FortiGate also allows users to configure in transparent proxy mode.

    To redirect HTTPS traffic, SSL inspection is required.

    Note

    HTTP and HTTPS traffic that is successfully redirected to a proxy policy is subject to security profiles configured on the proxy policy, not the base firewall policy. Security profiles configured on the base firewall policy still apply to other traffic, such as FTP.
    To configure transparent proxy in the GUI:

    1. Configure a regular firewall policy with HTTP redirect:

      1. Go to Policy & Objects > Firewall Policy.

      2. Click Create New.

      3. Name the policy appropriately, set the Incoming Interface to port2, and set the Outgoing Interface to port1.

      4. Also set Source and Destination to all, Schedule to always, Service to ALL, and Action to ACCEPT.

      5. Set Inspection Mode to Proxy-based and SSL Inspection to deep-inspection.

      6. Configure the remaining settings as needed.

      7. Click OK.

        8. Note

        By default, HTTP redirect can only be enabled in the CLI. Enable Policy Advanced Options in Feature Visibility to configure it in the GUI. See Feature visibility on page 1 for more information.

    2. Configure a transparent proxy policy:

      1. Go to Policy & Objects > Proxy Policy.

      2. Click Create New.

      3. Set Proxy Type to Transparent Web, set the Incoming Interface to port2, and set the Outgoing Interface to port1.

      4. Also set Source and Destination to all, Scheduleto always, Service to webproxy, and Action to ACCEPT.

      5. Configure the remaining settings as needed.

      6. Click OK to create the policy.

      Note

      This example creates a basic policy. If required, security profiles can be enabled, and deep SSL inspection can be selected to inspect HTTPS traffic.

    3. No special configuration is required on the client to use FortiGate transparent proxy. As the client is using the FortiGate as its default gateway, requests will first hit the regular firewall policy, and then be redirected to the transparent proxy policy.

    To configure transparent proxy in the CLI:

    1. Configure a regular firewall policy with HTTP redirect:

      config firewall policy
    edit 1
        set name "LAN To WAN"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set http-policy-redirect enable
        set fsso disable
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end

    2. Configure a transparent proxy policy:

      config firewall proxy-policy
    edit 5
        set name "proxy-policy-transparent"
        set proxy transparent-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
    next
end
      Note

      This example creates a basic policy. If required, security profiles can be enabled, and deep SSL inspection can be selected to inspect HTTPS traffic.

    3. No special configuration is required on the client to use FortiGate transparent proxy. As the client is using the FortiGate as its default gateway, requests will first hit the regular firewall policy, and then be redirected to the transparent proxy policy.

    Previous
    Next