Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.2.2 Administration Guide
    7.2.2
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Explicit web proxy

    Explicit web proxy

    Explicit web proxy can be configured on FortiGate for proxying HTTP and HTTPS traffic.

    To deploy explicit proxy, individual client browsers can be manually configured to send requests directly to the proxy, or they can be configured to download proxy configuration instructions from a Proxy Auto-Configuration (PAC) file.

    When explicit proxy is configured on an interface, the interface IP address can be used by client browsers to forward requests directly to the FortiGate. FortiGate also supports PAC file configuration.

    To configure explicit web proxy in the GUI:

    1. Enable and configure explicit web proxy:

      1. Go to Network > Explicit Proxy.

      2. Enable Explicit Web Proxy.

      3. Select port2 as the Listen on Interfaces and set the HTTP Port to 8080.

      4. Configure the remaining settings as needed.

      5. Click Apply.

    2. Create an explicit web proxy policy:

      1. Go to Policy & Objects > Proxy Policy.

      2. Click Create New.

      3. Set Proxy Type to Explicit Web and Outgoing Interface to port1.

      4. Also set Source and Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.

      5. Click OK to create the policy.

      3. Note

      This example creates a basic policy. If required, security profiles can be enabled, and deep SSL inspection can be selected to inspect HTTPS traffic.

    3. Configure a client to use the FortiGate explicit proxy:

      Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the PAC file.

    To configure explicit web proxy in the CLI:
    1. Enable and configure explicit web proxy:
      config web-proxy explicit
    set status enable
    set ftp-over-http enable
    set socks enable
    set http-incoming-port 8080
    set ipv6-status enable
    set unknown-http-version best-effort
end
config system interface
    edit "port2"
        set vdom "vdom1"
        set ip 10.1.100.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set explicit-web-proxy enable
        set snmp-index 12
        end
    next
end
    2. Create an explicit web proxy policy:
      config firewall proxy-policy
    edit 1
        set name "proxy-policy-explicit"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
      3. Note

      This example creates a basic policy. If required, security profiles can be enabled, and deep SSL inspection can be selected to inspect HTTPS traffic.
    3. Configure a client to use the FortiGate explicit web proxy:

      Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the PAC file.

    Downloading a PAC file using HTTPS

    PAC files can be downloaded for an explicit proxy through the FortiGate's captive portal using HTTPS to ensure a secure download.

    In this example, a Windows PC has an HTTPS URL configured in its proxy settings to download a PAC file from a FortiGate by using a download link, https://cp.myqalab.local:7831/proxy.pac, through a captive portal. Once the PAC file is securely downloaded using HTTPS, browsers installed on the PC can use the proxy in the PAC file to visit a website.

    The global web proxy settings must be configured to use a customized SSL certificate because the default Fortinet_Factory certificate will not be accepted by Windows due to security restrictions. The customized SSL certificate is used as the HTTPS server's certificate on the FortiGate. All CA certificates in the server certificate must be installed and trusted on the Windows PC.

    To download a PAC file using HTTPS:

    1. Configure the explicit web proxy to get a PAC file through HTTPS:

      config web-proxy explicit
    set pac-file-server-status enable
    unset pac-file-server-port
    set pac-file-name "proxy.pac"
    set pac-file-data "function FindProxyForURL(url, host) {
   // testtest
   return \"PROXY 10.1.100.1:8080\";
}
"
    set pac-file-through-https enable
end

    2. Configure the captive portal to be used as an HTTPS server to provide the service to download the PAC file:

      config authentication setting
    set captive-portal-type ip
    set captive-portal-ip 10.1.100.1
    set captive-portal-ssl-port 7831
end

    3. Configure the global web proxy settings to use a customized SSL certificate:

      config web-proxy global
    set ssl-cert "server_cert"
end

    4. On the Windows PC, go to Settings > Network & Internet > Proxy.

    5. In the Automatic proxy setup section, click Save to trigger the PAC file download from the HTTPS URL.

    Previous
    Next

    Explicit web proxy

    Explicit web proxy

    Explicit web proxy can be configured on FortiGate for proxying HTTP and HTTPS traffic.

    To deploy explicit proxy, individual client browsers can be manually configured to send requests directly to the proxy, or they can be configured to download proxy configuration instructions from a Proxy Auto-Configuration (PAC) file.

    When explicit proxy is configured on an interface, the interface IP address can be used by client browsers to forward requests directly to the FortiGate. FortiGate also supports PAC file configuration.

    To configure explicit web proxy in the GUI:

    1. Enable and configure explicit web proxy:

      1. Go to Network > Explicit Proxy.

      2. Enable Explicit Web Proxy.

      3. Select port2 as the Listen on Interfaces and set the HTTP Port to 8080.

      4. Configure the remaining settings as needed.

      5. Click Apply.

    2. Create an explicit web proxy policy:

      1. Go to Policy & Objects > Proxy Policy.

      2. Click Create New.

      3. Set Proxy Type to Explicit Web and Outgoing Interface to port1.

      4. Also set Source and Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.

      5. Click OK to create the policy.

      3. Note

      This example creates a basic policy. If required, security profiles can be enabled, and deep SSL inspection can be selected to inspect HTTPS traffic.

    3. Configure a client to use the FortiGate explicit proxy:

      Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the PAC file.

    To configure explicit web proxy in the CLI:
    1. Enable and configure explicit web proxy:
      config web-proxy explicit
    set status enable
    set ftp-over-http enable
    set socks enable
    set http-incoming-port 8080
    set ipv6-status enable
    set unknown-http-version best-effort
end
config system interface
    edit "port2"
        set vdom "vdom1"
        set ip 10.1.100.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set explicit-web-proxy enable
        set snmp-index 12
        end
    next
end
    2. Create an explicit web proxy policy:
      config firewall proxy-policy
    edit 1
        set name "proxy-policy-explicit"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
      3. Note

      This example creates a basic policy. If required, security profiles can be enabled, and deep SSL inspection can be selected to inspect HTTPS traffic.
    3. Configure a client to use the FortiGate explicit web proxy:

      Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the PAC file.

    Downloading a PAC file using HTTPS

    PAC files can be downloaded for an explicit proxy through the FortiGate's captive portal using HTTPS to ensure a secure download.

    In this example, a Windows PC has an HTTPS URL configured in its proxy settings to download a PAC file from a FortiGate by using a download link, https://cp.myqalab.local:7831/proxy.pac, through a captive portal. Once the PAC file is securely downloaded using HTTPS, browsers installed on the PC can use the proxy in the PAC file to visit a website.

    The global web proxy settings must be configured to use a customized SSL certificate because the default Fortinet_Factory certificate will not be accepted by Windows due to security restrictions. The customized SSL certificate is used as the HTTPS server's certificate on the FortiGate. All CA certificates in the server certificate must be installed and trusted on the Windows PC.

    To download a PAC file using HTTPS:

    1. Configure the explicit web proxy to get a PAC file through HTTPS:

      config web-proxy explicit
    set pac-file-server-status enable
    unset pac-file-server-port
    set pac-file-name "proxy.pac"
    set pac-file-data "function FindProxyForURL(url, host) {
   // testtest
   return \"PROXY 10.1.100.1:8080\";
}
"
    set pac-file-through-https enable
end

    2. Configure the captive portal to be used as an HTTPS server to provide the service to download the PAC file:

      config authentication setting
    set captive-portal-type ip
    set captive-portal-ip 10.1.100.1
    set captive-portal-ssl-port 7831
end

    3. Configure the global web proxy settings to use a customized SSL certificate:

      config web-proxy global
    set ssl-cert "server_cert"
end

    4. On the Windows PC, go to Settings > Network & Internet > Proxy.

    5. In the Automatic proxy setup section, click Save to trigger the PAC file download from the HTTPS URL.

    Previous
    Next