
Administration Guide

Proxy policy addresses


Proxy addresses are designed to be used only by proxy policies. The following address types are available:

Fast policy match

The fast policy match function improves the performance of IPv4 explicit and transparent web proxies on FortiGate devices.

When enabled, after the proxy policies are configured, the FortiGate builds a fast searching table based on the different proxy policy matching criteria. When fast policy matching is disabled, web proxy traffic is compared to the policies one at a time from the beginning of the policy list.

Fast policy matching is enabled by default, and can be configured with the following CLI command:

config web-proxy global
    set fast-policy-match {enable | disable}
end

Host regex match

In this address type, a user can create a hostname as a regular expression to match the Host field in the Layer 7 header of a packet. Once created, the hostname address can be selected as a destination of a proxy policy. This means that a policy will only allow or block requests that match the regular expression.

This example creates a host regex match address with the pattern qa.[a-z]*.com.

To create a host regex match address in the GUI:
  1. Go to Policy & Objects > Addresses and select Proxy > Address.

  2. Click Create new.

  3. Set the following:

    • Name to Host Regex,

    • Type to Host Regex Match, and

    • Host Regex Pattern to qa.[a-z]*.com.

  4. Click OK.

To create a host regex match address in the CLI:
config firewall proxy-address
    edit "Host Regex"
        set type host-regex
        set host-regex "qa.[a-z]*.com"
    next
end
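
The pattern above leaves its dots unescaped, and this page does not state whether the match is anchored to the whole Host value. The following added example (not Fortinet code; it uses Python's re engine, which may differ from the FortiOS regex engine) checks the pattern against constructed hostnames before it is deployed. STRICT_PATTERN and the sample hosts are assumptions.

```python
import re

# Pattern exactly as used in the example on this page.
PAGE_PATTERN = r"qa.[a-z]*.com"
# Stricter variant (assumption, not from the page): literal dots, anchored.
STRICT_PATTERN = r"^qa\.[a-z]+\.com$"

# Constructed Host header values for testing; none come from the page.
SAMPLE_HOSTS = [
    "qa.example.com",             # intended match
    "qa.staging.com",             # intended match
    "qaXexampleYcom",             # unescaped dots match any character
    "qa.example.com.other.test",  # extra text after an unanchored match
    "www.qa.example.com",         # extra text before an unanchored match
    "prod.example.com",           # should never match
]
INTENDED = {"qa.example.com", "qa.staging.com"}


def audit(pattern, hosts):
    """Return {host: (search_hit, fullmatch_hit)} for one pattern."""
    rx = re.compile(pattern)
    return {h: (rx.search(h) is not None, rx.fullmatch(h) is not None)
            for h in hosts}


def unexpected_matches(pattern, hosts, intended):
    """Hosts that match somewhere in the string but were not intended to."""
    hits = audit(pattern, hosts)
    return sorted(h for h, (found, _) in hits.items()
                  if found and h not in intended)


if __name__ == "__main__":
    for label, pattern in (("page", PAGE_PATTERN), ("strict", STRICT_PATTERN)):
        print(f"{label}: {pattern}")
        for host, (found, full) in audit(pattern, SAMPLE_HOSTS).items():
            print(f"  {host:28} search={found!s:5} fullmatch={full}")
        print("  unexpected:",
              unexpected_matches(pattern, SAMPLE_HOSTS, INTENDED))
```

Confirm the anchoring behaviour on the FortiGate itself with test requests before relying on either pattern in an allow policy.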

URL pattern

In this address type, a user can create a URL path as a regular expression. Once created, the path address can be selected as a destination of a proxy policy. This means that a policy will only allow or block requests that match the regular expression.

This example creates a URL pattern address with the pattern /filetypes/.

To create a URL pattern address in the GUI:
  1. Go to Policy & Objects > Addresses and select Proxy > Address.

  2. Click Create new.

  3. Set the following:

    • Name to URL Regex,

    • Type to URL Pattern,

    • Host to all, and

    • URL Path Regex to /filetypes/.

  4. Click OK.

To create a URL pattern address in the CLI:
config firewall proxy-address
    edit "URL Regex"
        set type url
        set host "all"
        set path "/filetypes/"
    next
end

URL category

In this address type, a user can create a URL category based on a FortiGuard URL ID. Once created, the address can be selected as a destination of a proxy policy. This means that a policy will only allow or block requests that match the URL category.

The example creates a URL category address for URLs in the Education category. For more information about categories, see https://fortiguard.com/webfilter/categories.

For information about creating and using custom local and remote categories, see Web rating override, Using local and remote categories, and Threat feeds.

To create a URL category address in the GUI:
  1. Go to Policy & Objects > Addresses and select Proxy > Address.

  2. Click Create new.

  3. Set the following:

    • Name to url-category,

    • Type to URL Category,

    • Host to all, and

    • URL Category to Education.

  4. Click OK.

To create a URL category address in the CLI:
config firewall proxy-address
    edit "url-category"
        set type category
        set host "all"
        set category 30
    next
end

To see a list of all the categories and their numbers, when editing the address, enter set category ?.

HTTP method

In this address type, a user can create an address based on the HTTP request methods that are used. Multiple method options are supported, including: CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, and TRACE. Once created, the address can be selected as a source of a proxy policy. This means that a policy will only allow or block requests that match the selected HTTP method.

The example creates an HTTP method address that uses the GET method.

To create an HTTP method address in the GUI:
  1. Go to Policy & Objects > Addresses and select Proxy > Address.

  2. Click Create new.

  3. Set the following:

    • Name to method_get,

    • Type to HTTP Method,

    • Host to all, and

    • Request Method to GET.

  4. Click OK.

To create an HTTP method address in the CLI:
config firewall proxy-address
    edit "method_get"
        set type method
        set host "all"
        set method get
    next
end

HTTP header

In this address type, a user can create an HTTP header as a regular expression. Once created, the header address can be selected as a source of a proxy policy. This means that a policy will only allow or block requests where the HTTP header matches the regular expression.

This example creates an HTTP header address with the pattern Q[A-B].

To create an HTTP header address in the GUI:
  1. Go to Policy & Objects > Addresses and select Proxy > Address.

  2. Click Create new.

  3. Set the following:

    • Name to HTTP-header,

    • Type to HTTP Header,

    • Host to all,

    • Header Name to Header_Test, and

    • Header Regex to Q[A-B].

  4. Click OK.

To create an HTTP header address in the CLI:
config firewall proxy-address
    edit "HTTP-header"
        set type header
        set host "all"
        set header-name "Header_Test"
        set header "Q[A-B]"
    next
end

User agent

In this address type, a user can create an address based on the names of the browsers that are used as user agents. Multiple browsers are supported, such as Chrome, Firefox, Internet Explorer, and others. Once created, the address can be selected as a source of a proxy policy. This means that a policy will only allow or block requests from the specified user agent.

This example creates a user agent address for Google Chrome.

To create a user agent address in the GUI:
  1. Go to Policy & Objects > Addresses and select Proxy > Address.

  2. Click Create new.

  3. Set the following:

    • Name to UA-Chrome,

    • Type to User Agent,

    • Host to all, and

    • User Agent to Google Chrome.

  4. Click OK.

To create a user agent address in the CLI:
config firewall proxy-address
    edit "UA-Chrome"
        set type ua
        set host "all"
        set ua chrome
    next
end

Browser version control

For security reasons, the user can restrict the browser version by specifying a range of supported versions. The range is set from the CLI using set ua-min-ver and set ua-max-ver. This option is available when the address Type is either User Agent or Advanced (Source).

To restrict the browser version:
config firewall proxy-address
    edit "ua-ver"
        set type ua
        set ua firefox
        set ua-min-ver "100.0.1"
        set ua-max-ver "160"
    next
end
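
To see which browsers a range such as the one above would admit, the following added example (not Fortinet code) classifies constructed Firefox User-Agent strings against ua-min-ver "100.0.1" and ua-max-ver "160". It assumes a numeric, component-by-component comparison with missing components treated as 0; the page does not state how FortiOS compares versions, so check boundary cases on the device.

```python
import re

# Range taken from the CLI example on this page.
UA_MIN_VER = "100.0.1"
UA_MAX_VER = "160"


def parse_version(text, width=4):
    """'100.0.1' -> (100, 0, 1, 0); missing components count as 0 (assumption)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def firefox_version(user_agent):
    """Return the version string after 'Firefox/', or None if absent."""
    m = re.search(r"\bFirefox/(\d+(?:\.\d+){0,3})", user_agent)
    return m.group(1) if m else None


def classify(user_agent, min_ver=UA_MIN_VER, max_ver=UA_MAX_VER):
    """Return 'no-version', 'below-min', 'above-max' or 'in-range'."""
    version = firefox_version(user_agent)
    if version is None:
        return "no-version"
    v = parse_version(version)
    if v < parse_version(min_ver):
        return "below-min"
    if v > parse_version(max_ver):
        return "above-max"
    return "in-range"


# Constructed User-Agent strings for testing; none come from the page.
BASE = "Mozilla/5.0 (X11; Linux x86_64; rv:1.0) Gecko/20100101 "
SAMPLES = {
    "ff-99.0": BASE + "Firefox/99.0",        # numerically below 100.0.1
    "ff-100.0": BASE + "Firefox/100.0",      # just under the minimum
    "ff-100.0.1": BASE + "Firefox/100.0.1",  # exactly the minimum
    "ff-160.0": BASE + "Firefox/160.0",      # equal to the maximum once padded
    "ff-160.0.1": BASE + "Firefox/160.0.1",  # just over the maximum
    "chrome": "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0.0.0 Safari/537.36",
}

if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        print(f"{name:12} {classify(ua)}")
```

The User-Agent header is supplied by the client, so treat the version range as a policy-hygiene control rather than proof of the browser in use.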

Advanced (source)

In this address type, a user can create an address based on multiple parameters, including HTTP method, User Agent, and HTTP header. Once created, the address can be selected as a source of a proxy policy. This means that a policy will only allow or block requests that match the selected address.

This example creates an address that uses the GET method, a user agent for Google Chrome, and an HTTP header with the pattern Q[A-B].

To create an advanced (source) address in the GUI:
  1. Go to Policy & Objects > Addresses and select Proxy > Address.

  2. Click Create new.

  3. Set the following:

    • Name to advanced_src,

    • Type to Advanced (Source),

    • Host to all,

    • Request Method to GET,

    • User Agent to Google Chrome, and

    • HTTP header to Header_Test : Q[A-B].

  4. Click OK.

To create an advanced (source) address in the CLI:
config firewall proxy-address
    edit "advanced_src"
        set type src-advanced
        set host "all"
        set method get
        set ua chrome
        config header-group
            edit 1
                set header-name "Header_Test"
                set header "Q[A-B]"
            next
        end
    next
end

Advanced (destination)

In this address type, a user can create an address based on URL pattern and URL category parameters. Once created, the address can be selected as a destination of a proxy policy. This means that a policy will only allow or block requests that match the selected address.

This example creates an address that matches URLs with the path pattern /about that are in the Education category. For more information about categories, see https://fortiguard.com/webfilter/categories.

To create an advanced (destination) address in the GUI:
  1. Go to Policy & Objects > Addresses and select Proxy > Address.

  2. Click Create new.

  3. Set the following:

    • Name to Advanced-dst,

    • Type to Advanced (Destination),

    • Host to all,

    • URL Path Regex to /about, and

    • URL Category to Education.

  4. Click OK.

To create an advanced (destination) address in the CLI:
config firewall proxy-address
    edit "Advanced-dst"
        set type dst-advanced
        set host "all"
        set path "/about"
        set category 30
    next
end
