Fortinet white logo
Fortinet white logo

Administration Guide

Create or edit a policy

Create or edit a policy

New policies can be created by selecting Create New in the toolbar. By default, the new policy appears at the bottom of the policy list. New policies can also be created above or below an existing policy by right-clicking a policy name and selecting Insert Empty Policy Above or Insert Empty Policy Below or by copying or cutting an existing policy and then selecting Paste Above or Paste Below from the right-click menu.

Editing a policy

Policy information can be edited as required in four ways:

  • By double-clicking on the sequence number of a policy or the policy name in the policy list

  • By selecting a policy and then selecting Edit from the toolbar

  • By hovering over the policy name and then selecting Edit (the pencil icon)

  • By right-clicking on the sequence number of the policy or the policy name and selecting Edit from the right-click menu

The editing window for regular policies contains the same information as when creating new policies.

Policy types

There are six types of policies:

  • Explicit—for an explicit web proxy policy.

    Use an explicit web proxy policy if you want to use the explicit web proxy.

    You can use the FortiProxy explicit web proxy to enable explicit proxying of IPv4 and IPv6 HTTP, and HTTPS traffic on one or more FortiProxy interfaces. The explicit web proxy also supports proxying FTP sessions from a web browser and proxy auto-config (PAC) to provide automatic proxy configurations for explicit web proxy users. From the CLI, you can also configure the explicit web proxy to support SOCKS sessions from a web browser.

    The explicit web and FTP proxies can be operating at the same time on the same or on different FortiProxy interfaces.

    The explicit web proxy receives web browser sessions to be proxied at FortiProxy interfaces with the explicit web proxy enabled. The explicit web proxy uses FortiProxy routing to route sessions through the FortiProxy unit to a destination interface. Before a session leaves the exiting interface, the explicit web proxy changes the source addresses of the session packets to the IP address of the exiting interface. You can configure the explicit web proxy to keep the original client IP address.

  • Transparent—for a transparent firewall policy.

    Use a transparent firewall policy if you want to use the transparent web proxy.

    In addition to the explicit web proxy, the FortiProxy unit supports a transparent web proxy. While it does not have as many features as explicit web proxy, the transparent proxy has the advantage that nothing needs to be done on the userʼs system to forward supported web traffic over to the proxy. There is no need to reconfigure the browser or publish a PAC file. Everything is transparent to the end user, hence the name. This makes it easier to incorporate new users into a proxy deployment.

    You can use the transparent proxy to apply web authentication to HTTP traffic accepted by a firewall policy.

    On networks where authentication based on IP address will not work, you can use the transparent web proxy to apply web authentication that is based on the userʼs browser and not on their IP address. This authentication method allows you to identify individual users even if multiple users on your network are connecting to the FortiProxy unit from the same IP address.

  • FTP—for an explicit FTP proxy policy.

    Use an explicit FTP proxy policy if you want to use the explicit FTP proxy.

    You can use the FortiProxy explicit FTP proxy to enable explicit FTP proxying on one or more FortiProxy interfaces. The explicit web and FTP proxies can be operating at the same time on the same or on different FortiProxy interfaces.

    The FTP proxy receives FTP sessions to be proxied at FortiProxy interfaces with the explicit FTP proxy enabled. The FTP proxy uses FortiProxy routing to route sessions through the FortiProxy unit to a destination interface. Before a session leaves the exiting interface, the explicit FTP proxy changes the source addresses of the session packets to the IP address of the exiting interface.

  • SSH Tunnel—to perform access control for TCP/IP port forwarding traffic that is tunneled through the SSH proxy.

  • SSH Proxy—to apply a proxy firewall policy with user authentication on SSH sessions.

  • Wanopt—for a WAN optimization tunnel.

    All optimized traffic passes between the FortiProxy units or between a FortiClient peer and a FortiProxy unit over a WAN optimization tunnel. Traffic in the tunnel can be sent in plain text or encrypted using AES-128bit-CBC SSL.

    Both plain text and the encrypted tunnels use TCP destination port 7810.

    Before a tunnel can be started, the peers must be configured to authenticate with each other. Then, the clientside peer attempts to start a WAN optimization tunnel with the server-side peer. Once the peers authenticate with each other, they bring up the tunnel and WAN optimization communication over the tunnel starts. After a tunnel has been established, multiple WAN optimization sessions can start and stop between peers without restarting the tunnel.

Configuring a policy

To configure an explicit policy:

Type

Select Explicit. See Policy types.

Name

Enter a unique name for the new policy. Names can be changed later.

Explicit Web Proxy

If you selected Explicit for the policy type, select web-proxy or search for a policy. To create an explicit proxy policy, see Create or edit an explicit proxy.

Outgoing Interface

Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Source

Click +. A window slides out from the right where you can select from the available sources.

You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses.

When the field is selected, a window slides out from the right. Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source.

Destination

Click +. A window slides out from the right where you can select from the available destinations.

You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses.

Negate Destination

Enable to use all destinations except the ones specified in the Destination field.

Schedule

Select a schedule from the drop-down list. Select Create to create a schedule. For more information, see Schedules.

Service

Select a service or service group that packets must match to trigger this policy. Select Create to create a service list. See Services.

You can add multiple services or service groups.

Action

Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.

  • ACCEPT—Accept traffic matched by the policy.

  • DENY—Reject traffic matched by the policy.

  • REDIRECT—Redirect traffic matched by the policy to the URL specified in the Redirect URL field.

  • ISOLATE—Isolate traffic matched by the policy to the isolator server selected in the Isolator Server drop-down list.

Web Cache

Enable or disable web caching.

Reverse Cache

Enable to use reverse proxy web caching.

This option is available only if the Action is Accept and Web Cache is enabled.

Web Cache For HTTPS Traffic

Enable or disable web caching for HTTPS traffic.

Transparent

Enable or disable transparent proxy.

Poolname

If you configured an IP pool, enable this option and then select the IP pool from the drop-down list.

Webproxy Profile

If you configured a web proxy profile, enable this option and then select the web proxy profile from the drop-down list. See Web Proxy Profile.

Web Proxy Forwarding Server

If you configured a web proxy forwarding server, enable this option and then select a server from the drop-down list. See Create or edit a forwarding server.

Protocol Options

Select the proxy options profilefor the policy to use. See Proxy Options.

SSL/SSH Inspection

The SSL/SSH inspection options used by the policy. See SSL/SSH Inspection.

Display Disclaimer

If you want to display a disclaimer about Internet content that is not controlled by the network access provider, select By Domain, By Policy, or By User.

This option is available only if Action is set to ACCEPT.

Customize Messages

Enable and then edit the existing message or create a message.

This option is available only if Display Disclaimer is set to By Domain, By Policy, or By User.

Security Profiles

Select the security profiles to apply to the policy.

These options are available only if Action is set to ACCEPT.

AntiVirus

Enable the antivirus profile and select or create a profile from the drop-down list. See AntiVirus.

Web Filter

Enable the web filter profile and select or create a profile from the drop-down list. See Web Filter.

Application Control

Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor.

IPS

Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor.

DLP Sensor

Enable DLP sensors and select or create a sensor from the drop-down list. See Data Leak Prevention.

Content Analysis

Enable the Content Analysis profile and select or create a profile from the drop-down list. See Create or edit an Image Analysis profile.

ICAP

Enable the ICAP profile and select or create a profile from the drop-down list. See Create or edit an ICAP profile.

Log Allowed Traffic

Enable and then select Security Events or All Sessions.

This option is available only if Action is set to ACCEPT, REDIRECT, or ISOLATE.

Generate Logs when Session Starts

Enable or disable logging when the session starts.

Log HTTP Transaction

Configure the logging of HTTP transactions:

  • All—Log all HTTP transactions.

  • Security Profiles (default)—Log HTTP transaction on UTM event.

  • Disable—Disable HTTP transaction log.

When All or Security Profiles is selected, you can find the HTTP transaction logs under Log & Report > HTTP Transaction. See Types of logs.

Comments

Enter a description up to 1,023 characters to describe the policy.

Enable this policy

Enable to use this policy.

Enable Policy Matching Pass Through

Enable to make the policy a pass-through policy. Disabled by default.

When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy.

Enable SSH policy check

Enable or disable whether to redirect SSH traffic to the matching proxy policy. See SSH policy matching.

Extended Log

Enable or disable the recording of extended log for implicit policies. The extended log includes the useragent, referralurl, httpmethod, and statuscode fields.

To configure a transparent policy:

Type

Select Transparent. See Policy types.

Name

Enter a unique name for the new policy. Names can be changed later.

ZTNA

Enable or disable Zero Trust Network Access (ZTNA). If you enable ZTNA, select whether to use Full ZTNA or IP/MAC filtering.

  • Full ZTNA allows users to securely access resources through a SSL encrypted access proxy. This simplifies remote access by eliminating the use of VPNs.

  • IP/MAC filtering uses ZTNA tags to provide an additional factor for identification and security posture check to implement role-based zero trust access.

ZTNA Server

Select one or more ZTNA servers to use.

ZTNA Tag

Select one or more ZTNA tags to use.

Incoming Interface

Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Outgoing Interface

Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Source

Click +. A window slides out from the right where you can select from the available sources.

You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses.

When the field is selected, a window slides out from the right. Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source.

Destination

Click +. A window slides out from the right where you can select from the available destinations.

You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses.

Negate Destination

Enable to use all destinations except the ones specified in the Destination field.

Schedule

Select a schedule from the drop-down list. Click Create to create a schedule. For more information, see Schedules.

Service

Select a service or service group that packets must match to trigger this policy. Click Create to create a service list. See Services.

You can add multiple services or service groups.

Action

Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.

  • ACCEPT—Accept traffic matched by the policy.

  • DENY—Reject traffic matched by the policy.

  • REDIRECT—Redirect traffic matched by the policy to the URL specified in the Redirect URL field.

  • ISOLATE—Isolate traffic matched by the policy to the isolator server selected in the Isolator Server drop-down list.

Web Cache

Enable or disable web caching.

Reverse Cache

Enable to use reverse proxy web caching.

This option is available only if the Action is Accept and Web Cache is enabled.

Web Cache For HTTPS Traffic

Enable or disable web caching for HTTPS traffic.

Status

Enable or disable WAN optimization for traffic accepted by the policy. If Status is enabled, select Active, Passive, or Manual.

Profiles

If you enabled Status and selected Active or Manual WAN optimization, select a profile to use for WAN optimization. SeeCreate or edit a WAN optimization profile.

Passive Option

If you enabled Status and selected Passive WAN optimization, select Default, Non-transparent, or Transparent.

Peers

If you enabled Status and selected Manual WAN optimization, select a WAN peer. See Create or edit a WAN optimization peer.

Scan Outgoing Connections to Botnet Sites

Select Disable or Block to protect from botnet and command-and-control traffic.

Webproxy Profile

If you configured a web proxy profile, enable this option and then select the web proxy profile from the drop-down list. See Web Proxy Profile.

Web Proxy Forwarding Server

If you configured a web proxy forwarding server, enable this option and then select a server from the drop-down list. See Create or edit a forwarding server.

Force Proxy

Enable or disable whether proxying will be forced.

Protocol Options

Select the proxy options profilefor the policy to use. See Proxy Options.

SSL/SSH Inspection

The SSL/SSH inspection options used by the policy. See SSL/SSH Inspection.

Display Disclaimer

If you want to display a disclaimer about Internet content that is not controlled by the network access provider, select By Domain, By Policy, or By User.

This option is available only if Action is set to ACCEPT.

Customize Messages

Enable and then edit the existing message or create a message.

This option is available only if Display Disclaimer is set to By Domain, By Policy, or By User.

Security Profiles

Select the security profiles to apply to the policy.

These options are available only if Action is set to ACCEPT.

AntiVirus

Enable the antivirus profile and select or create a profile from the drop-down list. See AntiVirus.

Web Filter

Enable the web filter profile and select or create a profile from the drop-down list. See Web Filter.

DNS Filter

Enable the DNS filter profile and select or create a profile from the drop-down list. See DNS Filter.

Application Control

Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor.

IPS

Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor.

DLP Sensor

Enable DLP sensors and select or create a sensor from the drop-down list. See Data Leak Prevention.

Content Analysis

Enable the Content Analysis profile and select or create a profile from the drop-down list. See Create or edit an Image Analysis profile.

ICAP

Enable the ICAP profile and select or create a profile from the drop-down list. See Create or edit an ICAP profile.

Log Allowed Traffic

Enable and then select Security Events or All Sessions.

This option is available only if Action is set to ACCEPT, REDIRECT, or ISOLATE.

Generate Logs when Session Starts

Enable or disable logging when the session starts.

Log HTTP Transaction

Configure the logging of HTTP transactions:

  • All—Log all HTTP transactions.

  • Security Profiles (default)—Log HTTP transaction on UTM event.

  • Disable—Disable HTTP transaction log.

When All or Security Profiles is selected, you can find the HTTP transaction logs under Log & Report > HTTP Transaction. See Types of logs.

Comments

Enter a description up to 1,023 characters to describe the policy.

Enable this policy

Enable to use this policy.

Enable Policy Matching Pass Through

Enable to make the policy a pass-through policy. Disabled by default.

When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy.

Enable SSH policy check

Enable or disable whether to redirect SSH traffic to the matching proxy policy. See SSH policy matching.

Extended Log

Enable or disable the recording of extended log for implicit policies. The extended log includes the useragent, referralurl, httpmethod, and statuscode fields.

To configure an FTP policy:

Type

Select FTP. See Policy types.

Name

Enter a unique name for the new policy. Names can be changed later.

Outgoing Interface

Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Source

Click +. A window slides out from the right where you can select from the available sources.

You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses.

When the field is selected, a window slides out from the right. Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source.

Destination

Click +. A window slides out from the right where you can select from the available destinations.

You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses.

Negate Destination

Enable to use all destinations except the ones specified in the Destination field.

Schedule

Select a schedule from the drop-down list. Select Create to create a schedule. For more information, see Schedules.

Action

Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.

  • ACCEPT—Accept traffic matched by the policy.

  • DENY—Reject traffic matched by the policy.

Security Profiles

Select the security profiles to apply to the policy.

These options are available only if Action is set to ACCEPT.

AntiVirus

Enable the antivirus profile and select or create a profile from the drop-down list. See AntiVirus.

IPS

Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor.

DLP Sensor

Enable DLP sensors and select or create a sensor from the drop-down list. See Data Leak Prevention.

Log Allowed Traffic

Enable and then select Security Events or All Sessions.

This option is available only if Action is set to ACCEPT.

Generate Logs when Session Starts

Enable or disable logging when the session starts.

Comments

Enter a description up to 1,023 characters to describe the policy.

Enable this policy

Enable to use this policy.

Enable Policy Matching Pass Through

Enable to make the policy a pass-through policy. Disabled by default.

When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy.

To configure an SSH tunnel policy:

Type

Select SSH Tunnel. See Policy types.

Name

Enter a unique name for the new policy. Names can be changed later.

Incoming Interface

Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Outgoing Interface

Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Source

Click +. A window slides out from the right where you can select from the available sources.

You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses.

When the field is selected, a window slides out from the right. Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source.

Destination

Click +. A window slides out from the right where you can select from the available destinations.

You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses.

Negate Destination

Enable to use all destinations except the ones specified in the Destination field.

Schedule

Select a schedule from the drop-down list. Click Create to create a schedule. For more information, see Schedules.

Service

Select a service or service group that packets must match to trigger this policy. Click Create to create a service list. See Services.

You can add multiple services or service groups.

Action

Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.

  • ACCEPT—Accept traffic matched by the policy.

  • DENY—Reject traffic matched by the policy.

Security Profiles

Select the security profiles to apply to the policy.

These options are available only if Action is set to ACCEPT.

Application Control

Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor.

IPS

Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor.

Logging Options

This section is available only if Action is set to ACCEPT.

Log Allowed Traffic

Enable and then select Security Events or All Sessions.

This option is available only if Action is set to ACCEPT.

Generate Logs when Session Starts

Enable or disable logging when the session starts.

Comments

Enter a description up to 1,023 characters to describe the policy.

Enable this policy

Enable to use this policy.

Enable Policy Matching Pass Through

Enable to make the policy a pass-through policy. Disabled by default.

When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy.

To configure an SSH proxy policy:

Type

Select SSH Proxy. See Policy types.

Name

Enter a unique name for the new policy. Names can be changed later.

Outgoing Interface

Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Source

Click +. A window slides out from the right where you can select from the available sources.

You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses.

When the field is selected, a window slides out from the right. Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source.

Destination

Click +. A window slides out from the right where you can select from the available destinations.

You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses.

Negate Destination

Enable to use all destinations except the ones specified in the Destination field.

Schedule

Select a schedule from the drop-down list. Click Create to create a schedule. For more information, see Schedules.

Action

Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.

  • ACCEPT—Accept traffic matched by the policy.

  • DENY—Reject traffic matched by the policy.

Security Profiles

Select the security profiles to apply to the policy.

These options are available only if Action is set to ACCEPT.

Application Control

Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor.

IPS

Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor.

Logging Options

This section is available only if Action is set to ACCEPT.

Log Allowed Traffic

Enable and then select Security Events or All Sessions.

This option is available only if Action is set to ACCEPT.

Generate Logs when Session Starts

Enable or disable logging when the session starts.

Comments

Enter a description up to 1,023 characters to describe the policy.

Enable this policy

Enable to use this policy.

Enable Policy Matching Pass Through

Enable to make the policy a pass-through policy. Disabled by default.

When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy.

To configure a WAN-optimization tunnel policy:

Type

Select Wanopt. See Policy types.

Name

Enter a unique name for the new policy. Names can be changed later.

Outgoing Interface

Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Source

Click +. A window slides out from the right where you can select from the available sources.

You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses.

When the field is selected, a window slides out from the right. Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source.

Destination

Click +. A window slides out from the right where you can select from the available destinations.

You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses.

Negate Destination

Enable to use all destinations except the ones specified in the Destination field.

Schedule

Select a schedule from the drop-down list. Click Create to create a schedule. For more information, see Schedules.

Service

Select a service or service group that packets must match to trigger this policy. Click Create to create a service list. See Services.

You can add multiple services or service groups.

Action

Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.

  • ACCEPT—Accept traffic matched by the policy.

  • DENY—Reject traffic matched by the policy.

Web Cache

Enable or disable web caching.

Reverse Cache

Enable to use reverse proxy web caching.

This option is available only if the Action is Accept and Web Cache is enabled.

Web Cache For HTTPS Traffic

Enable or disable web caching for HTTPS traffic.

Security Profiles

Select the security profiles to apply to the policy.

These options are available only if Action is set to ACCEPT.

AntiVirus

Enable the antivirus profile and select or create a profile from the drop-down list. See AntiVirus.

Web Filter

Enable the web filter profile and select or create a profile from the drop-down list. See Web Filter.

Application Control

Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor.

IPS

Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor.

DLP Sensor

Enable DLP sensors and select or create a sensor from the drop-down list. See Data Leak Prevention.

Content Analysis

Enable the Content Analysis profile and select or create a profile from the drop-down list. See Create or edit an Image Analysis profile.

Log Allowed Traffic

Enable and then select Security Events or All Sessions.

This option is available only if Action is set to ACCEPT.

Generate Logs when Session Starts

Enable or disable logging when the session starts.

Comments

Enter a description up to 1,023 characters to describe the policy.

Enable this policy

Enable to use this policy.

Enable Policy Matching Pass Through

Enable to make the policy a pass-through policy. Disabled by default.

When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy.

Web cache policy address formats

A source or destination address can contain one or more network addresses. Network addresses can be represented by an IP address with a netmask or an IP address range.

When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a source or destination address can be any of the following:

  • a single computer, for example, 192.45.46.45
  • a subnetwork, for example, 192.168.1.* for a class C subnet
  • 0.0.0.0 matches any IP address

The netmask corresponds to the subnet class of the address being added and can be represented in either dotted decimal or CIDR format. The FortiProxy unit automatically converts CIDR-formatted netmasks to dotted decimal format. Example formats:

  • netmask for a single computer: 255.255.255.255 or /32
  • netmask for a class A subnet: 255.0.0.0 or /8
  • netmask for a class B subnet: 255.255.0.0 or /16
  • netmask for a class C subnet: 255.255.255.0 or /24
  • netmask including all IP addresses: 0.0.0.0

Valid IP address and netmask formats include:

  • x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
  • x.x.x.x/x, such as 192.168.1.0/24

An IP address 0.0.0.0 with the netmask 255.255.255.255 is not a valid source or destination address.

When representing hosts by an IP address range, the range indicates hosts with continuous IP addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.*, to indicate the complete range of hosts on that subnet. You can also indicate the complete range of hosts on a subnet by entering 192.168.1.[0-255] or 192.168.1.0-192.168.1.255. Valid IP range formats include:

  • x.x.x.x-x.x.x.x, for example, 192.168.110.100-192.168.110.120
  • x.x.x.[x-x], for example, 192.168.110.[100-120]
  • x.x.x.*, for a complete subnet, for example: 192.168.110.*
  • x.x.x.[0-255] for a complete subnet, such as 192.168.110.[0-255]
  • x.x.x.0 -x.x.x.255 for a complete subnet, such as 192.168.110.0 - 192.168.110.255

You cannot use square brackets [ ] or asterisks * when adding addresses to the CLI. Instead you must enter the start and end addresses of the subnet range separated by a dash -. For example, 192.168.20.0-192.168.20.255 for a complete subnet and 192.168.10.10-192.168.10.100 for a range of addresses.

Device ownership

When device ownership is enabled, ownership enforcement is done at policy level. It is disabled by default.

To enable device ownership:
config firewall policy
    edit 2
        set ztna-status enable
        set ztna-ems-tag "FCTEMS_ALL_FORTICLOUD_SERVERS"
        set device-ownership enable
        ...
    next
end

Create or edit a policy

Create or edit a policy

New policies can be created by selecting Create New in the toolbar. By default, the new policy appears at the bottom of the policy list. New policies can also be created above or below an existing policy by right-clicking a policy name and selecting Insert Empty Policy Above or Insert Empty Policy Below or by copying or cutting an existing policy and then selecting Paste Above or Paste Below from the right-click menu.

Editing a policy

Policy information can be edited as required in four ways:

  • By double-clicking on the sequence number of a policy or the policy name in the policy list

  • By selecting a policy and then selecting Edit from the toolbar

  • By hovering over the policy name and then selecting Edit (the pencil icon)

  • By right-clicking on the sequence number of the policy or the policy name and selecting Edit from the right-click menu

The editing window for regular policies contains the same information as when creating new policies.

Policy types

There are six types of policies:

  • Explicit—for an explicit web proxy policy.

    Use an explicit web proxy policy if you want to use the explicit web proxy.

    You can use the FortiProxy explicit web proxy to enable explicit proxying of IPv4 and IPv6 HTTP, and HTTPS traffic on one or more FortiProxy interfaces. The explicit web proxy also supports proxying FTP sessions from a web browser and proxy auto-config (PAC) to provide automatic proxy configurations for explicit web proxy users. From the CLI, you can also configure the explicit web proxy to support SOCKS sessions from a web browser.

    The explicit web and FTP proxies can be operating at the same time on the same or on different FortiProxy interfaces.

    The explicit web proxy receives web browser sessions to be proxied at FortiProxy interfaces with the explicit web proxy enabled. The explicit web proxy uses FortiProxy routing to route sessions through the FortiProxy unit to a destination interface. Before a session leaves the exiting interface, the explicit web proxy changes the source addresses of the session packets to the IP address of the exiting interface. You can configure the explicit web proxy to keep the original client IP address.

  • Transparent—for a transparent firewall policy.

    Use a transparent firewall policy if you want to use the transparent web proxy.

    In addition to the explicit web proxy, the FortiProxy unit supports a transparent web proxy. While it does not have as many features as explicit web proxy, the transparent proxy has the advantage that nothing needs to be done on the userʼs system to forward supported web traffic over to the proxy. There is no need to reconfigure the browser or publish a PAC file. Everything is transparent to the end user, hence the name. This makes it easier to incorporate new users into a proxy deployment.

    You can use the transparent proxy to apply web authentication to HTTP traffic accepted by a firewall policy.

    On networks where authentication based on IP address will not work, you can use the transparent web proxy to apply web authentication that is based on the userʼs browser and not on their IP address. This authentication method allows you to identify individual users even if multiple users on your network are connecting to the FortiProxy unit from the same IP address.

  • FTP—for an explicit FTP proxy policy.

    Use an explicit FTP proxy policy if you want to use the explicit FTP proxy.

    You can use the FortiProxy explicit FTP proxy to enable explicit FTP proxying on one or more FortiProxy interfaces. The explicit web and FTP proxies can be operating at the same time on the same or on different FortiProxy interfaces.

    The FTP proxy receives FTP sessions to be proxied at FortiProxy interfaces with the explicit FTP proxy enabled. The FTP proxy uses FortiProxy routing to route sessions through the FortiProxy unit to a destination interface. Before a session leaves the exiting interface, the explicit FTP proxy changes the source addresses of the session packets to the IP address of the exiting interface.

  • SSH Tunnel—to perform access control for TCP/IP port forwarding traffic that is tunneled through the SSH proxy.

  • SSH Proxy—to apply a proxy firewall policy with user authentication on SSH sessions.

  • Wanopt—for a WAN optimization tunnel.

    All optimized traffic passes between the FortiProxy units or between a FortiClient peer and a FortiProxy unit over a WAN optimization tunnel. Traffic in the tunnel can be sent in plain text or encrypted using AES-128bit-CBC SSL.

    Both plain text and the encrypted tunnels use TCP destination port 7810.

    Before a tunnel can be started, the peers must be configured to authenticate with each other. Then, the clientside peer attempts to start a WAN optimization tunnel with the server-side peer. Once the peers authenticate with each other, they bring up the tunnel and WAN optimization communication over the tunnel starts. After a tunnel has been established, multiple WAN optimization sessions can start and stop between peers without restarting the tunnel.

Configuring a policy

To configure an explicit policy:

Type

Select Explicit. See Policy types.

Name

Enter a unique name for the new policy. Names can be changed later.

Explicit Web Proxy

If you selected Explicit for the policy type, select web-proxy or search for a policy. To create an explicit proxy policy, see Create or edit an explicit proxy.

Outgoing Interface

Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Source

Click +. A window slides out from the right where you can select from the available sources.

You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses.

When the field is selected, a window slides out from the right. Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source.

Destination

Click +. A window slides out from the right where you can select from the available destinations.

You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses.

Negate Destination

Enable to use all destinations except the ones specified in the Destination field.

Schedule

Select a schedule from the drop-down list. Select Create to create a schedule. For more information, see Schedules.

Service

Select a service or service group that packets must match to trigger this policy. Select Create to create a service list. See Services.

You can add multiple services or service groups.

Action

Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.

  • ACCEPT—Accept traffic matched by the policy.

  • DENY—Reject traffic matched by the policy.

  • REDIRECT—Redirect traffic matched by the policy to the URL specified in the Redirect URL field.

  • ISOLATE—Isolate traffic matched by the policy to the isolator server selected in the Isolator Server drop-down list.

Web Cache

Enable or disable web caching.

Reverse Cache

Enable to use reverse proxy web caching.

This option is available only if the Action is Accept and Web Cache is enabled.

Web Cache For HTTPS Traffic

Enable or disable web caching for HTTPS traffic.

Transparent

Enable or disable transparent proxy.

Poolname

If you configured an IP pool, enable this option and then select the IP pool from the drop-down list.

Webproxy Profile

If you configured a web proxy profile, enable this option and then select the web proxy profile from the drop-down list. See Web Proxy Profile.

Web Proxy Forwarding Server

If you configured a web proxy forwarding server, enable this option and then select a server from the drop-down list. See Create or edit a forwarding server.

Protocol Options

Select the proxy options profilefor the policy to use. See Proxy Options.

SSL/SSH Inspection

The SSL/SSH inspection options used by the policy. See SSL/SSH Inspection.

Display Disclaimer

If you want to display a disclaimer about Internet content that is not controlled by the network access provider, select By Domain, By Policy, or By User.

This option is available only if Action is set to ACCEPT.

Customize Messages

Enable and then edit the existing message or create a message.

This option is available only if Display Disclaimer is set to By Domain, By Policy, or By User.

Security Profiles

Select the security profiles to apply to the policy.

These options are available only if Action is set to ACCEPT.

AntiVirus

Enable the antivirus profile and select or create a profile from the drop-down list. See AntiVirus.

Web Filter

Enable the web filter profile and select or create a profile from the drop-down list. See Web Filter.

Application Control

Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor.

IPS

Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor.

DLP Sensor

Enable DLP sensors and select or create a sensor from the drop-down list. See Data Leak Prevention.

Content Analysis

Enable the Content Analysis profile and select or create a profile from the drop-down list. See Create or edit an Image Analysis profile.

ICAP

Enable the ICAP profile and select or create a profile from the drop-down list. See Create or edit an ICAP profile.

Log Allowed Traffic

Enable and then select Security Events or All Sessions.

This option is available only if Action is set to ACCEPT, REDIRECT, or ISOLATE.

Generate Logs when Session Starts

Enable or disable logging when the session starts.

Log HTTP Transaction

Configure the logging of HTTP transactions:

  • All—Log all HTTP transactions.

  • Security Profiles (default)—Log HTTP transaction on UTM event.

  • Disable—Disable HTTP transaction log.

When All or Security Profiles is selected, you can find the HTTP transaction logs under Log & Report > HTTP Transaction. See Types of logs.

Comments

Enter a description up to 1,023 characters to describe the policy.

Enable this policy

Enable to use this policy.

Enable Policy Matching Pass Through

Enable to make the policy a pass-through policy. Disabled by default.

When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy.

Enable SSH policy check

Enable or disable whether to redirect SSH traffic to the matching proxy policy. See SSH policy matching.

Extended Log

Enable or disable the recording of extended log for implicit policies. The extended log includes the useragent, referralurl, httpmethod, and statuscode fields.

To configure a transparent policy:

Type

Select Transparent. See Policy types.

Name

Enter a unique name for the new policy. Names can be changed later.

ZTNA

Enable or disable Zero Trust Network Access (ZTNA). If you enable ZTNA, select whether to use Full ZTNA or IP/MAC filtering.

  • Full ZTNA allows users to securely access resources through a SSL encrypted access proxy. This simplifies remote access by eliminating the use of VPNs.

  • IP/MAC filtering uses ZTNA tags to provide an additional factor for identification and security posture check to implement role-based zero trust access.

ZTNA Server

Select one or more ZTNA servers to use.

ZTNA Tag

Select one or more ZTNA tags to use.

Incoming Interface

Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Outgoing Interface

Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Source

Click +. A window slides out from the right where you can select from the available sources.

You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses.

When the field is selected, a window slides out from the right. Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source.

Destination

Click +. A window slides out from the right where you can select from the available destinations.

You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses.

Negate Destination

Enable to use all destinations except the ones specified in the Destination field.

Schedule

Select a schedule from the drop-down list. Click Create to create a schedule. For more information, see Schedules.

Service

Select a service or service group that packets must match to trigger this policy. Click Create to create a service list. See Services.

You can add multiple services or service groups.

Action

Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.

  • ACCEPT—Accept traffic matched by the policy.

  • DENY—Reject traffic matched by the policy.

  • REDIRECT—Redirect traffic matched by the policy to the URL specified in the Redirect URL field.

  • ISOLATE—Isolate traffic matched by the policy to the isolator server selected in the Isolator Server drop-down list.

Web Cache

Enable or disable web caching.

Reverse Cache

Enable to use reverse proxy web caching.

This option is available only if the Action is Accept and Web Cache is enabled.

Web Cache For HTTPS Traffic

Enable or disable web caching for HTTPS traffic.

Status

Enable or disable WAN optimization for traffic accepted by the policy. If Status is enabled, select Active, Passive, or Manual.

Profiles

If you enabled Status and selected Active or Manual WAN optimization, select a profile to use for WAN optimization. SeeCreate or edit a WAN optimization profile.

Passive Option

If you enabled Status and selected Passive WAN optimization, select Default, Non-transparent, or Transparent.

Peers

If you enabled Status and selected Manual WAN optimization, select a WAN peer. See Create or edit a WAN optimization peer.

Scan Outgoing Connections to Botnet Sites

Select Disable or Block to protect from botnet and command-and-control traffic.

Webproxy Profile

If you configured a web proxy profile, enable this option and then select the web proxy profile from the drop-down list. See Web Proxy Profile.

Web Proxy Forwarding Server

If you configured a web proxy forwarding server, enable this option and then select a server from the drop-down list. See Create or edit a forwarding server.

Force Proxy

Enable or disable whether proxying will be forced.

Protocol Options

Select the proxy options profilefor the policy to use. See Proxy Options.

SSL/SSH Inspection

The SSL/SSH inspection options used by the policy. See SSL/SSH Inspection.

Display Disclaimer

If you want to display a disclaimer about Internet content that is not controlled by the network access provider, select By Domain, By Policy, or By User.

This option is available only if Action is set to ACCEPT.

Customize Messages

Enable and then edit the existing message or create a message.

This option is available only if Display Disclaimer is set to By Domain, By Policy, or By User.

Security Profiles

Select the security profiles to apply to the policy.

These options are available only if Action is set to ACCEPT.

AntiVirus

Enable the antivirus profile and select or create a profile from the drop-down list. See AntiVirus.

Web Filter

Enable the web filter profile and select or create a profile from the drop-down list. See Web Filter.

DNS Filter

Enable the DNS filter profile and select or create a profile from the drop-down list. See DNS Filter.

Application Control

Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor.

IPS

Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor.

DLP Sensor

Enable DLP sensors and select or create a sensor from the drop-down list. See Data Leak Prevention.

Content Analysis

Enable the Content Analysis profile and select or create a profile from the drop-down list. See Create or edit an Image Analysis profile.

ICAP

Enable the ICAP profile and select or create a profile from the drop-down list. See Create or edit an ICAP profile.

Log Allowed Traffic

Enable and then select Security Events or All Sessions.

This option is available only if Action is set to ACCEPT, REDIRECT, or ISOLATE.

Generate Logs when Session Starts

Enable or disable logging when the session starts.

Log HTTP Transaction

Configure the logging of HTTP transactions:

  • All—Log all HTTP transactions.

  • Security Profiles (default)—Log HTTP transaction on UTM event.

  • Disable—Disable HTTP transaction log.

When All or Security Profiles is selected, you can find the HTTP transaction logs under Log & Report > HTTP Transaction. See Types of logs.

Comments

Enter a description up to 1,023 characters to describe the policy.

Enable this policy

Enable to use this policy.

Enable Policy Matching Pass Through

Enable to make the policy a pass-through policy. Disabled by default.

When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy.

Enable SSH policy check

Enable or disable whether to redirect SSH traffic to the matching proxy policy. See SSH policy matching.

Extended Log

Enable or disable the recording of extended log for implicit policies. The extended log includes the useragent, referralurl, httpmethod, and statuscode fields.

To configure an FTP policy:

Type

Select FTP. See Policy types.

Name

Enter a unique name for the new policy. Names can be changed later.

Outgoing Interface

Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Source

Click +. A window slides out from the right where you can select from the available sources.

You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses.

When the field is selected, a window slides out from the right. Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source.

Destination

Click +. A window slides out from the right where you can select from the available destinations.

You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses.

Negate Destination

Enable to use all destinations except the ones specified in the Destination field.

Schedule

Select a schedule from the drop-down list. Select Create to create a schedule. For more information, see Schedules.

Action

Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.

  • ACCEPT—Accept traffic matched by the policy.

  • DENY—Reject traffic matched by the policy.

Security Profiles

Select the security profiles to apply to the policy.

These options are available only if Action is set to ACCEPT.

AntiVirus

Enable the antivirus profile and select or create a profile from the drop-down list. See AntiVirus.

IPS

Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor.

DLP Sensor

Enable DLP sensors and select or create a sensor from the drop-down list. See Data Leak Prevention.

Log Allowed Traffic

Enable and then select Security Events or All Sessions.

This option is available only if Action is set to ACCEPT.

Generate Logs when Session Starts

Enable or disable logging when the session starts.

Comments

Enter a description up to 1,023 characters to describe the policy.

Enable this policy

Enable to use this policy.

Enable Policy Matching Pass Through

Enable to make the policy a pass-through policy. Disabled by default.

When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy.

To configure an SSH tunnel policy:

Type

Select SSH Tunnel. See Policy types.

Name

Enter a unique name for the new policy. Names can be changed later.

Incoming Interface

Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Outgoing Interface

Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Source

Click +. A window slides out from the right where you can select from the available sources.

You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses.

When the field is selected, a window slides out from the right. Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source.

Destination

Click +. A window slides out from the right where you can select from the available destinations.

You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses.

Negate Destination

Enable to use all destinations except the ones specified in the Destination field.

Schedule

Select a schedule from the drop-down list. Click Create to create a schedule. For more information, see Schedules.

Service

Select a service or service group that packets must match to trigger this policy. Click Create to create a service list. See Services.

You can add multiple services or service groups.

Action

Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.

  • ACCEPT—Accept traffic matched by the policy.

  • DENY—Reject traffic matched by the policy.

Security Profiles

Select the security profiles to apply to the policy.

These options are available only if Action is set to ACCEPT.

Application Control

Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor.

IPS

Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor.

Logging Options

This section is available only if Action is set to ACCEPT.

Log Allowed Traffic

Enable and then select Security Events or All Sessions.

This option is available only if Action is set to ACCEPT.

Generate Logs when Session Starts

Enable or disable logging when the session starts.

Comments

Enter a description up to 1,023 characters to describe the policy.

Enable this policy

Enable to use this policy.

Enable Policy Matching Pass Through

Enable to make the policy a pass-through policy. Disabled by default.

When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy.

To configure an SSH proxy policy:

Type

Select SSH Proxy. See Policy types.

Name

Enter a unique name for the new policy. Names can be changed later.

Outgoing Interface

Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Source

Click +. A window slides out from the right where you can select from the available sources.

You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses.

When the field is selected, a window slides out from the right. Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source.

Destination

Click +. A window slides out from the right where you can select from the available destinations.

You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses.

Negate Destination

Enable to use all destinations except the ones specified in the Destination field.

Schedule

Select a schedule from the drop-down list. Click Create to create a schedule. For more information, see Schedules.

Action

Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.

  • ACCEPT—Accept traffic matched by the policy.

  • DENY—Reject traffic matched by the policy.

Security Profiles

Select the security profiles to apply to the policy.

These options are available only if Action is set to ACCEPT.

Application Control

Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor.

IPS

Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor.

Logging Options

This section is available only if Action is set to ACCEPT.

Log Allowed Traffic

Enable and then select Security Events or All Sessions.

This option is available only if Action is set to ACCEPT.

Generate Logs when Session Starts

Enable or disable logging when the session starts.

Comments

Enter a description up to 1,023 characters to describe the policy.

Enable this policy

Enable to use this policy.

Enable Policy Matching Pass Through

Enable to make the policy a pass-through policy. Disabled by default.

When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy.

To configure a WAN-optimization tunnel policy:

Type

Select Wanopt. See Policy types.

Name

Enter a unique name for the new policy. Names can be changed later.

Outgoing Interface

Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Source

Click +. A window slides out from the right where you can select from the available sources.

You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses.

When the field is selected, a window slides out from the right. Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source.

Destination

Click +. A window slides out from the right where you can select from the available destinations.

You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses.

Negate Destination

Enable to use all destinations except the ones specified in the Destination field.

Schedule

Select a schedule from the drop-down list. Click Create to create a schedule. For more information, see Schedules.

Service

Select a service or service group that packets must match to trigger this policy. Click Create to create a service list. See Services.

You can add multiple services or service groups.

Action

Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.

  • ACCEPT—Accept traffic matched by the policy.

  • DENY—Reject traffic matched by the policy.

Web Cache

Enable or disable web caching.

Reverse Cache

Enable to use reverse proxy web caching.

This option is available only if the Action is Accept and Web Cache is enabled.

Web Cache For HTTPS Traffic

Enable or disable web caching for HTTPS traffic.

Security Profiles

Select the security profiles to apply to the policy.

These options are available only if Action is set to ACCEPT.

AntiVirus

Enable the antivirus profile and select or create a profile from the drop-down list. See AntiVirus.

Web Filter

Enable the web filter profile and select or create a profile from the drop-down list. See Web Filter.

Application Control

Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor.

IPS

Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor.

DLP Sensor

Enable DLP sensors and select or create a sensor from the drop-down list. See Data Leak Prevention.

Content Analysis

Enable the Content Analysis profile and select or create a profile from the drop-down list. See Create or edit an Image Analysis profile.

Log Allowed Traffic

Enable and then select Security Events or All Sessions.

This option is available only if Action is set to ACCEPT.

Generate Logs when Session Starts

Enable or disable logging when the session starts.

Comments

Enter a description up to 1,023 characters to describe the policy.

Enable this policy

Enable to use this policy.

Enable Policy Matching Pass Through

Enable to make the policy a pass-through policy. Disabled by default.

When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy.

Web cache policy address formats

A source or destination address can contain one or more network addresses. Network addresses can be represented by an IP address with a netmask or an IP address range.

When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a source or destination address can be any of the following:

  • a single computer, for example, 192.45.46.45
  • a subnetwork, for example, 192.168.1.* for a class C subnet
  • 0.0.0.0 matches any IP address

The netmask corresponds to the subnet class of the address being added and can be represented in either dotted decimal or CIDR format. The FortiProxy unit automatically converts CIDR-formatted netmasks to dotted decimal format. Example formats:

  • netmask for a single computer: 255.255.255.255 or /32
  • netmask for a class A subnet: 255.0.0.0 or /8
  • netmask for a class B subnet: 255.255.0.0 or /16
  • netmask for a class C subnet: 255.255.255.0 or /24
  • netmask including all IP addresses: 0.0.0.0

Valid IP address and netmask formats include:

  • x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
  • x.x.x.x/x, such as 192.168.1.0/24

An IP address 0.0.0.0 with the netmask 255.255.255.255 is not a valid source or destination address.

When representing hosts by an IP address range, the range indicates hosts with continuous IP addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.*, to indicate the complete range of hosts on that subnet. You can also indicate the complete range of hosts on a subnet by entering 192.168.1.[0-255] or 192.168.1.0-192.168.1.255. Valid IP range formats include:

  • x.x.x.x-x.x.x.x, for example, 192.168.110.100-192.168.110.120
  • x.x.x.[x-x], for example, 192.168.110.[100-120]
  • x.x.x.*, for a complete subnet, for example: 192.168.110.*
  • x.x.x.[0-255] for a complete subnet, such as 192.168.110.[0-255]
  • x.x.x.0 -x.x.x.255 for a complete subnet, such as 192.168.110.0 - 192.168.110.255

You cannot use square brackets [ ] or asterisks * when adding addresses to the CLI. Instead you must enter the start and end addresses of the subnet range separated by a dash -. For example, 192.168.20.0-192.168.20.255 for a complete subnet and 192.168.10.10-192.168.10.100 for a range of addresses.

Device ownership

When device ownership is enabled, ownership enforcement is done at policy level. It is disabled by default.

To enable device ownership:
config firewall policy
    edit 2
        set ztna-status enable
        set ztna-ems-tag "FCTEMS_ALL_FORTICLOUD_SERVERS"
        set device-ownership enable
        ...
    next
end