Fortinet white logo
Fortinet white logo

CLI Reference

config web-proxy explicit-proxy

config web-proxy explicit-proxy

Configure explicit Web proxy settings.

config web-proxy explicit-proxy
    Description: Configure explicit Web proxy settings.
    edit <name>
        set status [enable|disable]
        set interface {string}
        set http [enable|disable]
        set ftp-over-http [enable|disable]
        set socks [enable|disable]
        set http-incoming-port {user}
        set https-incoming-port {user}
        set ftp-incoming-port {user}
        set socks-incoming-port {user}
        set incoming-ip {ipv4-address-any}
        set ipv6-status [enable|disable]
        set incoming-ip6 {ipv6-address}
        set pref-dns-result [ipv4|ipv6]
        set unknown-http-version [reject|best-effort]
        set realm {string}
        set sec-default-action [accept|deny]
        set pac-file-server-status [enable|disable]
        set pac-file-url {user}
        set pac-file-server-port {user}
        set pac-file-name {string}
        set pac-file-data {user}
        set ssl-algorithm [high|medium|...]
        set return-to-sender [enable|disable]
        set detect-https-in-http-request [enable|disable]
        set learn-dst-from-sni [enable|disable]
        set dstport-from-incoming [enable|disable]
    next
end

config web-proxy explicit-proxy

Parameter

Description

Type

Size

Default

name

object name

string

Maximum length: 35

status

Enable/disable the explicit Web proxy for HTTP and HTTPS session.

option

-

disable

Option

Description

enable

Enable the explicit web proxy.

disable

Disable the explicit web proxy.

interface

interface name

string

Maximum length: 15

http

Enable/disable the HTTP & HTTPS proxy.

option

-

enable

Option

Description

enable

Enable the HTTP & HTTPS proxy.

disable

Disable the HTTP & HTTPS proxy.

ftp-over-http

Enable to proxy FTP-over-HTTP sessions sent from a web browser.

option

-

disable

Option

Description

enable

Enable FTP-over-HTTP sessions.

disable

Disable FTP-over-HTTP sessions.

socks

Enable/disable the SOCKS proxy.

option

-

disable

Option

Description

enable

Enable the SOCKS proxy.

disable

Disable the SOCKS proxy.

http-incoming-port

Accept incoming HTTP requests on one or more ports.

user

Not Specified

https-incoming-port

Accept incoming HTTPS requests on one or more ports.

user

Not Specified

ftp-incoming-port

Accept incoming FTP-over-HTTP requests on one or more ports.

user

Not Specified

socks-incoming-port

Accept incoming SOCKS proxy requests on one or more ports.

user

Not Specified

incoming-ip

Restrict the explicit HTTP proxy to only accept sessions from this IP address. An interface must have this IP address.

ipv4-address-any

Not Specified

0.0.0.0

ipv6-status

Enable/disable allowing an IPv6 web proxy destination in policies and all IPv6 related entries in this command.

option

-

disable

Option

Description

enable

Enable allowing an IPv6 web proxy destination.

disable

Disable allowing an IPv6 web proxy destination.

incoming-ip6

Restrict the explicit web proxy to only accept sessions from this IPv6 address. An interface must have this IPv6 address.

ipv6-address

Not Specified

::

pref-dns-result

Prefer resolving addresses using the configured IPv4 or IPv6 DNS server.

option

-

ipv4

Option

Description

ipv4

Prefer the IPv4 DNS server.

ipv6

Prefer the IPv6 DNS server.

unknown-http-version

How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1.

option

-

reject

Option

Description

reject

Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.

best-effort

Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, it may not parse correctly and the connection may be lost.

realm

Authentication realm used to identify the explicit web proxy (maximum of 63 characters).

string

Maximum length: 63

default

sec-default-action

Accept or deny explicit web proxy sessions when no web proxy firewall policy exists.

option

-

deny

Option

Description

accept

Accept requests. All explicit web proxy traffic is accepted whether there is an explicit web proxy policy or not.

deny

Deny requests unless there is a matching explicit web proxy policy.

pac-file-server-status

Enable/disable Proxy Auto-Configuration (PAC) for users of this explicit proxy profile.

option

-

disable

Option

Description

enable

Enable Proxy Auto-Configuration (PAC).

disable

Disable Proxy Auto-Configuration (PAC).

pac-file-url

PAC file access URL.

user

Not Specified

pac-file-server-port

Port number that PAC traffic from client web browsers uses to connect to the explicit web proxy.

user

Not Specified

pac-file-name

Pac file name.

string

Maximum length: 63

proxy.pac

pac-file-data

PAC file contents enclosed in quotes (maximum of 256K bytes).

user

Not Specified

ssl-algorithm

Relative strength of encryption algorithms accepted in HTTPS deep scan: high, medium, or low.

option

-

low

Option

Description

high

High encrption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

return-to-sender

Enable/disable return-to-sender.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

detect-https-in-http-request

Enable/disable detecting SSL in HTTP request line.

option

-

disable

Option

Description

enable

Enable detecting SSL in HTTP request line.

disable

Disable detecting SSL in HTTP request line.

learn-dst-from-sni

Enable/disable learning destination from SNI in client hello.

option

-

disable

Option

Description

enable

Enable learning destination from SNI in client hello.

disable

Disable learning destination from SNI in client hello.

dstport-from-incoming

Enable/disable reusing incoming port to connect to server.

option

-

disable

Option

Description

enable

Enable reusing incoming port to connect to server.

disable

Disable reusing incoming port to connect to server.

config web-proxy explicit-proxy

config web-proxy explicit-proxy

Configure explicit Web proxy settings.

config web-proxy explicit-proxy
    Description: Configure explicit Web proxy settings.
    edit <name>
        set status [enable|disable]
        set interface {string}
        set http [enable|disable]
        set ftp-over-http [enable|disable]
        set socks [enable|disable]
        set http-incoming-port {user}
        set https-incoming-port {user}
        set ftp-incoming-port {user}
        set socks-incoming-port {user}
        set incoming-ip {ipv4-address-any}
        set ipv6-status [enable|disable]
        set incoming-ip6 {ipv6-address}
        set pref-dns-result [ipv4|ipv6]
        set unknown-http-version [reject|best-effort]
        set realm {string}
        set sec-default-action [accept|deny]
        set pac-file-server-status [enable|disable]
        set pac-file-url {user}
        set pac-file-server-port {user}
        set pac-file-name {string}
        set pac-file-data {user}
        set ssl-algorithm [high|medium|...]
        set return-to-sender [enable|disable]
        set detect-https-in-http-request [enable|disable]
        set learn-dst-from-sni [enable|disable]
        set dstport-from-incoming [enable|disable]
    next
end

config web-proxy explicit-proxy

Parameter

Description

Type

Size

Default

name

object name

string

Maximum length: 35

status

Enable/disable the explicit Web proxy for HTTP and HTTPS session.

option

-

disable

Option

Description

enable

Enable the explicit web proxy.

disable

Disable the explicit web proxy.

interface

interface name

string

Maximum length: 15

http

Enable/disable the HTTP & HTTPS proxy.

option

-

enable

Option

Description

enable

Enable the HTTP & HTTPS proxy.

disable

Disable the HTTP & HTTPS proxy.

ftp-over-http

Enable to proxy FTP-over-HTTP sessions sent from a web browser.

option

-

disable

Option

Description

enable

Enable FTP-over-HTTP sessions.

disable

Disable FTP-over-HTTP sessions.

socks

Enable/disable the SOCKS proxy.

option

-

disable

Option

Description

enable

Enable the SOCKS proxy.

disable

Disable the SOCKS proxy.

http-incoming-port

Accept incoming HTTP requests on one or more ports.

user

Not Specified

https-incoming-port

Accept incoming HTTPS requests on one or more ports.

user

Not Specified

ftp-incoming-port

Accept incoming FTP-over-HTTP requests on one or more ports.

user

Not Specified

socks-incoming-port

Accept incoming SOCKS proxy requests on one or more ports.

user

Not Specified

incoming-ip

Restrict the explicit HTTP proxy to only accept sessions from this IP address. An interface must have this IP address.

ipv4-address-any

Not Specified

0.0.0.0

ipv6-status

Enable/disable allowing an IPv6 web proxy destination in policies and all IPv6 related entries in this command.

option

-

disable

Option

Description

enable

Enable allowing an IPv6 web proxy destination.

disable

Disable allowing an IPv6 web proxy destination.

incoming-ip6

Restrict the explicit web proxy to only accept sessions from this IPv6 address. An interface must have this IPv6 address.

ipv6-address

Not Specified

::

pref-dns-result

Prefer resolving addresses using the configured IPv4 or IPv6 DNS server.

option

-

ipv4

Option

Description

ipv4

Prefer the IPv4 DNS server.

ipv6

Prefer the IPv6 DNS server.

unknown-http-version

How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1.

option

-

reject

Option

Description

reject

Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.

best-effort

Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, it may not parse correctly and the connection may be lost.

realm

Authentication realm used to identify the explicit web proxy (maximum of 63 characters).

string

Maximum length: 63

default

sec-default-action

Accept or deny explicit web proxy sessions when no web proxy firewall policy exists.

option

-

deny

Option

Description

accept

Accept requests. All explicit web proxy traffic is accepted whether there is an explicit web proxy policy or not.

deny

Deny requests unless there is a matching explicit web proxy policy.

pac-file-server-status

Enable/disable Proxy Auto-Configuration (PAC) for users of this explicit proxy profile.

option

-

disable

Option

Description

enable

Enable Proxy Auto-Configuration (PAC).

disable

Disable Proxy Auto-Configuration (PAC).

pac-file-url

PAC file access URL.

user

Not Specified

pac-file-server-port

Port number that PAC traffic from client web browsers uses to connect to the explicit web proxy.

user

Not Specified

pac-file-name

Pac file name.

string

Maximum length: 63

proxy.pac

pac-file-data

PAC file contents enclosed in quotes (maximum of 256K bytes).

user

Not Specified

ssl-algorithm

Relative strength of encryption algorithms accepted in HTTPS deep scan: high, medium, or low.

option

-

low

Option

Description

high

High encrption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

return-to-sender

Enable/disable return-to-sender.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

detect-https-in-http-request

Enable/disable detecting SSL in HTTP request line.

option

-

disable

Option

Description

enable

Enable detecting SSL in HTTP request line.

disable

Disable detecting SSL in HTTP request line.

learn-dst-from-sni

Enable/disable learning destination from SNI in client hello.

option

-

disable

Option

Description

enable

Enable learning destination from SNI in client hello.

disable

Disable learning destination from SNI in client hello.

dstport-from-incoming

Enable/disable reusing incoming port to connect to server.

option

-

disable

Option

Description

enable

Enable reusing incoming port to connect to server.

disable

Disable reusing incoming port to connect to server.