CLI Reference

FortiProxy CLI Interface
alertemail
- config alertemail setting
antivirus
- config antivirus exempt-list
- config antivirus profile
- config antivirus quarantine
- config antivirus settings
application
- config application custom
- config application group
- config application list
- config application name
- config application rule-settings
authentication
- config authentication rule
- config authentication scheme
- config authentication setting
automation
- config automation setting
casb
- config casb profile
- config casb saas-application
- config casb user-activity
certificate
- config certificate ca
- config certificate crl
- config certificate local
- config certificate remote
diameter-filter
- config diameter-filter profile
dlp
- config dlp data-type
- config dlp dictionary
- config dlp exact-data-match
- config dlp filepattern
- config dlp fp-doc-source
- config dlp profile
- config dlp sensitivity
- config dlp sensor
- config dlp settings
dnsfilter
- config dnsfilter domain-filter
- config dnsfilter profile
emailfilter
- config emailfilter block-allow-list
- config emailfilter bword
- config emailfilter dnsbl
- config emailfilter fortishield
- config emailfilter iptrust
- config emailfilter mheader
- config emailfilter options
- config emailfilter profile
endpoint-control
- config endpoint-control fctems-override
- config endpoint-control fctems
- config endpoint-control settings
file-filter
- config file-filter profile
firewall
- config firewall access-proxy-ssh-client-cert
- config firewall access-proxy-virtual-host
- config firewall access-proxy
- config firewall access-proxy6
- config firewall address
- config firewall address6-template
- config firewall address6
- config firewall addrgrp
- config firewall addrgrp6
- config firewall auth-portal
- config firewall central-snat-map
- config firewall city
- config firewall country
- config firewall decrypted-traffic-mirror
- config firewall global
- config firewall identity-based-route
- config firewall internet-service-addition
- config firewall internet-service-append
- config firewall internet-service-botnet
- config firewall internet-service-custom-group
- config firewall internet-service-custom
- config firewall internet-service-definition
- config firewall internet-service-extension
- config firewall internet-service-group
- config firewall internet-service-ipbl-reason
- config firewall internet-service-ipbl-vendor
- config firewall internet-service-list
- config firewall internet-service-name
- config firewall internet-service-owner
- config firewall internet-service-reputation
- config firewall internet-service-sld
- config firewall internet-service-subapp
- config firewall internet-service
- config firewall ippool
- config firewall ippool6
- config firewall network-service-dynamic
- config firewall on-demand-sniffer
- config firewall policy
- config firewall profile-group
- config firewall profile-protocol-options
- config firewall proxy-address
- config firewall proxy-address6
- config firewall proxy-addrgrp
- config firewall proxy-addrgrp6
- config firewall region
- config firewall schedule group
- config firewall schedule onetime
- config firewall schedule recurring
- config firewall service category
- config firewall service custom
- config firewall service group
- config firewall shaper per-ip-shaper
- config firewall shaper traffic-shaper
- config firewall shaping-policy
- config firewall shaping-profile
- config firewall sniffer
- config firewall ssh host-key
- config firewall ssh local-ca
- config firewall ssh local-key
- config firewall ssh setting
- config firewall ssl-server
- config firewall ssl-ssh-profile
- config firewall ssl default-certificate
- config firewall ssl keyring-list
- config firewall ssl setting
- config firewall traffic-class
- config firewall ttl-policy
- config firewall vendor-mac-summary
- config firewall vendor-mac
- config firewall vip
- config firewall vipgrp
- config firewall wildcard-fqdn custom
- config firewall wildcard-fqdn group
ftp-proxy
- config ftp-proxy explicit
hardware
- config hardware cpu
- config hardware memory
- config hardware nic
- config hardware status
icap
- config icap local-server
- config icap profile
- config icap remote-server-group
- config icap remote-server
image-analyzer
- config image-analyzer profile
ips
- config ips custom
- config ips decoder
- config ips global
- config ips rule-settings
- config ips rule
- config ips sensor
- config ips session
- config ips settings
- config ips view-map
ipsec
- config ipsec tunnel
isolator
- config isolator profile
- config isolator setting
l2vpn
- config l2vpn evpn instance
- config l2vpn evpn table
log
- config log custom-field
- config log disk filter
- config log disk setting
- config log eventfilter
- config log fortianalyzer-cloud filter
- config log fortianalyzer-cloud override-filter
- config log fortianalyzer-cloud override-setting
- config log fortianalyzer-cloud setting
- config log fortianalyzer2 filter
- config log fortianalyzer2 override-filter
- config log fortianalyzer2 override-setting
- config log fortianalyzer2 setting
- config log fortianalyzer3 filter
- config log fortianalyzer3 override-filter
- config log fortianalyzer3 override-setting
- config log fortianalyzer3 setting
- config log fortianalyzer filter
- config log fortianalyzer override-filter
- config log fortianalyzer override-setting
- config log fortianalyzer setting
- config log fortiguard filter
- config log fortiguard override-filter
- config log fortiguard override-setting
- config log fortiguard setting
- config log gui-display
- config log memory filter
- config log memory global-setting
- config log memory setting
- config log null-device filter
- config log null-device setting
- config log setting
- config log syslogd2 filter
- config log syslogd2 override-filter
- config log syslogd2 override-setting
- config log syslogd2 setting
- config log syslogd3 filter
- config log syslogd3 override-filter
- config log syslogd3 override-setting
- config log syslogd3 setting
- config log syslogd4 filter
- config log syslogd4 override-filter
- config log syslogd4 override-setting
- config log syslogd4 setting
- config log syslogd filter
- config log syslogd override-filter
- config log syslogd override-setting
- config log syslogd setting
- config log tacacs+accounting2 filter
- config log tacacs+accounting2 setting
- config log tacacs+accounting3 filter
- config log tacacs+accounting3 setting
- config log tacacs+accounting filter
- config log tacacs+accounting setting
- config log threat-weight
- config log webtrends filter
- config log webtrends setting
mgmt-data
- config mgmt-data status
oaas
- config oaas status
report
- config report layout
- config report setting
- config report sql status
router
- config router policy
- config router static
- config router static6
rule
- config rule fmwp
- config rule otdt
- config rule otvp
ssh-filter
- config ssh-filter profile
system
- config system accprofile
- config system acme
- config system admin
- config system affinity-interrupt
- config system affinity-packet-redistribution
- config system alarm
- config system alias
- config system api-user
- config system arp-table
- config system arp
- config system auto-install
- config system auto-script
- config system auto-update status
- config system auto-update versions
- config system automation-action
- config system automation-destination
- config system automation-stitch
- config system automation-trigger
- config system autoupdate schedule
- config system autoupdate tunneling
- config system central-management
- config system central-mgmt
- config system checksum status
- config system cmdb
- config system console
- config system csf
- config system custom-language
- config system ddns
- config system device-upgrade
- config system dhcp6 server
- config system dhcp server
- config system dns-database
- config system dns-server
- config system dns
- config system dscp-based-priority
- config system email-server
- config system external-resource
- config system fabric-vpn
- config system federated-upgrade
- config system fips-cc
- config system fortianalyzer-connectivity
- config system fortiguard-log-service
- config system fortiguard-service
- config system fortiguard
- config system fortindr
- config system fortisandbox
- config system fsso-polling
- config system ftm-push
- config system geoip-country
- config system geoip-override
- config system global
- config system gre-tunnel
- config system ha-lic
- config system ha-monitor
- config system ha-nonsync-csum
- config system ha
- config system info admin ssh
- config system info admin status
- config system interface
- config system ip-conflict status
- config system ipam
- config system ips-urlfilter-dns
- config system ips-urlfilter-dns6
- config system ips
- config system ipv6-neighbor-cache
- config system link-monitor
- config system management-tunnel
- config system mgmt-csum
- config system nethsm
- config system network-visibility
- config system ntp
- config system object-tagging
- config system password-policy-guest-admin
- config system password-policy
- config system performance status
- config system performance top
- config system probe-response
- config system proxy-arp
- config system ptp
- config system replacemsg-group
- config system replacemsg-image
- config system replacemsg admin
- config system replacemsg alertmail
- config system replacemsg auth
- config system replacemsg automation
- config system replacemsg custom-message
- config system replacemsg fortiguard-wf
- config system replacemsg ftp
- config system replacemsg http
- config system replacemsg icap
- config system replacemsg mail
- config system replacemsg nac-quar
- config system replacemsg spam
- config system replacemsg sslvpn
- config system replacemsg traffic-quota
- config system replacemsg utm
- config system replacemsg webproxy
- config system resource-limits
- config system saml
- config system sdn-connector
- config system sdn-proxy
- config system session-ttl
- config system session
- config system session6
- config system settings
- config system sms-server
- config system snmp community
- config system snmp mib-view
- config system snmp sysinfo
- config system snmp user
- config system source-ip status
- config system span-port
- config system speed-test-schedule
- config system speed-test-server
- config system speed-test-setting
- config system ssh-config
- config system sso-admin
- config system sso-forticloud-admin
- config system sso-fortigate-cloud-admin
- config system startup-error-log
- config system status
- config system storage
- config system timezone
- config system vdom-dns
- config system vdom-exception
- config system vdom-link
- config system vdom-property
- config system vdom-radius-server
- config system vdom
- config system vne-tunnel
- config system vxlan
- config system wccp
- config system zone
test
- config test acd
- config test acsd
- config test autod
- config test awsd
- config test azd
- config test bfd
- config test cloudapid
- config test csfd
- config test ddnscd
- config test dhcp6c
- config test dhcp6r
- config test dhcprelay
- config test dlpfingerprint
- config test dlpfpcache
- config test dnsproxy
- config test dsd
- config test eap_supp
- config test evpn
- config test fas
- config test fcnacd
- config test fds_notify
- config test fgtlogd
- config test fnbamd
- config test forticldd
- config test forticron
- config test fsd
- config test fsvrd
- config test gcpd
- config test harelay
- config test hasync
- config test hatalk
- config test ibmd
- config test imap
- config test init
- config test iotd
- config test ipamd
- config test ipamsd
- config test ipldbd
- config test ipsengine
- config test ipsmonitor
- config test ipsufd
- config test kmipd
- config test kubed
- config test l2tpcd
- config test lnkmtd
- config test locallogd
- config test miglogd
- config test mrd
- config test netxd
- config test nntp
- config test ocid
- config test openstackd
- config test ovrd
- config test pcpd
- config test pop3
- config test pptpcd
- config test quarantined
- config test radius-das
- config test radiusd
- config test radvd
- config test reportd
- config test sdncd
- config test sdnd
- config test sepmd
- config test sessionsync
- config test sfupgraded
- config test smtp
- config test snmpd
- config test syslogd
- config test updated
- config test uploadd
- config test urlfilter
- config test vned
- config test wad
- config test wccpd
- config test wf_monitor
- config test wiredapd
user
- config user adgrp
- config user certificate
- config user domain-controller
- config user exchange
- config user external-identity-provider
- config user fortitoken
- config user fsso-polling
- config user fsso
- config user group
- config user krb-keytab
- config user ldap
- config user local
- config user password-policy
- config user peer
- config user peergrp
- config user pop3
- config user radius
- config user saml
- config user security-exempt-list
- config user setting
- config user tacacs+
videofilter
- config videofilter keyword
- config videofilter profile
- config videofilter youtube-key
virtual-patch
- config virtual-patch profile
vpn
- config vpn certificate ca
- config vpn certificate crl
- config vpn certificate local
- config vpn certificate ocsp-server
- config vpn certificate remote
- config vpn certificate setting
- config vpn ipsec phase1-interface
- config vpn ipsec phase2-interface
- config vpn qkd
waf
- config waf main-class
- config waf profile
- config waf signature
- config waf sub-class
wanopt
- config wanopt auth-group
- config wanopt cache-service
- config wanopt content-delivery-network-rule
- config wanopt peer
- config wanopt profile
- config wanopt remote-storage
- config wanopt settings
web-proxy
- config web-proxy debug-url
- config web-proxy dynamic-bypass
- config web-proxy explicit-proxy
- config web-proxy fast-fallback
- config web-proxy forward-server-group
- config web-proxy forward-server
- config web-proxy global
- config web-proxy implicit-proxy-rule
- config web-proxy implicit-proxy-setting
- config web-proxy isolator-server
- config web-proxy pac-policy
- config web-proxy profile
- config web-proxy redirect-profile
- config web-proxy url-list
- config web-proxy url-match
- config web-proxy wisp
webcache
- config webcache prefetch
- config webcache reverse-cache-server
- config webcache settings
- config webcache user-agent
webfilter
- config webfilter categories
- config webfilter content-header
- config webfilter content
- config webfilter domain-list
- config webfilter fortiguard
- config webfilter ftgd-local-cat
- config webfilter ftgd-local-rating
- config webfilter ftgd-local-risk
- config webfilter ftgd-risk-level
- config webfilter ftgd-statistics
- config webfilter ips-urlfilter-cache-setting
- config webfilter ips-urlfilter-setting
- config webfilter ips-urlfilter-setting6
- config webfilter override-usr
- config webfilter override
- config webfilter profile
- config webfilter search-engine
- config webfilter status
- config webfilter url-list
- config webfilter urlfilter
ztna
- config ztna connector-service-edge
- config ztna reverse-connector
- config ztna service-connector
- config ztna traffic-forward-proxy
Change log

Home FortiProxy 7.6.0 CLI Reference

7.6.0

config web-proxy explicit-proxy

Configure explicit Web proxy settings.

config web-proxy explicit-proxy
    Description: Configure explicit Web proxy settings.
    edit <name>
        set status [enable|disable]
        set interface {string}
        set secure-web-proxy [disable|enable|...]
        set http [enable|disable]
        set ftp-over-http [enable|disable]
        set socks [enable|disable]
        set http-incoming-port {user}
        set http-connection-mode [static|multiplex|...]
        set https-incoming-port {user}
        set ftp-incoming-port {user}
        set socks-incoming-port {user}
        set secure-web-proxy-cert <name1>, <name2>, ...
        set client-cert [disable|enable]
        set user-agent-detect [disable|enable]
        set empty-cert-action [accept|block|...]
        set ssl-dh-bits [768|1024|...]
        set incoming-ip {ipv4-address-any}
        set ipv6-status [enable|disable]
        set incoming-ip6 {ipv6-address}
        set pref-dns-result [ipv4|ipv6|...]
        set unknown-http-version [reject|best-effort]
        set realm {string}
        set sec-default-action [accept|deny]
        set pac-file-server-status [enable|disable]
        set pac-file-url {user}
        set pac-file-server-port {user}
        set pac-file-through-https [enable|disable]
        set pac-file-name {string}
        set pac-file-data {user}
        set ssl-algorithm [high|medium|...]
        set return-to-sender [enable|disable]
        set learn-dst-from-sni [enable|disable]
        set dstport-from-incoming [enable|disable]
        set header-proxy-agent [enable|disable]
        set dns-mode [recursive|non-recursive|...]
    next
end

config web-proxy explicit-proxy

Parameter

Description

Type

Size

Default

name

object name

string

Maximum length: 35

status

Enable/disable the explicit Web proxy for HTTP and HTTPS session.

option

disable

Option	Description
enable	Enable the explicit web proxy.
disable	Disable the explicit web proxy.

interface

interface name

string

Maximum length: 15

secure-web-proxy

Enable/disable/require the secure web proxy for HTTP and HTTPS session.

option

disable

Option	Description
disable	Disable secure webproxy.
enable	Enable secure webproxy access.
secure	Require secure webproxy access.

http

Enable/disable the HTTP & HTTPS proxy.

option

enable

Option	Description
enable	Enable the HTTP & HTTPS proxy.
disable	Disable the HTTP & HTTPS proxy.

ftp-over-http

Enable to proxy FTP-over-HTTP sessions sent from a web browser.

option

disable

Option	Description
enable	Enable FTP-over-HTTP sessions.
disable	Disable FTP-over-HTTP sessions.

socks

Enable/disable the SOCKS proxy.

option

disable

Option	Description
enable	Enable the SOCKS proxy.
disable	Disable the SOCKS proxy.

http-incoming-port

Accept incoming HTTP requests on one or more ports.

user

Not Specified

http-connection-mode

HTTP connection mode.

option

static

Option	Description
static	Only one server connection exists during the proxy session.
multiplex	Established connections are held until the proxy session ends.
serverpool	Established connections are shared with other proxy sessions.

https-incoming-port

Accept incoming HTTPS requests on one or more ports.

user

Not Specified

ftp-incoming-port

Accept incoming FTP-over-HTTP requests on one or more ports.

user

Not Specified

socks-incoming-port

Accept incoming SOCKS proxy requests on one or more ports.

user

Not Specified

secure-web-proxy-cert <name>

Name of certificates for secure web proxy.

Certificate list.

string

Maximum length: 79

client-cert

Enable/disable to request client certificate.

option

disable

Option	Description
disable	Disable client certificate request.
enable	Enable client certificate request.

user-agent-detect

Enable/disable to detect device type by HTTP user-agent if no client certificate provided.

option

enable

Option	Description
disable	Disable to detect unknown device by HTTP user-agent if no client certificate provided.
enable	Enable to detect unknown device by HTTP user-agent if no client certificate provided.

empty-cert-action

Action of an empty client certificate.

option

block

Option	Description
accept	Accept the SSL handshake if the client certificate is empty.
block	Block the SSL handshake if the client certificate is empty.
accept-unmanageable	Accept the SSL handshake only if the end-point is unmanageable.

ssl-dh-bits

Bit-size of Diffie-Hellman.

option

2048

Option	Description
768	768-bit Diffie-Hellman prime.
1024	1024-bit Diffie-Hellman prime.
1536	1536-bit Diffie-Hellman prime.
2048	2048-bit Diffie-Hellman prime.

incoming-ip

Restrict the explicit HTTP proxy to only accept sessions from this IP address. An interface must have this IP address.

ipv4-address-any

Not Specified

0.0.0.0

ipv6-status

Enable/disable allowing an IPv6 web proxy destination in policies and all IPv6 related entries in this command.

option

disable

Option	Description
enable	Enable allowing an IPv6 web proxy destination.
disable	Disable allowing an IPv6 web proxy destination.

incoming-ip6

Restrict the explicit web proxy to only accept sessions from this IPv6 address. An interface must have this IPv6 address.

ipv6-address

Not Specified

pref-dns-result

Prefer resolving addresses using the configured IPv4 or IPv6 DNS server.

option

ipv4

Option	Description
ipv4	Send the IPv4 request first and then the IPv6 request. Use the DNS response that returns to the FortiGate first.
ipv6	Send the IPv6 request first and then the IPv4 request. Use the DNS response that returns to the FortiGate first.
ipv4-strict	Use the IPv4 DNS response. If the IPv6 DNS response arrives first, wait 50ms for the IPv4 response and then use the IPv4 response, otherwise the IPv6.
ipv6-strict	Use the IPv6 DNS response. If the IPv4 DNS response arrives first, wait 50ms for the IPv6 response and then use the IPv6 response, otherwise the IPv4.

unknown-http-version

How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1.

option

reject

Option	Description
reject	Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.
best-effort	Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, it may not parse correctly and the connection may be lost.

realm

Authentication realm used to identify the explicit web proxy (maximum of 63 characters).

string

Maximum length: 63

default

sec-default-action

Accept or deny explicit web proxy sessions when no web proxy firewall policy exists.

option

deny

Option	Description
accept	Accept requests. All explicit web proxy traffic is accepted whether there is an explicit web proxy policy or not.
deny	Deny requests unless there is a matching explicit web proxy policy.

pac-file-server-status

Enable/disable Proxy Auto-Configuration (PAC) for users of this explicit proxy profile.

option

disable

Option	Description
enable	Enable Proxy Auto-Configuration (PAC).
disable	Disable Proxy Auto-Configuration (PAC).

pac-file-url

PAC file access URL.

user

Not Specified

pac-file-server-port

Port number that PAC traffic from client web browsers uses to connect to the explicit web proxy.

user

Not Specified

pac-file-through-https

Enable/disable to get Proxy Auto-Configuration (PAC) through HTTPS.

option

disable

Option	Description
enable	Enable to get Proxy Auto-Configuration (PAC) through HTTPS.
disable	Disable to get Proxy Auto-Configuration (PAC) through HTTPS.

pac-file-name

Pac file name.

string

Maximum length: 63

proxy.pac

pac-file-data

PAC file contents enclosed in quotes (maximum of 256K bytes).

user

Not Specified

ssl-algorithm

Relative strength of encryption algorithms accepted in HTTPS deep scan: high, medium, or low.

option

low

Option	Description
high	High encrption. Allow only AES and ChaCha.
medium	Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
low	Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

return-to-sender

Enable/disable return-to-sender.

option

disable

Option	Description
enable	Enable setting.
disable	Disable setting.

learn-dst-from-sni

Enable/disable learning destination from SNI in client hello.

option

disable

Option	Description
enable	Enable learning destination from SNI in client hello.
disable	Disable learning destination from SNI in client hello.

dstport-from-incoming

Enable/disable reusing incoming port to connect to server.

option

disable

Option	Description
enable	Enable reusing incoming port to connect to server.
disable	Disable reusing incoming port to connect to server.

header-proxy-agent

Enable/disable HTTP CONNECT response header Proxy-Agent.

option

enable

Option	Description
enable	Enable HTTP CONNECT response header Proxy-Agent.
disable	Disable HTTP CONNECT response header Proxy-Agent.

dns-mode

DNS lookup mode.

option

recursive

Option	Description
recursive	Shadow DNS database and forward.
non-recursive	Public DNS database only.
forward-only	Forward only.

config web-proxy explicit-proxy

Configure explicit Web proxy settings.

config web-proxy explicit-proxy
    Description: Configure explicit Web proxy settings.
    edit <name>
        set status [enable|disable]
        set interface {string}
        set secure-web-proxy [disable|enable|...]
        set http [enable|disable]
        set ftp-over-http [enable|disable]
        set socks [enable|disable]
        set http-incoming-port {user}
        set http-connection-mode [static|multiplex|...]
        set https-incoming-port {user}
        set ftp-incoming-port {user}
        set socks-incoming-port {user}
        set secure-web-proxy-cert <name1>, <name2>, ...
        set client-cert [disable|enable]
        set user-agent-detect [disable|enable]
        set empty-cert-action [accept|block|...]
        set ssl-dh-bits [768|1024|...]
        set incoming-ip {ipv4-address-any}
        set ipv6-status [enable|disable]
        set incoming-ip6 {ipv6-address}
        set pref-dns-result [ipv4|ipv6|...]
        set unknown-http-version [reject|best-effort]
        set realm {string}
        set sec-default-action [accept|deny]
        set pac-file-server-status [enable|disable]
        set pac-file-url {user}
        set pac-file-server-port {user}
        set pac-file-through-https [enable|disable]
        set pac-file-name {string}
        set pac-file-data {user}
        set ssl-algorithm [high|medium|...]
        set return-to-sender [enable|disable]
        set learn-dst-from-sni [enable|disable]
        set dstport-from-incoming [enable|disable]
        set header-proxy-agent [enable|disable]
        set dns-mode [recursive|non-recursive|...]
    next
end

config web-proxy explicit-proxy

Parameter

Description

Type

Size

Default

name

object name

string

Maximum length: 35

status

Enable/disable the explicit Web proxy for HTTP and HTTPS session.

option

disable

Option	Description
enable	Enable the explicit web proxy.
disable	Disable the explicit web proxy.

interface

interface name

string

Maximum length: 15

secure-web-proxy

Enable/disable/require the secure web proxy for HTTP and HTTPS session.

option

disable

Option	Description
disable	Disable secure webproxy.
enable	Enable secure webproxy access.
secure	Require secure webproxy access.

http

Enable/disable the HTTP & HTTPS proxy.

option

enable

Option	Description
enable	Enable the HTTP & HTTPS proxy.
disable	Disable the HTTP & HTTPS proxy.

ftp-over-http

Enable to proxy FTP-over-HTTP sessions sent from a web browser.

option

disable

Option	Description
enable	Enable FTP-over-HTTP sessions.
disable	Disable FTP-over-HTTP sessions.

socks

Enable/disable the SOCKS proxy.

option

disable

Option	Description
enable	Enable the SOCKS proxy.
disable	Disable the SOCKS proxy.

http-incoming-port

Accept incoming HTTP requests on one or more ports.

user

Not Specified

http-connection-mode

HTTP connection mode.

option

static

Option	Description
static	Only one server connection exists during the proxy session.
multiplex	Established connections are held until the proxy session ends.
serverpool	Established connections are shared with other proxy sessions.

https-incoming-port

Accept incoming HTTPS requests on one or more ports.

user

Not Specified

ftp-incoming-port

Accept incoming FTP-over-HTTP requests on one or more ports.

user

Not Specified

socks-incoming-port

Accept incoming SOCKS proxy requests on one or more ports.

user

Not Specified

secure-web-proxy-cert <name>

Name of certificates for secure web proxy.

Certificate list.

string

Maximum length: 79

client-cert

Enable/disable to request client certificate.

option

disable

Option	Description
disable	Disable client certificate request.
enable	Enable client certificate request.

user-agent-detect

Enable/disable to detect device type by HTTP user-agent if no client certificate provided.

option

enable

Option	Description
disable	Disable to detect unknown device by HTTP user-agent if no client certificate provided.
enable	Enable to detect unknown device by HTTP user-agent if no client certificate provided.

empty-cert-action

Action of an empty client certificate.

option

block

Option	Description
accept	Accept the SSL handshake if the client certificate is empty.
block	Block the SSL handshake if the client certificate is empty.
accept-unmanageable	Accept the SSL handshake only if the end-point is unmanageable.

ssl-dh-bits

Bit-size of Diffie-Hellman.

option

2048

Option	Description
768	768-bit Diffie-Hellman prime.
1024	1024-bit Diffie-Hellman prime.
1536	1536-bit Diffie-Hellman prime.
2048	2048-bit Diffie-Hellman prime.

incoming-ip

Restrict the explicit HTTP proxy to only accept sessions from this IP address. An interface must have this IP address.

ipv4-address-any

Not Specified

0.0.0.0

ipv6-status

Enable/disable allowing an IPv6 web proxy destination in policies and all IPv6 related entries in this command.

option

disable

Option	Description
enable	Enable allowing an IPv6 web proxy destination.
disable	Disable allowing an IPv6 web proxy destination.

incoming-ip6

Restrict the explicit web proxy to only accept sessions from this IPv6 address. An interface must have this IPv6 address.

ipv6-address

Not Specified

pref-dns-result

Prefer resolving addresses using the configured IPv4 or IPv6 DNS server.

option

ipv4

Option	Description
ipv4	Send the IPv4 request first and then the IPv6 request. Use the DNS response that returns to the FortiGate first.
ipv6	Send the IPv6 request first and then the IPv4 request. Use the DNS response that returns to the FortiGate first.
ipv4-strict	Use the IPv4 DNS response. If the IPv6 DNS response arrives first, wait 50ms for the IPv4 response and then use the IPv4 response, otherwise the IPv6.
ipv6-strict	Use the IPv6 DNS response. If the IPv4 DNS response arrives first, wait 50ms for the IPv6 response and then use the IPv6 response, otherwise the IPv4.

unknown-http-version

How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1.

option

reject

Option	Description
reject	Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.
best-effort	Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, it may not parse correctly and the connection may be lost.

realm

Authentication realm used to identify the explicit web proxy (maximum of 63 characters).

string

Maximum length: 63

default

sec-default-action

Accept or deny explicit web proxy sessions when no web proxy firewall policy exists.

option

deny

Option	Description
accept	Accept requests. All explicit web proxy traffic is accepted whether there is an explicit web proxy policy or not.
deny	Deny requests unless there is a matching explicit web proxy policy.

pac-file-server-status

Enable/disable Proxy Auto-Configuration (PAC) for users of this explicit proxy profile.

option

disable

Option	Description
enable	Enable Proxy Auto-Configuration (PAC).
disable	Disable Proxy Auto-Configuration (PAC).

pac-file-url

PAC file access URL.

user

Not Specified

pac-file-server-port

Port number that PAC traffic from client web browsers uses to connect to the explicit web proxy.

user

Not Specified

pac-file-through-https

Enable/disable to get Proxy Auto-Configuration (PAC) through HTTPS.

option

disable

Option	Description
enable	Enable to get Proxy Auto-Configuration (PAC) through HTTPS.
disable	Disable to get Proxy Auto-Configuration (PAC) through HTTPS.

pac-file-name

Pac file name.

string

Maximum length: 63

proxy.pac

pac-file-data

PAC file contents enclosed in quotes (maximum of 256K bytes).

user

Not Specified

ssl-algorithm

Relative strength of encryption algorithms accepted in HTTPS deep scan: high, medium, or low.

option

low

Option	Description
high	High encrption. Allow only AES and ChaCha.
medium	Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
low	Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

return-to-sender

Enable/disable return-to-sender.

option

disable

Option	Description
enable	Enable setting.
disable	Disable setting.

learn-dst-from-sni

Enable/disable learning destination from SNI in client hello.

option

disable

Option	Description
enable	Enable learning destination from SNI in client hello.
disable	Disable learning destination from SNI in client hello.

dstport-from-incoming

Enable/disable reusing incoming port to connect to server.

option

disable

Option	Description
enable	Enable reusing incoming port to connect to server.
disable	Disable reusing incoming port to connect to server.

header-proxy-agent

Enable/disable HTTP CONNECT response header Proxy-Agent.

option

enable

Option	Description
enable	Enable HTTP CONNECT response header Proxy-Agent.
disable	Disable HTTP CONNECT response header Proxy-Agent.

dns-mode

DNS lookup mode.

option

recursive

Option	Description
recursive	Shadow DNS database and forward.
non-recursive	Public DNS database only.
forward-only	Forward only.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

CLI Reference

config web-proxy explicit-proxy

config web-proxy explicit-proxy

config web-proxy explicit-proxy

config web-proxy explicit-proxy

config web-proxy explicit-proxy

config web-proxy explicit-proxy