config firewall proxy-policy
Configure proxy policies.
```
config firewall proxy-policy
    Description: Configure proxy policies.
    edit <policyid>
        set access-proxy <name1>, <name2>, ...
        set access-proxy6 <name1>, <name2>, ...
        set action [accept|deny|...]
        set application-list {string}
        set av-profile {string}
        set block-notification [enable|disable]
        set casb-profile {string}
        set comments {var-string}
        set decrypted-traffic-mirror {string}
        set detect-https-in-http-request [enable|disable]
        set device-ownership [enable|disable]
        set disclaimer [disable|domain|...]
        set dlp-profile {string}
        set dnsfilter-profile {string}
        set dstaddr <name1>, <name2>, ...
        set dstaddr-negate [enable|disable]
        set dstaddr6 <name1>, <name2>, ...
        set dstintf <name1>, <name2>, ...
        set emailfilter-profile {string}
        set file-filter-profile {string}
        set groups <name1>, <name2>, ...
        set http-tunnel-auth [enable|disable]
        set icap-profile {string}
        set internet-service [enable|disable]
        set internet-service-custom <name1>, <name2>, ...
        set internet-service-custom-group <name1>, <name2>, ...
        set internet-service-group <name1>, <name2>, ...
        set internet-service-name <name1>, <name2>, ...
        set internet-service-negate [enable|disable]
        set internet-service6 [enable|disable]
        set internet-service6-custom <name1>, <name2>, ...
        set internet-service6-custom-group <name1>, <name2>, ...
        set internet-service6-group <name1>, <name2>, ...
        set internet-service6-name <name1>, <name2>, ...
        set internet-service6-negate [enable|disable]
        set ips-sensor {string}
        set ips-voip-filter {string}
        set log-http-transaction [enable|disable]
        set logtraffic [all|utm|...]
        set logtraffic-start [enable|disable]
        set name {string}
        set poolname <name1>, <name2>, ...
        set profile-group {string}
        set profile-protocol-options {string}
        set profile-type [single|group]
        set proxy [explicit-web|transparent-web|...]
        set redirect-url {var-string}
        set replacemsg-override-group {string}
        set schedule {string}
        set service <name1>, <name2>, ...
        set service-negate [enable|disable]
        set session-ttl {integer}
        set srcaddr <name1>, <name2>, ...
        set srcaddr-negate [enable|disable]
        set srcaddr6 <name1>, <name2>, ...
        set srcintf <name1>, <name2>, ...
        set ssh-filter-profile {string}
        set ssh-policy-redirect [enable|disable]
        set ssl-ssh-profile {string}
        set status [enable|disable]
        set transparent [enable|disable]
        set users <name1>, <name2>, ...
        set utm-status [enable|disable]
        set uuid {uuid}
        set videofilter-profile {string}
        set waf-profile {string}
        set webcache [enable|disable]
        set webcache-https [disable|enable]
        set webfilter-profile {string}
        set webproxy-forward-server {string}
        set webproxy-profile {string}
        set ztna-ems-tag <name1>, <name2>, ...
        set ztna-proxy <name1>, <name2>, ...
        set ztna-tags-match-logic [or|and]
    next
end
```
config firewall proxy-policy
| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| access-proxy | IPv4 access proxy. Access Proxy name. | string | Maximum length: 79 | |
| access-proxy6 | IPv6 access proxy. Access proxy name. | string | Maximum length: 79 | |
| action | Accept or deny traffic matching the policy parameters. | option | - | deny |
| application-list | Name of an existing Application list. | string | Maximum length: 35 | |
| av-profile | Name of an existing Antivirus profile. | string | Maximum length: 35 | |
| block-notification | Enable/disable block notification. | option | - | disable |
| casb-profile | Name of an existing CASB profile. | string | Maximum length: 35 | |
| comments | Optional comments. | var-string | Maximum length: 1023 | |
| decrypted-traffic-mirror | Decrypted traffic mirror. | string | Maximum length: 35 | |
| detect-https-in-http-request | Enable/disable detection of HTTPS in HTTP request. | option | - | disable |
| device-ownership | When enabled, the ownership enforcement will be done at policy level. | option | - | disable |
| disclaimer | Web proxy disclaimer setting: by domain, policy, or user. | option | - | disable |
| dlp-profile | Name of an existing DLP profile. | string | Maximum length: 35 | |
| dnsfilter-profile | Name of an existing DNS filter profile. | string | Maximum length: 35 | |
| dstaddr | Destination address objects. Address name. | string | Maximum length: 79 | |
| dstaddr-negate | When enabled, destination addresses match against any address EXCEPT the specified destination addresses. | option | - | disable |
| dstaddr6 | IPv6 destination address objects. Address name. | string | Maximum length: 79 | |
| dstintf | Destination interface names. Interface name. | string | Maximum length: 79 | |
| emailfilter-profile | Name of an existing email filter profile. | string | Maximum length: 35 | |
| file-filter-profile | Name of an existing file-filter profile. | string | Maximum length: 35 | |
| groups | Names of group objects. Group name. | string | Maximum length: 79 | |
| http-tunnel-auth | Enable/disable HTTP tunnel authentication. | option | - | disable |
| icap-profile | Name of an existing ICAP profile. | string | Maximum length: 35 | |
| internet-service | Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. | option | - | disable |
| internet-service-custom | Custom Internet Service name. Custom Internet Service name. | string | Maximum length: 79 | |
| internet-service-custom-group | Custom Internet Service group name. Custom Internet Service group name. | string | Maximum length: 79 | |
| internet-service-group | Internet Service group name. Internet Service group name. | string | Maximum length: 79 | |
| internet-service-name | Internet Service name. Internet Service name. | string | Maximum length: 79 | |
| internet-service-negate | When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service. | option | - | disable |
| internet-service6 | Enable/disable use of Internet Services IPv6 for this policy. If enabled, destination IPv6 address and service are not used. | option | - | disable |
| internet-service6-custom | Custom Internet Service IPv6 name. Custom Internet Service IPv6 name. | string | Maximum length: 79 | |
| internet-service6-custom-group | Custom Internet Service IPv6 group name. Custom Internet Service IPv6 group name. | string | Maximum length: 79 | |
| internet-service6-group | Internet Service IPv6 group name. Internet Service IPv6 group name. | string | Maximum length: 79 | |
| internet-service6-name | Internet Service IPv6 name. Internet Service IPv6 name. | string | Maximum length: 79 | |
| internet-service6-negate | When enabled, Internet Services match against any internet service IPv6 EXCEPT the selected Internet Service IPv6. | option | - | disable |
| ips-sensor | Name of an existing IPS sensor. | string | Maximum length: 35 | |
| ips-voip-filter | Name of an existing VoIP (ips) profile. | string | Maximum length: 35 | |
| log-http-transaction | Enable/disable HTTP transaction log. | option | - | disable |
| logtraffic | Enable/disable logging traffic through the policy. | option | - | utm |
| logtraffic-start | Enable/disable policy log traffic start. | option | - | disable |
| name | Policy name. | string | Maximum length: 35 | |
| policyid | Policy ID. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| poolname | Name of IP pool object. IP pool name. | string | Maximum length: 79 | |
| profile-group | Name of profile group. | string | Maximum length: 35 | |
| profile-protocol-options | Name of an existing Protocol options profile. | string | Maximum length: 35 | default |
| profile-type | Determine whether the firewall policy allows security profile groups or single profiles only. | option | - | single |
| proxy | Type of explicit proxy. | option | - | |
| redirect-url | Redirect URL for further explicit web proxy processing. | var-string | Maximum length: 1023 | |
| replacemsg-override-group | Authentication replacement message override group. | string | Maximum length: 35 | |
| schedule | Name of schedule object. | string | Maximum length: 35 | |
| service | Name of service objects. Service name. | string | Maximum length: 79 | |
| service-negate | When enabled, services match against any service EXCEPT the specified destination services. | option | - | disable |
| session-ttl | TTL in seconds for sessions accepted by this policy. | integer | Minimum value: 300 Maximum value: 2764800 | 0 |
| srcaddr | Source address objects. Address name. | string | Maximum length: 79 | |
| srcaddr-negate | When enabled, source addresses match against any address EXCEPT the specified source addresses. | option | - | disable |
| srcaddr6 | IPv6 source address objects. Address name. | string | Maximum length: 79 | |
| srcintf | Source interface names. Interface name. | string | Maximum length: 79 | |
| ssh-filter-profile | Name of an existing SSH filter profile. | string | Maximum length: 35 | |
| ssh-policy-redirect | Redirect SSH traffic to matching transparent proxy policy. | option | - | disable |
| ssl-ssh-profile | Name of an existing SSL SSH profile. | string | Maximum length: 35 | no-inspection |
| status | Enable/disable the active status of the policy. | option | - | enable |
| transparent | Enable to use the IP address of the client to connect to the server. | option | - | disable |
| users | Names of user objects. Group name. | string | Maximum length: 79 | |
| utm-status | Enable the use of UTM profiles/sensors/lists. | option | - | disable |
| uuid | Universally Unique Identifier (UUID; automatically assigned but can be manually reset). | uuid | Not Specified | 00000000-0000-0000-0000-000000000000 |
| videofilter-profile | Name of an existing VideoFilter profile. | string | Maximum length: 35 | |
| waf-profile | Name of an existing Web application firewall profile. | string | Maximum length: 35 | |
| webcache * | Enable/disable web caching. | option | - | disable |
| webcache-https * | Enable/disable web caching for HTTPS (Requires deep-inspection enabled in ssl-ssh-profile). | option | - | disable |
| webfilter-profile | Name of an existing Web filter profile. | string | Maximum length: 35 | |
| webproxy-forward-server | Web proxy forward server name. | string | Maximum length: 63 | |
| webproxy-profile | Name of web proxy profile. | string | Maximum length: 63 | |
| ztna-ems-tag | ZTNA EMS Tag names. EMS Tag name. | string | Maximum length: 79 | |
| ztna-proxy | IPv4 ZTNA traffic forward proxy. ZTNA Traffic Forward Proxy name. | string | Maximum length: 79 | |
| ztna-tags-match-logic | ZTNA tag matching logic. | option | - | or |

* This parameter may not exist in some models.
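
A review script built on the defaults in the table above, added here as an example and not part of this reference: it parses a `config firewall proxy-policy` block and lists enabled accept policies that still carry the documented defaults for `utm-status`, `logtraffic` and `ssl-ssh-profile`, or that enable an address or service negate option. The function names, the sample configuration and the profile name `example-deep-profile` are assumptions.

```python
import shlex

# Defaults as listed in the parameter table above (status defaults to enable).
DEFAULTS = {"action": "deny", "utm-status": "disable", "logtraffic": "utm",
            "ssl-ssh-profile": "no-inspection"}
NEGATES = ("srcaddr-negate", "dstaddr-negate", "service-negate")
# Constructed sample; the profile name is a placeholder.
SAMPLE = """
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set action accept
        set dstaddr-negate enable
    next
    edit 2
        set proxy explicit-web
        set action accept
        set utm-status enable
        set ssl-ssh-profile "example-deep-profile"
    next
    edit 3
        set proxy explicit-web
    next
end
"""

def parse_policies(text):
    """Return {policyid: {parameter: first value}} for each edit block."""
    policies, current = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:1] == ["edit"] and len(tok) == 2:
            current = policies.setdefault(tok[1], {})
        elif tok[:1] == ["set"] and len(tok) >= 3 and current is not None:
            current[tok[1]] = tok[2]
        elif tok[:1] in (["next"], ["end"]):
            current = None
    return policies

def audit(policies):
    """List (policyid, setting) for enabled accept policies left at defaults."""
    out = []
    for pid, cfg in policies.items():
        val = {**DEFAULTS, **cfg}
        if val["action"] != "accept" or cfg.get("status") == "disable":
            continue
        keys = [k for k in DEFAULTS if val[k] == DEFAULTS[k]]  # action is "accept" here
        keys += [k for k in NEGATES if val.get(k) == "enable"]
        out += [(pid, f"{k} {val[k]}") for k in keys]
    return out
```

Policy 3 in the sample sets no `action`, so the documented default `deny` applies and it is skipped.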