The FortiGate explicit web proxy

To enable the explicit web proxy – CLI:

1. Enter the following command to turn on the IPv4 and IPv6 explicit web proxy for HTTP and HTTPS traffic.

config web-proxy explicit
    set status enable
    set ipv6-status enable
end

 

You can also enter the following command so that the explicit web proxy handles FTP sessions (ftp:// URLs) opened from a web browser.

config web-proxy explicit
    set ftp-over-http enable
end

 

The default explicit web proxy configuration has sec-default-action set to deny, so no traffic is proxied until you add an explicit proxy policy that allows access to the explicit web proxy (steps 5 and 6).

 

2. Enter the following command to enable the explicit web proxy for the internal interface.

config system interface
    edit internal
        set explicit-web-proxy enable
    next
end

 

3. Use the following command to add a firewall address that matches the source address of users who connect to the explicit web proxy.

config firewall address
    edit Internal_subnet
        set type iprange
        set start-ip 10.31.101.1
        set end-ip 10.31.101.255
    next
end

 

The firewall address used as the source address of an explicit web proxy policy cannot be bound to a FortiGate interface; leave its interface association unset.

 

4. Optionally use the following command to add a destination URL address that is only used by the explicit proxy. For example, to create an explicit policy that only allows access to fortinet.com:

config firewall address
    edit Fortinet-web-sites
        set type url
        set url fortinet.com
    next
end

 

5. Use the following command to add an explicit web proxy policy that allows all users on the internal subnet to use the explicit web proxy for connections through the wan1 interface to the Internet.

config firewall explicit-proxy-policy
    edit 0
        set proxy web
        set dstintf wan1
        set srcaddr Internal_subnet
        set dstaddr all
        set action accept
        set service webproxy
        set schedule always
    next
end

 

6. Use the following command to add an explicit web proxy policy that allows authenticated members of the Proxy-group user group on the internal subnet to use the explicit web proxy for connections through the wan1 interface to the Fortinet-web-sites address (fortinet.com).

config firewall explicit-proxy-policy
    edit 0
        set proxy web
        set dstintf wan1
        set srcaddr Internal_subnet
        set dstaddr Fortinet-web-sites
        set action accept
        set service webproxy
        set schedule always
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups Proxy-group
                set schedule always
            next
        end
    next
end

 

7. Use the following command to change global web proxy settings, for example to set the maximum HTTP request line length for the explicit web proxy to 10 (KB):

config web-proxy global
    set max-request-length 10
end
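The following Python script is an added example and is not part of the original page or of FortiOS. It models the client side of the configuration in steps 1-7: the request a browser sends to an explicit proxy (absolute-form GET for http://, CONNECT for https://), the Basic Proxy-Authorization header a browser adds once prompted (base64, not encryption), the step-7 request line length limit, how the Internal_subnet iprange and the url-type Fortinet-web-sites address select a policy, and what the 407 challenge from an identity-based policy looks like. FortiOS evaluates policies top-down and uses the first match, and `edit 0` appends, so the step-5 policy (destination all) sits above the step-6 policy and the authenticated policy is never reached unless you move it up; the script shows both orders. The client addresses, credentials, the subdomain-matching semantics of a url-type address, the KB unit of max-request-length, and the sample 407 reply are constructed assumptions.

```python
"""Client-side model of the explicit web proxy configured in steps 1-7.

Added example, not from the original page or from FortiOS. Client IPs,
credentials, the sample 407 reply and the url-type matching semantics
are constructed assumptions.
"""
import base64
import ipaddress
from urllib.parse import urlsplit

# Firewall address objects from steps 3 and 4.
INTERNAL_SUBNET = (ipaddress.ip_address("10.31.101.1"),
                   ipaddress.ip_address("10.31.101.255"))
FORTINET_WEB_SITES = "fortinet.com"  # url-type address


def build_proxy_request(url, credentials=None):
    """Return the bytes a browser sends to an explicit proxy for url.

    http:// URLs go as absolute-form GET requests; https:// URLs start a
    CONNECT tunnel. With credentials, a Proxy-Authorization header using
    the Basic scheme (base64 of user:password, not encryption) is added.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        target = f"{parts.hostname}:{parts.port or 443}"
        lines = [f"CONNECT {target} HTTP/1.1", f"Host: {target}"]
    elif parts.scheme == "http":
        absolute = f"http://{parts.netloc}{parts.path or '/'}"
        if parts.query:
            absolute += "?" + parts.query
        lines = [f"GET {absolute} HTTP/1.1", f"Host: {parts.netloc}"]
    else:
        raise ValueError(f"unsupported scheme: {parts.scheme}")
    if credentials:
        user, password = credentials
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    lines.append("Proxy-Connection: keep-alive")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def request_line_ok(request, max_kb=10):
    """Step 7: the request line must not exceed max-request-length (assumed KB)."""
    request_line = request.split(b"\r\n", 1)[0]
    return len(request_line) <= max_kb * 1024


def in_iprange(client_ip, iprange):
    """True if client_ip lies inside an iprange address (inclusive)."""
    addr = ipaddress.ip_address(client_ip)
    return iprange[0] <= addr <= iprange[1]


def url_address_matches(hostname, pattern):
    """Assumed semantics of a url-type address: the host or any subdomain."""
    return hostname == pattern or hostname.endswith("." + pattern)


# Explicit proxy policies from steps 5 and 6; dstaddr None means "all".
POLICY_ALL = {"id": 1, "srcaddr": INTERNAL_SUBNET, "dstaddr": None,
              "identity_based": False}
POLICY_FORTINET = {"id": 2, "srcaddr": INTERNAL_SUBNET,
                   "dstaddr": FORTINET_WEB_SITES, "identity_based": True}
# "edit 0" appends, so the step-5 policy sits above the step-6 policy.
POLICIES_AS_CONFIGURED = [POLICY_ALL, POLICY_FORTINET]
# Specific, authenticated policy first: the order a practitioner wants.
POLICIES_REORDERED = [POLICY_FORTINET, POLICY_ALL]


def first_match(policies, client_ip, url):
    """FortiOS evaluates policies top-down and uses the first match."""
    hostname = urlsplit(url).hostname
    for policy in policies:
        if not in_iprange(client_ip, policy["srcaddr"]):
            continue
        if policy["dstaddr"] is not None and not url_address_matches(
                hostname, policy["dstaddr"]):
            continue
        return policy
    return None


def parse_proxy_status(response):
    """Return (status code, Proxy-Authenticate scheme or None) from a reply."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *headers = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    scheme = None
    for header in headers:
        name, _, value = header.partition(":")
        if name.strip().lower() == "proxy-authenticate":
            scheme = value.strip().split(" ", 1)[0]
    return status, scheme


# Constructed sample: what an identity-based policy returns before login.
SAMPLE_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
              b'Proxy-Authenticate: Basic realm="FortiGate"\r\n'
              b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    url = "https://www.fortinet.com/"
    print(build_proxy_request(url, ("alice", "s3cret")).decode())
    print("as configured ->", first_match(POLICIES_AS_CONFIGURED, "10.31.101.20", url)["id"])
    print("reordered     ->", first_match(POLICIES_REORDERED, "10.31.101.20", url)["id"])
    print(parse_proxy_status(SAMPLE_407))
```

Run it as-is to see the CONNECT request with its Basic header, the policy chosen in each order, and the parsed 407 challenge; point `first_match` at a client outside 10.31.101.1-10.31.101.255 and no policy matches, which is the sec-default-action deny case.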

2 thoughts on "The FortiGate explicit web proxy"

1. Tom

When you are authenticating to the explicit proxy, are your credentials passing in clear text from your browser to the proxy?
