firewall : explicit-proxy-policy
 
explicit-proxy-policy
Use this command to configure explicit proxy policies.
Syntax
config firewall explicit-proxy-policy
edit <index_int>
set action {accept | deny}
set active-auth-method {basic | digest | ntlm | none}
set application-list <name_str>
set av-profile <name_str>
set comments <comment_str>
set dlp-sensor <name_str>
set dstaddr <name_str>
set dstaddr6 <name_str>
set dstaddr-negate {enable | disable}
set dstintf <name_str>
set global-label <label_str>
set icap-profile <icap_pr_name>
set identity-based {enable | disable}
set ip-based {enable | disable}
set ips-sensor <name_str>
set label <label_string>
set logtraffic {all | utm | disable}
set logtraffic-start {enable | disable}
set profile-group <name_str>
set profile-protocol-options <name_str>
set profile-type {group | single}
set proxy {web | ftp | wanopt}
set replacemsg-override-group <group_string>
set require-tfa {enable | disable}
set schedule <name_str>
set service <name_str>
set service-negate {enable | disable}
set spamfilter-profile <name_str>
set srcaddr <name_str>
set srcaddr6 <name_str>
set srcaddr-negate {enable | disable}
set ssl-ssh-profile <profile_name>
set sso-auth-method {fsso | rsso}
set status {enable | disable}
set tags <tags_str>
set transaction-based {enable | disable}
set transparent {enable | disable}
set utm-status {disable | enable}
set voip-profile <name_str>
set web-auth-cookie {enable | disable}
set webcache {disable | enable}
set webcache-https {disable | any | ssl-server}
set webfilter-profile <name_str>
set webproxy-forward-server <fwd_srv_name_string>
set webproxy-profile <profile_name>
config identity-based-policy
edit <id>
set application-list <name_str>
set av-profile <name_str>
set dlp-sensor <name_str>
set groups <group_name>
set icap-profile <icap_pr_name>
set ips-sensor <name_str>
set logtraffic {all | utm | disable}
set logtraffic-start {enable | disable}
set profile-group <name_str>
set profile-protocol-options <name_str>
set profile-type {group | single}
set schedule <name_str>
set spamfilter-profile <name_str>
set ssl-ssh-profile <profile_name>
set users <user_name_list>
set utm-status {disable | enable}
set voip-profile <name_str>
set webfilter-profile <name_str>
end
end
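A complete worked example of the syntax above, added here and not part of the original reference: an explicit web proxy policy that authenticates users passively through FSSO first and falls back to NTLM (see sso-auth-method and active-auth-method in the table below), with UTM profiles selected per user group in the identity-based-policy sub-section. The address, group, schedule and profile names (internal_clients, fsso_staff, contractors, business_hours, pxy_protocol_opts, pxy_av, pxy_web, pxy_strict) are assumed objects that must already exist when the policy is created; all, always, webproxy and certificate-inspection are built-in objects on most releases and are also assumed here. The lines beginning with # are annotations, not CLI input.

```text
config firewall explicit-proxy-policy
    edit 1
        # Web proxy (not ftp/wanopt), so identity-based and transparent are available
        set proxy web
        set srcaddr "internal_clients"
        set dstaddr "all"
        set service "webproxy"
        set schedule "always"
        # The default action is deny; accept must be set explicitly
        set action accept
        # Passive FSSO first; NTLM challenge only when FSSO has no mapping for the client IP.
        # ntlm is preferred to basic because basic sends the password base64-encoded in clear text.
        set identity-based enable
        set sso-auth-method fsso
        set active-auth-method ntlm
        # ip-based must be enabled because rule 1 below refers to an FSSO group
        set ip-based enable
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set logtraffic-start enable
        config identity-based-policy
            # Rule 1: staff resolved by FSSO get individual UTM profiles
            edit 1
                set groups "fsso_staff"
                set schedule "always"
                set utm-status enable
                set profile-type single
                set profile-protocol-options "pxy_protocol_opts"
                set av-profile "pxy_av"
                set webfilter-profile "pxy_web"
                set logtraffic all
            next
            # Rule 2: contractors (local group, NTLM fallback) get a stricter profile group,
            # and only during business hours
            edit 2
                set groups "contractors"
                set schedule "business_hours"
                set utm-status enable
                set profile-type group
                set profile-group "pxy_strict"
                set logtraffic all
            next
        end
    next
end
```

Note how the UTM options (utm-status, profile-type, the individual profiles) are set inside each authentication rule rather than at the policy level: with identity-based enabled they are not available at the policy level. The rules are matched in order, so a user who is a member of both groups is handled by rule 1.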
Variable
Description
Default
<index_int>
Enter the unique ID number of this policy.
No default.
action {accept | deny}
Select the action that the FortiGate unit will perform on traffic matching this firewall policy.
accept Allow packets that match the firewall policy.
deny Deny packets that match the firewall policy.
deny
active-auth-method {basic | digest | ntlm | none}
Select the active authentication method to use. This is available if identity-based is enabled. If sso-auth-method is set, passive authentication is tried first and the active method is used only if it fails.
basic — the client must authenticate with a user ID and password for each realm. The credentials are sent base64-encoded, not encrypted, so anyone who can observe the client-to-proxy connection can read them.
digest — a nonce value is sent to the client in the challenge; the client responds with an MD5 checksum over its user ID, password, the nonce and the requested URI. The FortiGate unit has all of this information and can confirm that the checksum is correct, so the password itself is not sent. The digest method applies only to local users.
ntlm — NT LAN Manager. NTLM uses Windows AD and the browser (Internet Explorer) to authenticate the user through a challenge-response exchange. Useful when the FSSO agent cannot be installed on the Windows AD server.
none — no authentication
null
application-list <name_str>
Enter the name of the application list to add to the firewall policy.
This option appears only if identity-based is disable and utm-status is enable.
(null)
av-profile <name_str>
Enter the name of the antivirus profile to add to the firewall policy.
This option appears only if identity-based is disable and utm-status is enable. A profile-protocol-options profile must also be set for the antivirus profile to take effect.
(null)
comments <comment_str>
Enter a description or other information about the policy. (Optional)
comment_str is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.
No default.
dlp-sensor <name_str>
Enter the name of the DLP sensor to add to the firewall policy.
This option appears only if identity-based is disable and utm-status is enable.
(null)
dstaddr <name_str>
dstaddr6 <name_str>
Enter one or more destination firewall addresses for the policy. Separate multiple firewall addresses with a space.
Use dstaddr6 for IPv6 addresses.
No default.
dstaddr-negate {enable | disable}
Enable to negate dstaddr match. This causes dstaddr to specify what the destination address must not be.
disable
dstintf <name_str>
Enter the destination interface(s) for the policy. Separate interface names with spaces.
The interface can be a physical interface, a VLAN subinterface, or a zone.
Note: If an interface or VLAN subinterface has been added to a zone, the interface or VLAN subinterface cannot be used for dstintf; use the zone instead.
No default.
global-label <label_str>
Put policy in the named subsection in the web-based manager. Subsection is created if it does not already exist.
No default.
groups <group_name>
Enter the user group name for the identity-based policy.
No default.
icap-profile <icap_pr_name>
Optionally, enter the name of an Internet Content Adaptation Protocol (ICAP) profile. This is available if utm-status is enable.
null
identity-based {enable | disable}
Enable or disable identity-based policy. This is available when proxy is web or ftp.
disable
ip-based {enable | disable}
Enable IP-based authentication, which binds the authenticated user to the client's source IP address. Available if identity-based is enabled. When disabled, authentication is session-based (see web-auth-cookie).
ip-based must be enabled when the policy refers to directory-based user groups such as FSSO groups, because FSSO supplies only an IP-to-user mapping; disabling it in that case causes an error.
disable
ips-sensor <name_str>
Enter the name of the IPS sensor to add to the firewall policy.
This option appears only if identity-based is disable and utm-status is enable.
(null)
label <label_string>
Optionally, enter a label for this policy. The label is visible in the web-based manager.
No default.
logtraffic {all | utm | disable}
Choose which traffic logs will be recorded:
all - log all sessions handled by the policy
utm - log only UTM-related events
disable - no logging
utm
logtraffic-start {enable | disable}
Enable to log session starts and ends.
disable
mms-profile <name_str>
For FortiOS Carrier, enter the name of the MMS profile to add to the firewall policy.
This option appears only if identity-based is disable and utm-status is enable.
(null)
profile-group <name_str>
Enter the name of a UTM profile group to add to the firewall policy. This option is available if profile-type is set to group.
Available at the policy level only if identity-based is disable and utm-status is enable. If identity-based is enable, set it instead within each authentication rule in the config identity-based-policy sub-section.
(null)
profile-protocol-options <name_str>
Enter the name of the protocol options profile to add to the firewall policy.
Available at the policy level only if identity-based is disable and utm-status is enable. If identity-based is enable, set it instead within each authentication rule in the config identity-based-policy sub-section.
(null)
profile-type {group | single}
Select whether to add individual UTM profiles or a UTM profile group to the firewall policy.
Available at the policy level only if identity-based is disable. If identity-based is enable, set it instead within each authentication rule in the config identity-based-policy sub-section.
single
proxy {web | ftp | wanopt}
Select the type of proxy to configure.
No default.
replacemsg-group <name_str>
For FortiOS Carrier, enter the name of the replacement message group to add to the firewall policy.
This option appears only if identity-based is disable and utm-status is enable.
default
replacemsg-override-group <group_string>
Select a replacement message override group from the configured groups. This overrides the default replacement messages for this policy.
 
require-tfa {enable | disable}
Enable to require two-factor authentication.
disable
schedule <name_str>
Enter the name of the one-time or recurring schedule or schedule group to use for the policy.
No default.
service <name_str>
Enter the name of one or more services, or a service group, to match with the firewall policy. Separate multiple services with a space.
No default.
service-negate {enable | disable}
Enable to negate service match. This causes service to specify what the service must not be.
disable
spamfilter-profile <name_str>
Enter the name of the email filter profile to add to the firewall policy.
This option appears only if identity-based is disable and utm-status is enable. A profile-protocol-options profile must also be set for the email filter profile to take effect.
(null)
srcaddr <name_str>
srcaddr6 <name_str>
Enter one or more source firewall addresses for the policy. Separate multiple firewall addresses with a space.
Use srcaddr6 for IPv6 addresses.
No default.
srcaddr-negate {enable | disable}
Enable to negate srcaddr match. This causes srcaddr to specify what the source address must not be.
disable
ssl-ssh-profile <profile_name>
Enter the SSL-SSH profile to apply. See firewall ssl-ssh-profile.
No default.
sso-auth-method {fsso | rsso}
Select the passive (single sign-on) authentication method: fsso for Fortinet Single Sign-On or rsso for RADIUS Single Sign-On. If passive authentication fails, active-auth-method is used, if set.
null
status {enable | disable}
Enable or disable the policy.
enable
tags <tags_str>
Enter object tags applied to this policy. Separate tag names with spaces.
null
transaction-based {enable | disable}
 
disable
transparent {enable | disable}
Enable or disable transparent web-proxy operation, in which connections the proxy makes to the destination server use the client's source IP address rather than the FortiGate unit's address. Available when proxy is web.
disable
users <user_name_list>
Enter the users to whom this policy applies. Separate names with spaces.
No default.
utm-status {disable | enable}
Enable or disable UTM for the firewall policy. If you enable UTM you must add one or more UTM profiles and sensors (or a group profile) to the firewall policy.
Available at the policy level only if identity-based is disable. If identity-based is enable, set it instead within each authentication rule in the config identity-based-policy sub-section.
disable
uuid <uuid_str>
The Universally Unique IDentifier (UUID) for this policy. This value cannot be set. It is assigned automatically and is used in logs.
auto-assigned
voip-profile <name_str>
Enter the name of the VoIP profile to add to the firewall policy.
This option appears only if identity-based is disable and utm-status is enable.
(null)
web-auth-cookie {enable | disable}
Enable to reduce the number of authentication requests to the authentication server when session-based authentication is used with the explicit web proxy: after the user authenticates once, the proxy sets a cookie that identifies the authenticated session on subsequent requests. Available only when session-based authentication is in use (ip-based is disable).
disable
webcache {disable | enable}
Enable or disable WAN optimization web caching for HTTP traffic accepted by the firewall policy. This option is available only on FortiGate units that support WAN Optimization and web caching.
disable
webcache-https {disable | any | ssl-server}
Select the level of web caching for HTTPS traffic.
disable — no caching of HTTPS traffic
any — use SSL offloading for traffic to a matched SSL server; other HTTPS traffic is intercepted in the same way as an HTTPS deep scan
ssl-server — cache only traffic to a matched SSL server whose port matches the HTTPS port in the protocol options profile, or 443 if no protocol options profile is defined
This field is not available if proxy is ftp or wanopt.
disable
webfilter-profile <name_str>
Enter the name of the web filtering profile to add to the firewall policy.
This option appears only if identity-based is disable and utm-status is enable. A profile-protocol-options profile must also be set for the web filtering profile to take effect.
(null)
webproxy-forward-server <fwd_srv_name_string>
Enter the name of the web-proxy forward server to which the explicit proxy forwards requests accepted by this policy.
Available if proxy is web.
No default.
webproxy-profile <profile_name>
Enter the name of the web proxy profile to apply to traffic accepted by this policy.
No default.