web-proxy : explicit
Use this command to enable the explicit web proxy, and configure the TCP port used by the explicit proxy.
Syntax
config web-proxy explicit
set status {enable | disable}
set ftp-over-http {enable | disable}
set socks {enable | disable}
set http-incoming-port <http_port_int>
set https-incoming-port <https_port_int>
set ftp-incoming-port <ftp_port_int>
set socks-incoming-port <socks_port_int>
set incoming-ip <incoming_interface_ipv4>
set incoming-ip6 <incoming_interface_ipv6>
set ipv6-status {enable | disable}
set outgoing-ip <outgoing_interface_ipv4> [<outgoing_interface_ipv4> ... <outgoing_interface_ipv4>]
set outgoing-ip6 <outgoing_interface_ipv6> [<outgoing_interface_ipv6> ... <outgoing_interface_ipv6>]
set unknown-http-version {best-effort | reject}
set realm <realm_str>
set sec-default-action {accept | deny}
set pac-file-server-status {enable | disable}
set pac-file-server-port <pac_port_int>
set pac-file-name <pac_file_str>
set pac-file-data <pac_file_str>
set pac-file-url <url_str>
set ssl-algorithm {low | medium | high}
end
Variable | Description | Default
status {enable | disable}
Enable the explicit web proxy for HTTP and HTTPS sessions.
disable
ftp-over-http {enable | disable}
Configure the explicit proxy to proxy FTP sessions sent from a web browser.
The explicit proxy only supports FTP with a web browser and not with a standalone FTP client.
disable
socks {enable | disable}
Configure the explicit proxy to proxy SOCKS sessions sent from a web browser. For information about SOCKS, see RFC 1928. The explicit web proxy supports SOCKS 4 and 5.
disable
http-incoming-port <http_port_int>
Enter the port number that HTTP traffic from client web browsers uses to connect to the explicit proxy. The range is 0 to 65535. Explicit proxy users must configure their web browser’s HTTP proxy settings to use this port.
8080
https-incoming-port <https_port_int>
Enter the port number that HTTPS traffic from client web browsers uses to connect to the explicit proxy. The range is 0 to 65535. Explicit proxy users must configure their web browser’s HTTPS proxy settings to use this port.
The default value of 0 means use the same port as HTTP.
0
ftp-incoming-port <ftp_port_int>
Enter the port number that FTP traffic from client web browsers uses to connect to the explicit proxy. The range is 0 to 65535. Explicit proxy users must configure their web browser’s FTP proxy settings to use this port.
The default value of 0 means use the same port as HTTP.
0
socks-incoming-port <socks_port_int>
Enter the port number that SOCKS traffic from client web browsers uses to connect to the explicit proxy. The range is 0 to 65535. Explicit proxy users must configure their web browser’s SOCKS proxy settings to use this port.
The default value of 0 means use the same port as HTTP.
0
incoming-ip <incoming_interface_ipv4>
Enter the IP address of the FortiGate unit interface that should accept sessions for the explicit web proxy. Use this option to restrict the explicit web proxy to accepting sessions on only one FortiGate interface.
The destination IP address of explicit web proxy sessions must match this IP address.
This field is not available in Transparent mode.
0.0.0.0
incoming-ip6 <incoming_interface_ipv6>
Enter the IPv6 address of the FortiGate unit interface that should accept sessions for the explicit web proxy. Use this option to restrict the explicit web proxy to accepting sessions on only one FortiGate interface.
This option is available only when ipv6-status is set to enable.
::0
ipv6-status {enable | disable}
Enable or disable IPv6 web-proxy operation.
disable
outgoing-ip <outgoing_interface_ipv4> [<outgoing_interface_ipv4> ... <outgoing_interface_ipv4>]
Enter the IP address of the FortiGate unit interface through which explicit web proxy sessions should exit the FortiGate unit. Multiple interfaces can be specified. Use this option to restrict the explicit web proxy to allowing sessions to exit from only the listed FortiGate interfaces.
This IP address becomes the source address of web proxy sessions exiting the FortiGate unit.
This field is not available in Transparent mode.
0.0.0.0
outgoing-ip6 <outgoing_interface_ipv6> [<outgoing_interface_ipv6> ... <outgoing_interface_ipv6>]
Enter the IPv6 address of the FortiGate unit interface through which explicit web proxy sessions should exit the FortiGate unit. Multiple interfaces can be specified. Use this option to restrict the explicit web proxy to allowing sessions to exit from only the listed FortiGate interfaces.
This IP address becomes the source address of web proxy sessions exiting the FortiGate unit.
This field is not available in Transparent mode.
::0
unknown-http-version {best-effort | reject}
Select the action to take when the proxy server must handle a request or message with an unknown HTTP version. Choose either reject or best-effort.
best-effort attempts to handle the HTTP traffic as well as it can. reject treats unknown HTTP traffic as malformed and drops it. The reject option is more secure.
reject
realm <realm_str>
Enter an authentication realm to identify the explicit web proxy. The realm is a text string of up to 63 characters. If the realm includes spaces, enclose it in quotes. Only alphanumeric characters are permitted; FortiOS rejects the string if it contains special characters.
When a user authenticates with the explicit proxy, the HTTP authentication dialog includes the realm, so you can use the realm to identify the explicit web proxy to your users.
default
sec-default-action {accept | deny}
Configure the explicit web proxy to block (deny) or accept sessions when no firewall policies have been added for the explicit web proxy. To add a firewall policy for the explicit web proxy, add a firewall policy and set its source interface to web-proxy.
The default setting denies access to the explicit web proxy until a firewall policy is added. If you set this option to accept, the explicit web proxy server accepts sessions even if you have not defined a firewall policy.
deny
pac-file-server-status {enable | disable}
Enable support for proxy auto-config (PAC). With PAC support enabled, you can configure a PAC file on the FortiGate unit and distribute the URL of this file to your web browser users. These users enter this URL as an automatic proxy configuration URL, and their browsers automatically download the proxy configuration settings.
You can use PAC to provide access to multiple proxy servers and access methods, as well as other features.
To enable PAC, you must edit or replace (by importing) the default PAC file installed on your FortiGate unit.
disable
pac-file-server-port <pac_port_int>
Select the port that PAC traffic from client web browsers uses to connect to the explicit proxy. The range is 0 to 65535. Explicit proxy users must configure their web browser’s PAC proxy settings to use this port.
The default value of 0 means use the same port as HTTP.
0
pac-file-name <pac_file_str>
Change the name of the PAC file. In most cases you can keep the default name.
proxy.pac
pac-file-data <pac_file_str>
Enter the contents of the PAC file that the explicit proxy server makes available for PAC support. Enclose the PAC file text in quotes. You can also copy the contents of a PAC text file and paste them into the CLI using this option: enter the command followed by two quotation marks, then place the cursor between the quotes and paste the file content.
The maximum PAC file size is 8192 bytes.
You can use any PAC file syntax that is supported by your users' browsers. The FortiGate unit does not parse the PAC file.
 
pac-file-url <url_str>
Displays the PAC file URL in the format:
http://<interface_ip>:<PAC_port_int>/<pac_file_str>
For example, if the interface with the explicit web proxy has IP address 172.20.120.122, the PAC port is the same as the default HTTP explicit proxy port (8080), and the PAC file name is proxy.pac, the PAC file URL would be:
http://172.20.120.122:8080/proxy.pac
If the explicit web proxy is enabled on multiple interfaces, there will be multiple PAC URLs. If you have configured an incoming-ip, only one PAC file URL is listed, and it includes the incoming-ip.
Distribute this URL to PAC users.
You cannot use the pac-file-url option to edit the PAC file URL.
 
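Because the FortiGate stores the PAC file verbatim and does not parse it (pac-file-data), the script's correctness and its 8192-byte limit are the administrator's responsibility. The following is an added example PAC file, not from the FortiOS documentation: it sends browsers to the page's example explicit proxy at 172.20.120.122:8080 (the pac-file-url example) and keeps internal traffic direct. The internal domain .corp.example and the 10.0.0.0/8 range are constructed assumptions; the isPlainHostName/dnsDomainIs/isInNet helpers are normally supplied by the browser and are defined here only so the script also runs under Node for checking.

```javascript
// Added example PAC file (not FortiOS's default proxy.pac). Browsers supply
// isPlainHostName/dnsDomainIs/isInNet themselves; these minimal versions let
// the script be checked under Node and are harmless if left in the PAC file.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function isInNet(ip, net, mask) {
  const toInt = (s) => s.split(".").reduce((a, o) => (a << 8) + Number(o), 0) >>> 0;
  return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
}

// Explicit proxy address from the page's PAC URL example (assumed here).
const EXPLICIT_PROXY = "PROXY 172.20.120.122:8080";

function FindProxyForURL(url, host) {
  // Unqualified hostnames and the (constructed) internal domain never leave
  // via the proxy, so internal traffic is not exposed to the proxy path.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // Literal IPv4 addresses in the (constructed) 10.0.0.0/8 range stay direct.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else must go through the explicit proxy. No "; DIRECT"
  // fallback is appended: that would let browsers bypass proxy policy
  // whenever the proxy is unreachable (fail open instead of fail closed).
  return EXPLICIT_PROXY;
}

// The page states a maximum PAC file size of 8192 bytes; check before pasting
// the script into pac-file-data so it is not silently truncated or rejected.
const PAC_MAX_BYTES = 8192;
function pacFitsLimit(source) {
  return Buffer.byteLength(source, "utf8") <= PAC_MAX_BYTES;
}
```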
ssl-algorithm {low | medium | high}
Select the strength of the encryption algorithms accepted for deep scan:
low:    AES, 3DES, RC4, DES
medium: AES, 3DES, RC4
high:   AES, 3DES
medium