web-proxy : global
 
global
Configure global web-proxy settings that control how the web proxy functions and handles web traffic. In most cases you should not have to change the default settings of this command. If your FortiGate unit is operating with multiple VDOMs, these settings affect all VDOMs.
Syntax
config web-proxy global
set forward-proxy-auth {enable | disable}
set forward-server-affinity-timeout <minutes_int>
set max-message-length <kBytes>
set max-request-length <kBytes>
set proxy-fqdn <fqdn>
set strict-web-check {enable | disable}
set tunnel-non-http {enable | disable}
set unknown-http-version {tunnel | best-effort | reject}
set webproxy-profile <profile_name>
end
 
Variables

forward-proxy-auth {enable | disable}
In explicit mode, enable to forward proxy authentication headers. By default, proxy authentication headers are blocked by the explicit web proxy. Enable this option if you need to allow proxy authentication through the explicit web proxy.
This option does not apply to web proxy transparent mode, because in transparent mode proxy authentication headers are always forwarded by the web proxy.
Default: disable

forward-server-affinity-timeout <minutes_int>
Traffic from a source IP address stays attached to its assigned forward server until this timeout expires. Range: 6 to 60 minutes.
Default: 30

max-message-length <kBytes>
Set the maximum length, in kBytes, of the HTTP message, not including the body. Range: 16 to 256.
Default: 32

max-request-length <kBytes>
Set the maximum length, in kBytes, of the HTTP request line. Range: 2 to 64.
Default: 4

proxy-fqdn <fqdn>
Set the fully qualified domain name (FQDN) for the proxy.
This is the domain that clients connect to.
Default: default.fqdn

strict-web-check {enable | disable}
Enable to block web sites that send incorrect headers that do not conform to HTTP 1.1 as described in RFC 2616.
Disable to allow and cache web sites that send incorrect headers that do not conform to the RFC. This option is disabled by default so that web sites are not blocked. You can enable this option if you want to increase security by blocking sites that do not conform. Enabling this option may block some commonly used web sites.
Default: disable

tunnel-non-http {enable | disable}
Enable to allow non-HTTP traffic.
Default: enable

unknown-http-version {tunnel | best-effort | reject}
Select how to handle traffic if the HTTP version is unknown:
tunnel: tunnel the traffic
best-effort: proceed with best effort
reject: reject the traffic
Default: best-effort

webproxy-profile <profile_name>
 
No default.
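
The following Python audit is an added example, not part of the original reference and not Fortinet tooling. It reads the config web-proxy global block from a configuration backup, applies the defaults and ranges listed above to options that are not set, and reports out-of-range values and options left at their more permissive value. The PERMISSIVE grouping, the function names, the sample configuration and the treatment of unset options as defaults are assumptions of this example.

```python
# Defaults, value ranges and choices copied from the variable reference on this page.
SPEC = {
    "forward-proxy-auth": ("disable", {"enable", "disable"}),
    "forward-server-affinity-timeout": ("30", (6, 60)),
    "max-message-length": ("32", (16, 256)),
    "max-request-length": ("4", (2, 64)),
    "proxy-fqdn": ("default.fqdn", None),
    "strict-web-check": ("disable", {"enable", "disable"}),
    "tunnel-non-http": ("enable", {"enable", "disable"}),
    "unknown-http-version": ("best-effort", {"tunnel", "best-effort", "reject"}),
    "webproxy-profile": (None, None),
}
# Assumption of this example: these values pass more traffic, so they get a review note.
PERMISSIVE = {"forward-proxy-auth": {"enable"}, "strict-web-check": {"disable"},
              "tunnel-non-http": {"enable"}, "unknown-http-version": {"tunnel", "best-effort"}}
# Constructed sample of a configuration backup fragment, not taken from a real device.
SAMPLE = """config web-proxy global
    set proxy-fqdn "proxy.example.test"
    set max-request-length 128
    set unknown-http-version reject
    set forward-proxy-auth enable
end
"""

def parse_web_proxy_global(config_text):
    """Return the explicit `set` values found inside `config web-proxy global`."""
    values, inside = {}, False
    for line in config_text.splitlines():
        words = line.split()
        if words == ["config", "web-proxy", "global"]:
            inside = True
        elif inside and words == ["end"]:
            break
        elif inside and len(words) >= 3 and words[0] == "set":
            values[words[1]] = " ".join(words[2:]).strip('"')
    return values

def audit(config_text):
    """Return sorted (level, option, value) findings; unset options use the default."""
    explicit = parse_web_proxy_global(config_text)
    findings = [("unlisted", o, v) for o, v in explicit.items() if o not in SPEC]
    for opt, (default, rule) in SPEC.items():
        value = explicit.get(opt, default)
        in_range = isinstance(rule, tuple) and value.isdigit() and rule[0] <= int(value) <= rule[1]
        if rule and not (in_range or value in rule):
            findings.append(("invalid", opt, value))
        elif value in PERMISSIVE.get(opt, ()):
            findings.append(("review", opt, value))
    return sorted(findings)
```

A "review" finding is only a prompt to confirm the setting is intended; as the strict-web-check description notes, the stricter value may block some commonly used web sites.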