Chapter 22 WAN Optimization, Web Cache, Explicit Proxy, and WCCP for FortiOS 5.0 : The FortiGate explicit web proxy : Explicit web proxy configuration overview : General configuration steps
  
General configuration steps
You can use the following general steps to configure the explicit web proxy.
To enable the explicit web proxy - web‑based manager
1. Go to System > Network > Explicit Proxy. Select Enable Explicit Web Proxy to turn on the explicit web proxy for HTTP and HTTPS traffic.
You can also select FTP to enable the web proxy for FTP over HTTP sessions in a web browser (not an FTP client) and PAC to enable automatic proxy configuration.
You can also optionally change the HTTP port that the proxy listens on (the default is 8080) and optionally specify different ports for HTTPS, FTP, and PAC.
2. Select Apply.
The default explicit web proxy configuration has Default Firewall Policy Action set to Deny and requires you to add a security policy to allow access to the explicit web proxy. This configuration is recommended as a best practice because you can use security policies to control access to the explicit web proxy and also apply security features such as logging, security profiles, and authentication (by adding identity-based policies).
3. Go to System > Network > Interface and select one or more interfaces for which to enable the explicit web proxy. Edit the interface configuration and select Enable Explicit Web Proxy.
 
Enabling the explicit web proxy on an interface connected to the Internet is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address. If you enable the proxy on such an interface, make sure authentication is required to use the proxy.
4. Go to Firewall Objects > Address > Addresses and select Create New to add a firewall address that matches the source address of packets to be accepted by the explicit proxy.
Name: Internal_subnet
Type: IP Range
Subnet / IP Range: 10.31.101.1 - 10.31.101.255
Source Address: Internal_subnet
Interface: Any*
*The Interface must be set to Any.
5. Go to Policy > Policy > Policy and select Create New and set the Incoming Interface to web-proxy. Configure the security policy as required to accept the traffic that you want to be allowed to use the explicit web proxy.
The source address of the policy must match client source IP addresses. The interface of this firewall address must be set to Any.
The destination address of the policy should match the IP addresses of web sites that clients are connecting to. Usually the destination address would be all if proxying Internet web browsing.
If Default Firewall Policy Action is set to Deny, traffic sent to the explicit web proxy that is not accepted by a web-proxy security policy is dropped. If Default Firewall Policy Action is set to Allow, then all web-proxy sessions that don't match a security policy are allowed.
For example, the following security policy allows users on an internal network to access the Internet through the wan1 interface of a FortiGate unit.
Policy Type: Firewall
Policy Subtype: Address
Incoming Interface: web-proxy
Source Address: Internal_subnet
Outgoing Interface: wan1
Destination Address: all
Service: webproxy
Action: ACCEPT
Set the Policy Subtype to User Identity to require authentication to access the explicit web proxy. For example:
Policy Type: Firewall
Policy Subtype: User Identity
Incoming Interface: web-proxy
Source Address: Internal_subnet
Outgoing Interface: wan1
Destination Address: all
Service: webproxy
Select Create New to add an Authentication Rule and configure the rule as follows:
Groups: Proxy-Group
Users: (optional)
Schedule: always
Action: ACCEPT
Add security profiles as required.
You can add multiple user identity policies to apply different authentication to different user groups and users, and also to apply different security profile and logging settings to each group.
6. Select OK.
To enable the explicit web proxy - CLI
1. Enter the following command to turn on the explicit web proxy for HTTP and HTTPS traffic.
config web-proxy explicit
    set status enable
end
You can also enter the following command to enable the web proxy for FTP sessions in a web browser.
config web-proxy explicit
    set ftp-over-http enable
end
The default explicit web proxy configuration has sec-default-action set to deny and requires you to add a security policy to allow access to the explicit web proxy.
2. Enter the following command to enable the explicit web proxy for the internal interface.
config system interface
    edit internal
        set explicit-web-proxy enable
    next
end
3. Use the following command to add a firewall address that matches the source address of users who connect to the explicit web proxy.
config firewall address
    edit Internal_subnet
        set type iprange
        set start-ip 10.31.101.1
        set end-ip 10.31.101.255
    end
The source address for a web-proxy security policy cannot be assigned to a FortiGate interface.
4. Use the following command to add a security policy that allows all users on the 10.31.101.0 subnet to use the explicit web proxy for connections through the wan1 interface to the Internet.
config firewall policy
    edit 0
        set srcintf web-proxy
        set dstintf wan1
        set srcaddr Internal_subnet
        set dstaddr all
        set action accept
        set service webproxy
        set schedule always
    end
You can also add authentication to this policy by making it identity-based. The following version of the policy requires users to belong to the Internal_users group, and also applies security profiles and enables traffic logging.
config firewall policy
    edit 0
        set srcintf web-proxy
        set dstintf wan1
        set srcaddr Internal_subnet
        set dstaddr all
        set action accept
        set service webproxy
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups Internal_users
                set utm-status enable
                set profile-protocol-options default
                set av-profile default
                set logtraffic enable
                set schedule always
            end
    end
5. Use the following command to change global web proxy settings, for example, to set the maximum request length for the explicit web proxy to 10:
config web-proxy global
    set max-request-length 10
end
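As an added check that is not part of the Fortinet documentation, the following Python script parses the config / edit / set / next / end CLI grammar used in the steps above and flags the weak settings this section warns about: sec-default-action allow, a web-proxy policy whose source address is all, and the proxy enabled on an Internet-facing interface while an unauthenticated web-proxy policy exists. Which interfaces face the Internet is an assumption the caller supplies; the sample configuration is constructed for the example.

```python
import shlex

def parse_fortios(text):
    stack = [("root", {})]   # (kind, dict) frames; stack[-1] is the block being filled
    for words in filter(None, map(shlex.split, text.splitlines())):
        cmd, args = words[0], words[1:]
        if cmd in ("config", "edit"):       # both open a nested block
            stack.append((cmd, stack[-1][1].setdefault(" ".join(args), {})))
        elif cmd == "set":
            stack[-1][1][args[0]] = args[1:]
        elif cmd == "next":
            stack.pop()
        elif cmd == "end":                  # 'end' inside an edit closes that edit as well
            while stack[-1][0] != "config":
                stack.pop()
            stack.pop()
    return stack[0][1]

def audit_explicit_proxy(text, internet_facing):
    # internet_facing: interface names the caller knows face the Internet (caller's assumption)
    cfg, findings = parse_fortios(text), []
    if cfg.get("web-proxy explicit", {}).get("sec-default-action") == ["allow"]:
        findings.append("sec-default-action allow: proxy sessions matching no policy are permitted")
    pols = {pid: p for pid, p in cfg.get("firewall policy", {}).items()
            if p.get("srcintf") == ["web-proxy"] and p.get("action") == ["accept"]}
    unauth = [pid for pid, p in pols.items() if p.get("identity-based") != ["enable"]]
    for pid, p in pols.items():
        if p.get("srcaddr") == ["all"]:
            findings.append(f"policy {pid}: srcaddr all does not limit which clients may use the proxy")
    for name, iface in cfg.get("system interface", {}).items():
        if iface.get("explicit-web-proxy") == ["enable"] and name in internet_facing and unauth:
            findings.append(f"interface {name}: Internet-facing proxy reachable through unauthenticated policies {unauth}")
    return findings

# Constructed weak configuration modelled on this page's CLI steps (not a real device dump).
SAMPLE = """config web-proxy explicit
    set sec-default-action allow
end
config system interface
    edit wan1
        set explicit-web-proxy enable
    next
end
config firewall policy
    edit 1
        set srcintf web-proxy
        set srcaddr all
        set action accept
    end
"""
```

Running `audit_explicit_proxy(SAMPLE, {"wan1"})` reports all three findings; changing the default action to deny and the source address to Internal_subnet clears the first two.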