General configuration steps

1. Go to System > Network > Explicit Proxy. Select HTTP/HTTPS beside Enable Explicit Web Proxy to turn on the explicit web proxy for IPv4 HTTP and HTTPS traffic.

You can also select FTP to enable the web proxy for FTP over HTTP sessions in a web browser (not an FTP client) and PAC to enable automatic proxy configuration.

You can also optionally change the HTTP port that the proxy listens on (the default is 8080) and optionally specify different ports for HTTPS, FTP, and PAC.

2. Optionally select Enable IPv6 Explicit Proxy to turn on the explicit web proxy for IPv6 traffic.


	If you enable both the IPv4 and the IPv6 explicit web proxy you can combine IPv4 and IPv6 addresses in a single explicit web proxy policy to allow both IPv4 and IPv6 traffic through the proxy.

The default explicit web proxy configuration has Default Firewall Policy Action set to Deny and requires you to add a security policy to allow access to the explicit web proxy. This configuration is recommended as a best practice because you can use security policies to control access to the explicit web proxy and also apply security features such as logging, UTM, and authentication (by adding identity-based policies).

4. Go to System > Network > Interface and select one or more interfaces for which to enable the explicit web proxy. Edit the interface and select Enable Explicit Web Proxy.


	Enabling the explicit web proxy on an interface connected to the Internet is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address. If you enable the proxy on such an interface make sure authentication is required to use the proxy.

5. Go to Policy & Objects > Objects > Addresses and select Create New to add a firewall address that matches the source address of packets to be accepted by the explicit proxy.


Category	Address
Name	Internal_subnet
Type	IP Range
Subnet / IP Range	10.31.101.1 - 10.31.101.255
Interface	any*

*The Interface must be set to Any.

You can also set the Type to URL Pattern (Explicit Proxy) to add a destination URL that is only used by the explicit proxy. For example, to create an explicit policy that only allows access to Fortinet.com:


Category	Address
Name	Fortinet-web-sites
Type	URL Pattern (Explicit Proxy)
URL Pattern	fortinet.com
Interface	any

6. Go to Policy & Objects > Policy > Explicit Proxy and select Create New. Configure the policy as required to accept the traffic that you want to be allowed to use the explicit web proxy.

The source address of the policy must match the client’s source IP addresses. The interface of this firewall address must be set to any.

The destination address of the policy should match the IP addresses of web sites that clients are connecting to. Usually the destination address would be all if proxying Internet web browsing. You could also specify a URL firewall address to limit the policy to allowing access to this URL.

If Default Firewall Policy Action is set to Deny, traffic sent to the explicit web proxy that is not accepted by a web-proxy policy is dropped. If Default Firewall Policy Action is set to Allow then all web-proxy sessions that don’t match with a security policy are allowed.

For example, the following security policy allows users on an internal network to access fortinet.com websites through the wan1 interface of a FortiGate unit.


Explicit Proxy Type	Web
Source Address	Internal_subnet
Outgoing Interface	wan1
Destination Address	Fortinet-web-sites
Schedule	always
Action	ACCEPT

Add security profiles as required.

7. Select Create New to add another explicit web proxy and set the Action to AUTHENTICATE to require authentication to access the explicit web proxy. For example:


Explicit Proxy Type	Web
Source Address	Internal_subnet
Outgoing Interface	wan1
Destination Address	Fortinet-web-sites
Schedule	always
Action	AUTHENTICATE

Select Create New to add an Authentication Rule and configure the rule as follows:

Groups	Proxy-Group
Source User(s)	(optional)
Schedule	always

Add security profiles as required and select OK.

You can add multiple user identity policies to apply different authentication for different user groups and users and also apply different UTM and logging settings for different user groups.

You can change the User Authentication Options if required. In most cases you can accept the defaults.

1. Enter the following command to turn on the IPv4 and IPv6 explicit web proxy for HTTP and HTTPS traffic.

You can also enter the following command to enable the web proxy for FTP sessions in a web browser.

The default explicit web proxy configuration has sec-default-action set to deny and requires you to add a security policy to allow access to the explicit web proxy.

2. Enter the following command to enable the explicit web proxy for the internal interface.

3. Use the following command to add a firewall address that matches the source address of users who connect to the explicit web proxy.

The source address for a web-proxy security policy cannot be assigned to a FortiGate interface.

4. Optionally use the following command to add a destination URL that is only used by the explicit proxy. For example, to create an explicit policy that only allows access to Fortinet.com:

5. Use the following command to add an explicit web proxy policy that allows all users on the internal subnet to use the explicit web proxy for connections through the wan1 interface to the Internet.

6. Use the following command to add an explicit web proxy policy that allows authenticated users on the internal subnet to use the explicit web proxy for connections through the wan1 interface to the Internet.

7. Use the following command to change global web proxy settings, for example to set the maximum request length for the explicit web proxy to 10: