FortiGate Proxy Policy Mastery: Configuring Web Traffic Security and Control
FortiGate proxy policies represent a critical security layer in modern network architecture, providing granular control over web traffic through either explicit or transparent inspection methods. These policies enable organizations to enforce security protocols, monitor user activity, and protect against web-based threats while complying with organizational internet usage policies. By implementing properly configured proxy policies, network administrators can establish a robust defensive perimeter that integrates seamlessly with Fortinet's Unified Threat Management (UTM) ecosystem, offering comprehensive protection against evolving cyber threats. This guide synthesizes official documentation and expert insights to provide a comprehensive roadmap for implementing effective proxy security in FortiGate environments.
Understanding FortiGate Proxy Policy Fundamentals
FortiGate firewalls offer two primary approaches to proxy-based traffic inspection: explicit proxy and transparent proxy. Each serves distinct use cases and deployment scenarios, with the explicit proxy requiring client-side configuration while transparent proxy operates invisibly to end users. These proxy methods form the foundation of FortiGate's web filtering capabilities, enabling administrators to intercept, analyze, and control HTTP/HTTPS traffic based on organizational security policies.
The explicit proxy approach necessitates client configuration where browsers or system settings must be explicitly directed to forward web traffic to the FortiGate device acting as a proxy server. This method provides superior user authentication capabilities and detailed logging, making it ideal for corporate environments requiring strict browsing controls and user-level visibility. In contrast, transparent proxy (often called "web filtering without user configuration") intercepts web traffic silently without requiring client adjustments, leveraging policy-based routing or VLAN interfaces to redirect traffic automatically.
"Explicit Proxy requires the client (browser or system) to be explicitly configured to forward web traffic to the FortiGate acting as a proxy. This allows FortiGate to intercept, inspect, and control user access based on policies." - Greg, 0nol Technical Article
Configuring Explicit Proxy Policies
Initial Setup and Activation
Before creating explicit proxy policies, administrators must first enable the explicit proxy functionality on the FortiGate device. Navigate to Network > Explicit Proxy in the GUI and enable the proxy service, configuring the HTTP/HTTPS/FTP ports as needed (default port is 8080 for HTTP). For environments requiring restricted access, specify the incoming IP addresses that are permitted to use the proxy service. This granular access control ensures only authorized network segments can utilize the proxy resources.
The CLI equivalent for this foundational configuration is:
```fortios
config web-proxy explicit
    set status enable
    set http-port 8080
    set incoming-ip 192.168.1.1 255.255.255.0
end
```
Policy Creation and Security Integration
Once the explicit proxy is enabled, proceed to Policy & Objects > Proxy Policy and select Create New. Configure the following essential parameters:
- Proxy Type: Select "Explicit Web"
- Outgoing Interface: Specify the egress interface (e.g., port1 for WAN connectivity)
- Source/Destination: Define address objects or groups (initially "all" for testing)
- Service: Set to "webproxy" or "web" depending on FortiOS version
- Action: Typically "ACCEPT" for permitted traffic
- Schedule: Define time constraints (use "always" for continuous protection)
The security profiles section represents the core protective capability where administrators attach pre-configured security profiles. According to Fortinet documentation, explicit web proxy policies support comprehensive security integrations including:
- AntiVirus (av-profile)
- Web Filter (webfilter-profile)
- Application Control (application-list)
- IPS (ips-sensor)
- DLP Profile (dlp-profile)
- ICAP (icap-profile)
- Web Application Firewall (waf-profile)
- SSL Inspection (ssl-ssh-profile)
The CLI configuration mirrors these selections:
```fortios
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "web"
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "av"
        set webfilter-profile "urlfilter"
        set dlp-profile "dlp"
        set ips-sensor "sensor-1"
        set application-list "app"
        set icap-profile "default"
        set waf-profile "default"
        set ssl-ssh-profile "deep-inspection"
    next
end
```
Client Configuration and Authentication
The final step in explicit proxy deployment involves configuring client devices to use the FortiGate proxy. This requires setting the FortiGate IP address and designated proxy port (typically 8080) in browser or system network settings. For enterprise environments, administrators can push these settings via group policy or mobile device management solutions to ensure consistent deployment.
FortiGate offers multiple authentication options for explicit proxy, each suited to different organizational needs:
- FSSO (Fortinet Single Sign-On): Recommended for seamless Active Directory integration
- NTLM: Browser-based authentication with some browser limitations
- LDAP/Radius: Prompt-based login pages for credential validation
- Local Users: FortiGate-managed credentials for smaller deployments
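The following is an added example (not from the page's source or Fortinet's documentation) of tying an explicit proxy policy to an FSSO group so that only identified Active Directory users get web access, and every session is logged with a user name. It assumes an FSSO collector agent is already configured under `config user fsso`, that the group DN and the profile names `urlfilter` and `deep-inspection` exist, and that `port1` is the WAN interface.

```fortios
# Map an AD group learned from the FSSO collector agent to a FortiGate user group.
# The DN below is a constructed placeholder; use the DN reported by your collector.
config user group
    edit "AD-Web-Users"
        set group-type fsso-service
        set member "CN=Web-Users,OU=Groups,DC=example,DC=com"
    next
end

# Explicit web proxy policy that matches only members of that group.
# Sessions from unidentified hosts fall through to the implicit deny.
config firewall proxy-policy
    edit 3
        set name "Explicit-Web-AD-Users"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "AD-Web-Users"
        set logtraffic all
        set utm-status enable
        set webfilter-profile "urlfilter"
        set ssl-ssh-profile "deep-inspection"
    next
end
```

Place this policy above any broader explicit-web policy, since proxy policies are matched top-down and a catch-all `srcaddr all` policy without `set groups` would otherwise admit unauthenticated hosts.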
Implementing Transparent Proxy Policies
Deployment Methodology
Transparent proxy policies operate fundamentally differently from their explicit counterparts, requiring no client-side configuration while still providing substantial web filtering capabilities. To implement transparent proxy, navigate to Policy & Objects > Proxy Policy, select Create New, and specify "Transparent Web" as the proxy type. Unlike explicit proxy configurations, transparent proxy requires definition of both incoming and outgoing interfaces, as traffic is intercepted between network segments rather than directed by client configuration.
The essential configuration parameters include:
- Proxy Type: "Transparent Web"
- Incoming Interface: Internal network interface (e.g., port2)
- Outgoing Interface: External-facing interface (e.g., port1)
- Source/Destination: Appropriate address objects
- Service: Typically "webproxy"
- Action: "ACCEPT" for permitted traffic
Security Profile Integration
Transparent proxy policies support nearly the same set of security profiles as explicit proxy policies, including AntiVirus, Web Filter, DNS Filter, Application Control, IPS, DLP, ICAP, Web Application Firewall, File Filter, and SSL Inspection. The configuration process follows the same pattern of attaching pre-configured security profiles to the proxy policy, with the distinction that traffic is intercepted transparently rather than explicitly directed by the client.
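The page gives only the GUI parameters for transparent proxy, so here is an added CLI example (not from the page's source or Fortinet's documentation) covering both the transparent-web proxy policy and the firewall policy that hands LAN-to-WAN web sessions to it. It assumes `port2` is the internal interface, `port1` is the WAN interface, and the `default` and `deep-inspection` profiles exist; the `set inspection-mode proxy` and `set http-policy-redirect enable` options are an assumption that applies to FortiOS 6.2 and later and should be checked against your release.

```fortios
# 1. The transparent web proxy policy. Unlike explicit-web, srcintf is mandatory
#    because the FortiGate intercepts traffic between two interfaces.
config firewall proxy-policy
    edit 2
        set name "Transparent-Web-LAN"
        set proxy transparent-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set ssl-ssh-profile "deep-inspection"
    next
end

# 2. The regular firewall policy must be in proxy inspection mode and redirect
#    HTTP/HTTPS into the proxy policy table; without http-policy-redirect the
#    proxy policy above is never consulted and traffic is only flow-inspected.
config firewall policy
    edit 0
        set name "LAN-to-WAN-web-redirect"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTP" "HTTPS"
        set action accept
        set schedule "always"
        set inspection-mode proxy
        set http-policy-redirect enable
        set ssl-ssh-profile "deep-inspection"
        set nat enable
        set logtraffic all
    next
end
```

After committing, `diagnose sniffer packet any 'port 80 or port 443' 4` on `port1` should show only sessions originating from the FortiGate's own WAN address, which confirms the clients' web traffic is being proxied rather than forwarded.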
For environments where traditional transparent proxy policies aren't suitable, FortiGate offers alternative approaches to achieve similar outcomes:
- Policy-Based Web Filtering: Create standard IPv4 policies from LAN to WAN with SSL Inspection enabled and Web Filter profiles attached
- Policy Routing: Route HTTP/HTTPS traffic directly to FortiGate's web filtering engine
- Complementary Controls: Implement DNS filtering and application control for additional enforcement layers
Specialized Proxy Policy Types
FTP Proxy Configuration
FortiGate supports dedicated FTP proxy policies for controlling File Transfer Protocol traffic. When creating an FTP proxy policy, administrators specify "FTP" as the proxy type, with outgoing interface, source/destination addresses, and schedule parameters similar to web proxy configurations. Notably, FTP proxy policies support a more limited set of security profiles compared to web proxies, including only:
- AntiVirus
- Application Control
- IPS
- File Filter
- DLP Profile
This focused security approach reflects the protocol-specific requirements of FTP traffic while maintaining essential threat protection.
FortiManager Proxy Policy Administration
For organizations utilizing FortiManager for centralized firewall management, proxy policies are created within Policy Packages rather than directly on individual devices. The process begins with enabling proxy policy visibility via Policy & Objects > Tools > Feature Visibility, then navigating to the appropriate policy package and selecting Proxy Policy in the tree menu.
FortiManager introduces additional policy options beyond standalone FortiGate configuration, including:
- ZTNA Proxy Type: Zero Trust Network Access integration for secure application access
- Security Posture Tags: Conditional access controls based on device security state
- Policy Blocks: Modular policy components for reusable security configurations
- Enhanced Logging Options: Granular control over traffic logging and reporting
Comparative Analysis: Explicit vs. Transparent Proxy
| Feature | Explicit Proxy | Transparent Proxy |
|---|---|---|
| Client Configuration | Required on each device | Not required |
| Authentication | Supports multiple methods (FSSO, NTLM, LDAP) | Primarily FSSO-based |
| Deployment Complexity | Higher initial setup | Lower initial setup |
| User Experience | Visible to users | Transparent to users |
| Ideal Use Cases | Corporate offices with strict policies, compliance environments | Schools, public Wi-Fi, BYOD environments |
| Logging Granularity | User-level visibility | IP/network-level visibility |
| SSL Inspection | Full support with CA installation | Full support with CA installation |
Security Profiles and Advanced Considerations
SSL Inspection Requirements
Both explicit and transparent proxy configurations require proper SSL inspection setup to effectively analyze encrypted HTTPS traffic. This involves:
- Configuring a deep-inspection SSL/SSH profile
- Installing the FortiGate CA certificate on client devices
- Ensuring proxy policies reference the correct inspection profile
- Testing HTTPS connectivity post-deployment to verify proper certificate handling
Profile Integration Strategy
Security profiles must be created and tuned before proxy policy implementation. Administrators should develop a layered security approach that combines:
- Web filtering for content categorization and access control
- Application control for visibility into application usage
- AntiVirus scanning for malware protection
- IPS signatures for vulnerability exploitation prevention
- DLP policies for sensitive data protection
Real-World Deployment Scenarios
Different organizational environments benefit from tailored proxy implementations:
- Corporate Offices: Explicit proxy with authentication, comprehensive logging, and strict access controls
- Educational Institutions: Transparent proxy with category-based filtering and minimal user disruption
- Hospitality/Café Environments: Transparent proxy with acceptable use policies and bandwidth management
- Compliance-Driven Organizations: Explicit proxy with detailed logging forwarded to SIEM systems
Troubleshooting and Optimization
Diagnostic Commands
When proxy policies malfunction, several diagnostic tools can identify issues:
```fortios
diagnose debug enable
diagnose debug application proxy -1
diagnose sniffer packet any 'port 8080' 4
```
Common Resolution Strategies
- Proxy Bypass Issues: Implement firewall policies to deny direct internet access, forcing traffic through proxy
- SSL Errors: Verify CA certificate installation on clients and proper deep inspection configuration
- Authentication Failures: Check FSSO agent connectivity or alternative auth method configuration
- Missing Logs: Validate proxy policy logging settings and ensure log disk space is available
Frequently Asked Questions
What's the fundamental difference between explicit and transparent proxy in FortiGate?
Explicit proxy requires client devices to be configured to use the FortiGate as their proxy server, typically through browser or system network settings. This approach provides user-level authentication and detailed logging capabilities. Transparent proxy operates without client configuration by intercepting web traffic at the network layer, making it ideal for environments where configuring individual devices isn't practical, though it offers more limited authentication options primarily through FSSO.
Which authentication methods work with each proxy type?
Explicit proxy supports multiple authentication mechanisms including FSSO (Fortinet Single Sign-On), NTLM, LDAP/Radius, and local user accounts. Transparent proxy primarily relies on FSSO for user identification, as it cannot present authentication prompts to users without breaking the transparent nature of the connection. For transparent proxy deployments requiring user-level controls without FSSO, alternative approaches like captive portals may be necessary.
Can I use the same security profiles for both proxy types?
Yes, both explicit and transparent web proxy policies support largely identical security profiles including AntiVirus, Web Filter, DNS Filter, Application Control, IPS, DLP, ICAP, Web Application Firewall, File Filter, and SSL Inspection. The only specialized proxy type with limited security profile support is FTP proxy, which excludes Web Filter, Application Control, IPS, ICAP, and Web Application Firewall profiles while retaining AntiVirus, DLP, and File Filter capabilities.
How do I force all web traffic through the proxy?
For explicit proxy, you must configure client devices to use the proxy and implement complementary firewall policies that block direct web access (ports 80/443) to ensure compliance. For transparent proxy, traffic is automatically intercepted based on interface configurations, though you may need additional firewall rules to prevent bypass through alternative ports or protocols. Regular monitoring of proxy logs helps identify bypass attempts.
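The bypass-prevention policy referred to in the "Proxy Bypass Issues" item above and in this answer, as an added example (not from the page's source or Fortinet's documentation). It assumes `port2` is the internal interface and `port1` the WAN interface, and that clients reach the explicit proxy on the FortiGate's `port2` address on TCP 8080 (which is traffic to the FortiGate itself and so is not matched by a LAN-to-WAN policy).

```fortios
# Deny direct HTTP/HTTPS from the LAN to the WAN so the only way out is the
# explicit proxy. Logging the denies turns bypass attempts (misconfigured hosts,
# hard-coded proxy settings, curl --noproxy) into visible events.
config firewall policy
    edit 0
        set name "Block-Direct-Web-Bypass"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTP" "HTTPS"
        set action deny
        set schedule "always"
        set logtraffic all
    next
end
```

Move this policy above any general LAN-to-WAN accept policy (`move <id> before <other-id>` under `config firewall policy`), because the first matching policy wins; then confirm with `diagnose sniffer packet port1 'port 80 or port 443' 4` that no client addresses appear as sources.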
What are common mistakes when implementing FortiGate proxy policies?
Frequent implementation errors include: forgetting to enable SSL inspection for HTTPS traffic, not installing the FortiGate CA certificate on client devices, inadequate security profile configuration, overlooking client configuration for explicit proxy deployments, and failing to create necessary firewall policies to prevent proxy bypass. Additionally, organizations often underestimate the performance impact of comprehensive inspection and should properly size their FortiGate devices accordingly.