To enable the explicit web proxy – CLI:
1. Enter the following command to turn on the IPv4 and IPv6 explicit web proxy for HTTP and HTTPS traffic.
config web-proxy explicit set status enable
set ipv6-status enable end
You can also enter the following command to enable the web proxy for FTP sessions in a web browser.
config web-proxy explicit set ftp-over-http enable
end
The default explicit web proxy configuration has sec-default-action set to deny and requires you to add a security policy to allow access to the explicit web proxy.
2. Enter the following command to enable the explicit web proxy for the internal interface.
config system interface edit internal
set explicit-web-proxy enable end
end
3. Use the following command to add a firewall address that matches the source address of users who connect to the explicit web proxy.
config firewall address edit Internal_subnet
set type iprange
set start-ip 10.31.101.1 set end-ip 10.31.101.255
end
The source address for a web-proxy security policy cannot be assigned to a FortiGate interface.
4. Optionally use the following command to add a destination URL that is only used by the explicit proxy. For example, to create an explicit policy that only allows access to Fortinecom:
config firewall address edit Fortinet-web-sites
set type url
set url fortinet.com end
5. Use the following command to add an explicit web proxy policy that allows all users on the internal subnet to use the explicit web proxy for connections through the wan1 interface to the Internet.
config firewall explicit-proxy-policy edit 0
set proxy web
set dstintf wan1
set scraddr Internal_subnet set dstaddr all
set action accept
set service webproxy set schedule always
end
6. Use the following command to add an explicit web proxy policy that allows authenticated users on the internal subnet to use the explicit web proxy for connections through the wan1 interface to the Internet.
config firewall explicit-proxy-policy edit 0
set proxy web
set dstintf wan1
set scraddr Internal_subnet
set dstaddr Fortinet-web-sites set action accept
set service webproxy set schedule always
set identity-based enable config identity-based-policy
edit 1
set groups Proxy-group set schedule always
end
end
7. Use the following command to change global web proxy settings, for example to set the maximum request length for the explicit web proxy to 10:
config web-proxy global
set max-request-length 10 end
When you are authenticating to the explicit proxy, are your credentials passing in clear text from your browser to the proxy?
I believe it does. I will confirm just to be certain.