| Description | This article describes FortiGate’s default behavior when it is operating in the different secure explicit proxy modes. |
| Scope | FortiOS v7.4.0 and above, FortiOS v7.6.0 and above. |
| Solution |
A secure-web-proxy option is available starting with v7.4.0: New features or enhancements (ID - 829476). This article explains how FortiGate behaves when this option is set to its different values. As per the description, there are three values to choose from:

    config web-proxy explicit
        set secure-web-proxy ?
        disable    Disable secure webproxy.
        enable     Enable secure webproxy access.
        secure     Require secure webproxy access.
Meanings:
Outputs are shown below for two of the modes: 'secure' and 'enable'.
Several browsers (for instance, some versions of Edge, and Firefox Mozilla) use an 'HTTP CONNECT' to establish a proxy connection, which could be rejected by a FortiGate configured with the 'secure' mode.
Test 1. FortiGate's explicit-proxy settings:
    config web-proxy explicit
        set status enable
        set secure-web-proxy secure <---
        set http-incoming-port 8080
        set https-incoming-port 8081
        set secure-web-proxy-cert "mu.fgt-nonCA"
    end
Proxy client system settings:
Firefox Mozilla settings on the same host:
Results: The client tried to connect to 'https://www.ifconfig.me'. As per the Wireshark output captured on the proxy client, Mozilla tried to establish a proxy connection with the 'HTTP CONNECT' message:
Outputs while using Chrome browser:
Test 2. Behavior of Firefox Mozilla when 'set secure-web-proxy enable' is applied.

    config web-proxy explicit
        set status enable
        set secure-web-proxy enable
        set http-incoming-port 8080
        set https-incoming-port 8081
        set secure-web-proxy-cert "mu.fgt-nonCA"
    end
Firefox Mozilla outputs while connecting to 'amazon.fr':
Related documents:
Configuring a secure explicit proxy
Technical Tip: Enhancing explicit Web proxy Security through SSL/TLS channel |
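To check from a client which behavior a proxy is showing, the following added example (not Fortinet's code) sends one CONNECT in cleartext to the HTTP port and one inside TLS to the HTTPS port, then maps the two results to the secure-web-proxy value they are consistent with. The mapping is an assumption drawn from the option descriptions above; the function names, the `proxy.example.test` host and the CA file name are hypothetical, and the ports are the ones used in the tests.

```python
import socket
import ssl

def connect_request(target_host, target_port=443):
    """Build the HTTP CONNECT request a browser sends to an explicit proxy."""
    authority = f"{target_host}:{target_port}"
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode("ascii")

def connect_accepted(response):
    """True only if the proxy answered the CONNECT with a 2xx status line."""
    parts = response.split(b"\r\n", 1)[0].split(b" ", 2)
    return (len(parts) >= 2 and parts[0].startswith(b"HTTP/")
            and parts[1].isdigit() and parts[1].startswith(b"2"))

def probe(proxy_host, proxy_port, target_host, use_tls, cafile=None, timeout=5):
    """Send one CONNECT, in cleartext or inside TLS to the proxy itself."""
    sock = None
    try:
        sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
        if use_tls:
            # The proxy certificate (secure-web-proxy-cert) must validate against cafile.
            ctx = ssl.create_default_context(cafile=cafile)
            sock = ctx.wrap_socket(sock, server_hostname=proxy_host)
        sock.sendall(connect_request(target_host))
        return connect_accepted(sock.recv(4096))
    except OSError:  # reset, timeout, refused or failed TLS handshake
        return False
    finally:
        if sock is not None:
            sock.close()

def classify(plain_ok, tls_ok):
    """Assumed mapping from the two probe results to a secure-web-proxy value."""
    return {
        (True, True): "enable",          # cleartext and TLS CONNECT both accepted
        (False, True): "secure",         # only CONNECT inside TLS accepted
        (True, False): "disable",        # only cleartext CONNECT accepted
        (False, False): "inconclusive",  # unreachable, untrusted cert, or policy denial
    }[(plain_ok, tls_ok)]

def check_proxy(proxy_host, target_host="www.ifconfig.me",
                http_port=8080, https_port=8081, cafile=None):
    plain_ok = probe(proxy_host, http_port, target_host, use_tls=False)
    tls_ok = probe(proxy_host, https_port, target_host, use_tls=True, cafile=cafile)
    return classify(plain_ok, tls_ok)

if __name__ == "__main__":
    # Hypothetical proxy name and CA bundle; replace with the lab's own values.
    print(check_proxy("proxy.example.test", cafile="proxy-ca.pem"))
```

A result of "inconclusive" does not identify a mode: authentication or firewall policy on the proxy can refuse both probes regardless of the secure-web-proxy setting.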