There is an option to specify different listening proxy ports on FortiOS for HTTP and HTTPS traffic. While there are two different ports, FortiOS will be listening only that specified protocol traffic on configured port, and all other traffic will be denied. There is no option on Windows to specify two different ports for two different protocols. However, settings can be adjusted in the Mozilla Firefox web browser.

Tests were performed while these settings are set up on FortiGate:

config web-proxy explicit

    set status enable

    set http-incoming-port 8080

    set https-incoming-port 8081

end

For troubleshooting purposes, the following debug processes were enabled:

diagnose debug console timestamp enable 

diagnose wad debug enable category http

diagnose wad debug enable category policy

diagnose wad debug enable level verbose 

diagnose wad debug display pid enable 

diagnose wad filter src x.x.x.x

diagnose wad filter dst y.y.y.y

diagnose debug enable

The following two websites were used:

• HTTP: httpforever.com;
• HTTPS: cheese.com

1. The client's system proxy setting is below - the HTTP port is specified:

The following was the output while the client tried to establish a connection to https://www.cheese.com:

FortiGate debug snippet:

[I]2025-12-17 15:30:11.662783 [p:2182][s:77][r:143]  wad_http_parse_host               :1681  host=[14]www.cheese.com

[I]2025-12-17 15:30:11.662787 [p:2182][s:77][r:143]  wad_http_str_canonicalize         :2196  enc=0 path=/favicon.ico len=12 changes=0

[I]2025-12-17 15:30:11.662794 [p:2182][s:77][r:143]  wad_http_req_detect_special       :16102 captive_portal detected: false, preflight=(null)

[I]2025-12-17 15:30:11.662800 [p:2182][s:77][r:143]  __wad_http_build_replmsg_resp     :789   Generating replacement message. incorrect service repmsg_id 12

..

..

hreq=0x7f5f194e88e8 Forward response from Internal:

HTTP/1.1 403 Forbidden

Connection: close

The following output was observed while the client tried to establish a connection to http://www.httpforever.com:

FortiGate debug snippet:

[I]2025-12-17 15:33:14.864760 [p:2182][s:85][r:161]  wad_http_req_policy_set           :11318 match policy-id=1(pol_ctx:xhf|Ad|7|=d) vd=0(ses_ctx:x|Ph|Me|Hh|C|A7|O) (192.168.42.2:57947@5 -> 146.190.62.39:80@4)

...

...

Forward response from Internal:

HTTP/1.1 200 Connection established 

2. The client's system proxy settings are as follows - the HTTPS port is specified:

The following output was observed while the client tried to establish a connection to https://www.cheese.com:

FortiGate debug snippet:

[I][p:2182][s:1822][r:1125] wad_http_req_policy_set :11318 match policy-id=1(pol_ctx:xhcf|Ad|7?|=d) vd=0(ses_ctx:x|Ph|Me|H|C|A7|O) (192.168.42.2:53026@5 -> 195.149.84.43:443@4)

..

..

[I][p:2182][s:1822][r:1125] wad_dump_fwd_http_resp            :2936  hreq=0x7f5f194e6f68 Forward response from Internal:

HTTP/1.1 200 Connection established

There is an option to specify two different ports in the Mozilla Firefox web browser:

It allows using specified ports for the specific protocol. The first screenshot is a connection to httpforever.com, and the second screenshot is a connection to cheese.com:

Related documents:

Technical Tip: FortiGate secure-explicit-proxy modes behavior

FortiGate - Administrator Guide - Create or edit an explicit proxy