Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nalexiou
Staff & Editor
Staff & Editor

Created on ‎09-06-2021 08:43 AM Edited on ‎06-22-2025 01:35 PM By Moderator

Article Id 198187

Technical Tip: How to configure web proxy forwarding server (proxy chaining)

Description

 

This article describes how to configure web proxy forwarding servers to use proxy chaining.

For the explicit web proxy, it is possible toconfigure web proxy forwarding servers to use proxy chaining to redirect web proxy sessions to other proxy servers.
Proxy chaining can be used to forward web proxy sessions from the FortiGate to one or more other proxy servers on the network or on a remote network.

It is possible to use proxy chaining to integrate the FortiGate explicit web proxy with a web proxy solution that already has in place.

A FortiGate can forward sessions to most web proxy servers including a remote FortiGate with the explicit web proxy enabled.
No special configuration of the explicit web proxy on the remote FortiGate is required.

It is possible to deploy the explicit web proxy with proxy chaining in an enterprise environment consisting of small satellite offices and a main office.
If each office has a FortiGate, users at each of the satellite offices can use their local FortiGate as an explicit web proxy server.

The satellite office FortiGate can forward explicit web proxy sessions to an explicit web proxy server at the central office.
From here the sessions can connect to web servers on the Internet.

FortiGate proxy chaining does not support web proxies in the proxy chain authenticating each other.

Related document:
Proxy chaining (web proxy forwarding servers)

 

Scope

 

FortiGate, FortiProxy.

Solution


To add a forwarding server, select 'Create New' in the Web Proxy Forwarding Servers section of the Explicit Proxy page by going to Network -> Explicit Proxy.

Example configuration of a web proxy forwarding server named fwd-srv at address proxy.example.com and port 8080.

                        



To configure the web proxy forwarding server via CLI:

 

config web-proxy forward-server
    edit fwd-srv
        set addr-type fqdn
        set fqdn proxy.example.com
        set port 8080
end

 

To configure a web proxy forwarding server with health check / monitoring the remote web proxy server in CLI:

 

    config web-proxy forward-server
        edit fwd-srv
            set healthcheck enable
            set monitor <remote proxy server url> <----- Health-check monitor.
            set server-down-option pass <----- Allow the proxy forwarding server to stop forwarding to the web proxy server when considered down.
        next
     end


Then add an explicit web proxy forwarding server in the proxy policy:

This security policy allows all users on the internal subnet to use the explicit web proxy for connections through the PORT1 interface to the Internet.
The policy forwards web proxy sessions to a remote forwarding server named fwd-srv.

 
To add the explicit web proxy forwarding server via CLI:
 
config firewall proxy-policy
    edit 1
        set name "example"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "internal subnet"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set webproxy-forward-server "fwd-srv"
    next
end
 

Note 1:

By default, in an explicit proxy-chain setup, FortiGate as child-proxy will perform DNS lookup for the intercepted client HTTP requests. If, for any reason, DNS resolution is not possible, there is the option to configure the FortiGate to exempt the URL from DNS lookup.

 

This is done under the Explicit Proxy configuration using URL Match:

 

Screenshot 2024-04-05 111604.png

 

The configuration should look like this:

 

Screenshot 2024-04-05 112018.png

 

In this example, all traffic will be exempted. If more granularity is needed, specific URLs can be added.

 

In the newer version (v7.6.1), the following command can be enabled if web proxy forwarding server traffic needs to be sent via a specific VRF or interface.

 

config web-proxy forward-server
    edit < name >
        set interface-select-method specify
        set interface < port >
        set vrf-select < vrf-id >
    next
end

 

Note 2: 

In FortiOS v7.6.3, isolator servers can be configured for explicit and transparent proxy policies in the GUI of the FortiGate. Web proxy isolator servers, such as FortiIsolator, are supported in proxy policies. Isolators are fundamentally the same as web proxy forward servers because both will redirect HTTP and HTTPS requests to an HTTP or HTTPS proxy server. However, isolators have the specific function of isolating potentially unsafe traffic from a user environment. For more information, refer to this document: GUI support of isolator servers for proxy policies v7.6.3.

18606
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.