FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Divya_N
Staff
Article Id 283162
Description: This article describes the case where, after a migration or a configuration mistake, the ports defined under the profile protocol options are no longer the default ports, so HTTP traffic is no longer redirected to the transparent proxy policy.
Scope: FortiOS.
Solution

To configure a transparent proxy in the CLI:

  1. Configure a regular firewall policy with HTTP redirect:

    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set http-policy-redirect enable  <--
            set fsso disable
            set ssl-ssh-profile "deep-inspection"
            set nat enable
        next
    end

  2. Configure a transparent proxy policy:

    config firewall proxy-policy
        edit 0
            set proxy transparent-web
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "webproxy"
            set action accept
            set schedule "always"
        next
    end

The setting 'HTTP Policy Redirect' affects only web (HTTP and HTTPS) traffic.

HTTP traffic is defined by the port(s) configured in 'Proxy Options' (profile-protocol-options).

Traffic for any other ports will be forwarded to the regular firewall policy.

In general, traffic to the transparent proxy will hit the regular firewall policy first, and then it will be redirected to the transparent proxy policy.

Sometimes, the ports defined under the protocol options might no longer be the default ports.

For example, the port number for HTTP might have been changed to 400; in such cases, it is necessary to create a custom protocol options profile and set the HTTP port to the default port 80 on the regular firewall policy so that the policy redirection will happen properly.

A new custom protocol options profile can be created as follows:

Navigate to Policy & Objects -> Protocol Options and select Create New.

Create a custom protocol options profile (make sure the default port for HTTP is set to 80) and apply it to the firewall policy.

After changing these settings, the traffic hitting the regular firewall policy will be redirected to the transparent proxy policy.
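As an added check that is not part of this article, the following Python script parses FortiOS 'show' output and flags every policy that has HTTP policy redirect enabled but whose protocol options profile no longer classifies the expected HTTP port as HTTP. The sample configuration is constructed; the script assumes that a policy without an explicit profile-protocol-options uses the 'default' profile and that settings omitted by 'show' keep their FortiOS defaults.

```python
import shlex

# Constructed FortiOS CLI output (not from a real device); profile 'default' uses HTTP port 400.
SAMPLE_CONFIG = """
config firewall profile-protocol-options
    edit "default"
        config http
            set ports 400
        end
    next
    edit "clean"
    next
end
config firewall policy
    edit 1
        set http-policy-redirect enable
        set profile-protocol-options "default"
    next
    edit 2
        set http-policy-redirect enable
        set profile-protocol-options "clean"
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/set/next/end CLI blocks into nested dicts."""
    stack = [{}]
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):   # open a nested scope
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":              # 'set key v1 v2' -> key: [v1, v2]
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):    # close the current scope
            stack.pop()
    return stack[0]

def redirect_port_issues(cfg, http_port="80"):
    """Flag policies with HTTP policy redirect on whose protocol options profile
    does not classify http_port as HTTP ('show' omits defaults, so 80 is assumed)."""
    profiles = cfg.get("firewall profile-protocol-options", {})
    issues = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        redirect = pol.get("http-policy-redirect", ["disable"])[0] != "disable"
        prof = pol.get("profile-protocol-options", ["default"])[0]  # assumed default name
        ports = profiles.get(prof, {}).get("http", {}).get("ports", ["80"])
        if redirect and http_port not in ports:
            issues.append((pid, prof, ports))
    return issues
```

Feed it the output of 'show firewall profile-protocol-options' and 'show firewall policy' concatenated; each tuple returned names a policy whose web traffic will stay on the regular firewall policy instead of reaching the transparent proxy policy.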


The redirection can be verified from the forward traffic logs. To confirm the flow, use the debug flow, packet captures (sniffer verbose levels 4 and 6), and the session list.

Note:

In v7.6.3 and above, proxy-policy matching for transparent-proxy HTTPS deep inspection now occurs during the SSL handshake, similar to certificate-inspection. Previously, FortiGate would complete the SSL handshake first and only then re-match the proxy policy when the HTTPS request was decrypted.

The legacy option may lead to inconsistent results. For example, if SSL bypass is configured at the firewall-policy stage, the traffic may never reach proxy-policy matching. This creates potential gaps and makes the configuration less predictable.

Legacy mode can still be enabled in the firewall policy:

    config firewall policy
        edit <id>
            set http-policy-redirect legacy
        next
    end

Debugging:

    diagnose wad filter src <x.x.x.x>
    diagnose wad filter dst <Destination IP>  <----- Skip this command if the destination IP is unknown.
    diagnose wad debug enable category all
    diagnose wad debug enable level verbose
    diagnose debug console timestamp enable
    diagnose debug enable