FortiGate
atahir
Staff
Article Id 402210
Description This article describes the default behavior of an explicit proxy feature in FortiGate.
Scope FortiGate.
Solution

This article explains the default behavior of the explicit web proxy feature in FortiGate, which is used to proxy HTTP and HTTPS traffic. This is accomplished by configuring client browsers to send requests either directly to the FortiGate or through a Proxy Auto-Configuration (PAC) file.

 

When the explicit web proxy feature is enabled, FortiGate applies a two-tiered policy structure:

  1. Primary proxy policies – These are explicitly defined under the firewall proxy policy.
  2. Secondary proxy policies – These are implicitly applied when no matching primary policy is found.

 

By default, the action of the secondary proxy policy is set with 'sec-default-action deny'. This means that traffic which matches no explicit proxy policy is denied. The default configuration is as follows:

 

config web-proxy explicit
    set sec-default-action deny
end

 

The 'sec-default-action' setting is shown as 'Default Firewall Policy Action' in the GUI.
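The same check can be run offline against saved configuration backups. The following is an added example, not part of the original article or Fortinet tooling: it reads backup-style text, finds each 'config web-proxy explicit' block, and flags an enabled explicit proxy whose 'sec-default-action' is not deny. The sample configurations are constructed; treating a missing 'sec-default-action' as deny follows the default described above, and reading 'status' (assumed to default to disable) to decide whether the proxy is enabled is an assumption of this example.

```python
DEFAULT_ACTION = "deny"  # default value stated in the article
# Constructed samples in backup-file style; not taken from a real device.
SAMPLE_DEFAULT = """\
config web-proxy explicit
    set status enable
end
"""
SAMPLE_OPEN = """\
config web-proxy explicit
    set status enable
    set sec-default-action accept
    config pac-policy
        edit 1
            set status disable
        next
    end
end
"""

def explicit_proxy_blocks(config_text):
    """Return the top-level 'set' values of each 'config web-proxy explicit' block."""
    blocks, current, depth = [], None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if current is None:
            if line == "config web-proxy explicit":
                current, depth = {}, 1
        elif line.startswith("config "):
            depth += 1  # nested table: its 'set' lines are not block settings
        elif line == "end":
            depth -= 1
            if depth == 0:
                blocks.append(current)
                current = None
        elif depth == 1 and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                current[parts[1]] = parts[2].strip('"')
    return blocks

def audit(config_text):
    """Flag enabled explicit proxies whose unmatched traffic is not denied."""
    results = []
    for settings in explicit_proxy_blocks(config_text):
        action = settings.get("sec-default-action", DEFAULT_ACTION)
        enabled = settings.get("status", "disable") == "enable"
        results.append({"enabled": enabled, "action": action,
                        "flagged": enabled and action != "deny"})
    return results
```

Calling audit() on the text of a backup returns one entry per block, so a multi-VDOM file with several explicit proxy sections yields several results.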

 


 

To verify the current configuration on the device, the following commands can be used:

 

config web-proxy explicit
    show full