FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
LennartElbers
Article Id 377452
Description This article describes how the FortiProxy web-proxy URL-match feature works, its impact on traffic handling, and the necessary firewall policy considerations.
Scope FortiProxy.
Solution

The URL match list in FortiProxy is used for two main purposes:

  1. Exempting specific URLs from web caching.
  2. Forwarding specific URLs to a designated web proxy server.

Example Configuration:

Consider the following firewall policy for explicit web proxy traffic:

config firewall policy
    edit 1
        set type explicit-web
        set uuid 7249f4a6-e86f-51ef-08e4-8a7bddc52d7e
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "*.fortinet.com"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set logtraffic all
        set logtraffic-start enable
        set log-http-transaction enable
        set extended-log enable
    next
end

A corresponding web-proxy URL-match configuration:

config web-proxy url-match
    edit "*.fortinet.com"
        set type wildcard
        set url-pattern "*.fortinet.com"
        set forward-server "Fortinet"
    next
end

Behavior Without Web-Proxy URL-Match

If no URL-match rule is applied, traffic flows normally through the explicit-web firewall policy. The log entry shows that the request to fortinet.com is processed under policy 1 (policyid=1) and that the destination IP (dstip=5.5.5.5) is the original server.

Below is a sample log:

date=2025-02-18 time=14:12:19 eventtime=1739916738215154029 tz="-0800" logid="0000000015" type="traffic" subtype="forward" level="notice" vd="root" srcip=2.2.2.2 srcport=65189 srcintf="port1" dstip=5.5.5.5 clientip=2.2.2.2 dstport=80 dstintf="port1" sessionid=785873094 proto=6 action="start" policyid=1 service="HTTP" trandisp="noop" url="http://fortinet.com/" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"


Behavior With Web-Proxy URL-Match

Once the URL-match rule is applied, FortiProxy redirects matched traffic to the configured forward server. The log entry shows the request to training.fortinet.com being forwarded: it still matches policyid=1, but the destination IP has changed to the forward server (dstip=1.1.1.1).

The following log illustrates the change:

date=2025-02-18 time=14:24:01 eventtime=1739917441381530770 tz="-0800" logid="0000000015" type="traffic" subtype="forward" level="notice" vd="root" srcip=2.2.2.2 srcport=49649 srcintf="port1" dstip=1.1.1.1 clientip=2.2.2.2 dstport=443 dstintf="port1" sessionid=785873275 proto=6 action="start" policyid=1 service="HTTPS" trandisp="noop" url="https://training.fortinet.com/" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"


When a web-proxy URL-match rule is applied, FortiProxy modifies the destination IP of matched traffic to the configured forward server. This means that the original destination IP is replaced with the forward server's IP, which may impact firewall policy matching.

As a result, firewall policies must be re-evaluated to ensure that the new destination is allowed. If the firewall policy is only configured to allow traffic to the original destination, the forwarded traffic might be blocked.
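As an added illustration (not part of the article or of FortiProxy's own tooling), the following Python script parses trimmed copies of the two traffic logs above and checks, for each session, whether a url-match rule redirected it and whether the rewritten destination IP is still covered by the matched policy's destination addresses. It assumes the forward server "Fortinet" resolves to 1.1.1.1 (the dstip in the second log), models policy 1 with a hypothetical IP-based dstaddr of 5.5.5.5/32, and approximates the url-match wildcard type with shell-style fnmatch.

```python
import fnmatch
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample lines, trimmed from the two FortiProxy traffic logs on this page.
SAMPLE_LOGS = [
    'date=2025-02-18 time=14:12:19 type="traffic" subtype="forward" srcip=2.2.2.2 '
    'dstip=5.5.5.5 dstport=80 policyid=1 service="HTTP" url="http://fortinet.com/"',
    'date=2025-02-18 time=14:24:01 type="traffic" subtype="forward" srcip=2.2.2.2 '
    'dstip=1.1.1.1 dstport=443 policyid=1 service="HTTPS" url="https://training.fortinet.com/"',
]
# The url-match rule from the article; the forward server "Fortinet" is assumed
# (hypothetical) to resolve to 1.1.1.1, the dstip seen in the second log.
URL_MATCH_RULES = [{"name": "*.fortinet.com", "type": "wildcard",
                    "url_pattern": "*.fortinet.com", "forward_server_ip": "1.1.1.1"}]
# Hypothetical IP-based dstaddr for policy 1: only the original destination is allowed.
POLICY_DSTADDR = {1: ["5.5.5.5/32"]}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line):
    """Split a FortiProxy key=value log line into a dict (quoted values may hold spaces)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def matching_rule(host, rules):
    """First wildcard url-match rule whose pattern covers the host (fnmatch semantics)."""
    for rule in rules:
        if rule["type"] == "wildcard" and fnmatch.fnmatchcase(host, rule["url_pattern"]):
            return rule
    return None

def audit(line, rules=URL_MATCH_RULES, policy_dst=POLICY_DSTADDR):
    """Was the session redirected, and does the policy's dstaddr still cover the new dstip?"""
    fields = parse_log(line)
    host = urlparse(fields["url"]).hostname
    rule = matching_rule(host, rules)
    dst = ipaddress.ip_address(fields["dstip"])
    forwarded = rule is not None and dst == ipaddress.ip_address(rule["forward_server_ip"])
    nets = policy_dst.get(int(fields["policyid"]), [])
    allowed = any(dst in ipaddress.ip_network(net) for net in nets)
    return {"host": host, "rule": rule["name"] if rule else None,
            "forwarded": forwarded, "dst_allowed_by_policy": allowed}

def findings(lines):
    """Hosts redirected by url-match whose forward-server IP the policy does not allow."""
    return [r["host"] for r in map(audit, lines)
            if r["forwarded"] and not r["dst_allowed_by_policy"]]
```

Running `findings(SAMPLE_LOGS)` flags training.fortinet.com: its session was rewritten to the forward server, which the IP-only policy does not cover, which is exactly the re-evaluation the article calls for.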