Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
scheuri
Contributor

Created on ‎05-03-2024 02:34 AM Edited on ‎05-03-2024 02:34 AM

Explicit Proxy on FGT - what does "Default Firewall Policy Action" do?

Hi all

 

I can't wrap my head around this features. I might be misunderstanding everything.

 

In the Explicit Proxy feature of the Fortigate there is a parameter called "Default Firewall Policy Action" which can be set to "Accept" or "Deny".

However, I don't understand what a) it actually does, b) what it does when its on accept or on deny and c) what is being influenced by this setting.

 

Does anyone have any insights for me?

 

Side note:
In the official documentation (https://docs.fortinet.com/document/fortigate/6.4.0/best-practices/997260/explicit-proxy) it says that "Set the explicit web proxy and explicit FTP proxy Default Firewall Policy Action to Deny. This means that a firewall policy is required to use these explicit proxies, allowing you to control access and impose security features".

  • I don't understand how the (regular) firewall policy is affected by this setting. How does the regular firewall policy "know" that it needs to send the traffic to the explicit proxy if it gets hit? And why does a regular firewall policy come into play anyhow when a browser is set to use the explicit proxy with its proxy policies? Does that setting come into play "after" the explicit proxy feature is being hit/used?
  • Or is it the other way around? If I set it to "deny", would I additionally need (regular) firewall policies for sources to access the (ip of the) explicit proxy feature? If I had it on "accept", it is implied everyone can access the explicit proxy feature?

Thanks a lot for your help

Labels:
852
0 Kudos
1 Solution
hbac
Staff
Staff

Created on ‎05-03-2024 09:08 AM

Hi @scheuri,

 

A small correction to this. If you set Default Firewall Policy Action to Deny, The implicit Proxy Policy will be 'Deny'. If you set Default Firewall Policy Action to Accept, The implicit Proxy Policy will be 'Accept'. Below is an example of Default Firewall Policy Action set to Accept under 'Explicit Web Proxy'. 

 

proxy.PNG

 

Regards, 

View solution in original post

812
2 REPLIES 2
hbac
Staff
Staff

Created on ‎05-03-2024 09:08 AM

Hi @scheuri,

 

A small correction to this. If you set Default Firewall Policy Action to Deny, The implicit Proxy Policy will be 'Deny'. If you set Default Firewall Policy Action to Accept, The implicit Proxy Policy will be 'Accept'. Below is an example of Default Firewall Policy Action set to Accept under 'Explicit Web Proxy'. 

 

proxy.PNG

 

Regards, 

813
scheuri
Contributor
In response to hbac

Created on ‎05-05-2024 11:48 PM

Thank you very much for your reply and your explanation.

That makes (partial) sense - unfortunately the name "implicit deny" in the proxy policies confused me.

It isn't an implicit deny after all - as you can switch its behaviour to a implicit accept with the aforementioned parameter.

 

Thanks again for your explanation - much appreciated

753
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.