scheuri
Contributor

Explicit Proxy on FGT - what does "Default Firewall Policy Action" do?

Hi all

I can't wrap my head around this feature. I might be misunderstanding everything.

 

In the Explicit Proxy feature of the Fortigate there is a parameter called "Default Firewall Policy Action" which can be set to "Accept" or "Deny".

However, I don't understand what a) it actually does, b) what it does when it's on accept or on deny and c) what is being influenced by this setting.

Does anyone have any insights for me?

Side note:
In the official documentation (https://docs.fortinet.com/document/fortigate/6.4.0/best-practices/997260/explicit-proxy) it says that "Set the explicit web proxy and explicit FTP proxy Default Firewall Policy Action to Deny. This means that a firewall policy is required to use these explicit proxies, allowing you to control access and impose security features".

  • I don't understand how the (regular) firewall policy is affected by this setting. How does the regular firewall policy "know" that it needs to send the traffic to the explicit proxy if it gets hit? And why does a regular firewall policy come into play anyhow when a browser is set to use the explicit proxy with its proxy policies? Does that setting come into play "after" the explicit proxy feature is being hit/used?
  • Or is it the other way around? If I set it to "deny", would I additionally need (regular) firewall policies for sources to access the (ip of the) explicit proxy feature? If I had it on "accept", it is implied everyone can access the explicit proxy feature?

Thanks a lot for your help

1 Solution
hbac
Staff

Hi @scheuri,

A small correction to this. If you set Default Firewall Policy Action to Deny, the implicit Proxy Policy will be 'Deny'. If you set Default Firewall Policy Action to Accept, the implicit Proxy Policy will be 'Accept'. Below is an example of Default Firewall Policy Action set to Accept under 'Explicit Web Proxy'.

[Image: proxy.PNG]

Regards, 

scheuri

Thank you very much for your reply and your explanation.

That makes (partial) sense - unfortunately the name "implicit deny" in the proxy policies confused me.

It isn't an implicit deny after all - as you can switch its behaviour to an implicit accept with the aforementioned parameter.

 

Thanks again for your explanation - much appreciated
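
A configuration check for the setting discussed in this thread, added here as an example; it is not part of the original posts and not Fortinet tooling. It assumes the GUI option maps to the CLI key `sec-default-action` under `config web-proxy explicit` and `config ftp-proxy explicit`, that a key omitted from a backup means the default (`deny`, and `disable` for `status`), and it runs on a constructed sample backup.

```python
import re

# Sections whose implicit proxy policy follows sec-default-action (assumed CLI names).
PROXY_SECTIONS = ("web-proxy explicit", "ftp-proxy explicit")

# Constructed sample backup excerpt, not taken from a real device.
SAMPLE_CONFIG = """\
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
    set sec-default-action accept
end
config ftp-proxy explicit
    set status enable
end
"""

def audit_default_action(config_text):
    """Report the effective Default Firewall Policy Action per explicit proxy."""
    results = {}
    stack = []  # names of the nested 'config' blocks we are currently inside
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
            if len(stack) == 1 and stack[0] in PROXY_SECTIONS:
                # Assumed defaults when the backup omits the key.
                results[stack[0]] = {"status": "disable", "default_action": "deny"}
        elif line == "end" and stack:
            stack.pop()
        elif len(stack) == 1 and stack[0] in results:
            m = re.match(r"set (status|sec-default-action) (\S+)", line)
            if m:
                key = "status" if m.group(1) == "status" else "default_action"
                results[stack[0]][key] = m.group(2).strip('"')
    for r in results.values():
        if r["default_action"] == "accept" and r["status"] == "enable":
            r["finding"] = "implicit proxy policy is Accept: no proxy policy required"
        elif r["default_action"] == "accept":
            r["finding"] = "Accept is set, but this proxy is disabled"
        else:
            r["finding"] = "ok: implicit proxy policy is Deny"
    return results

if __name__ == "__main__":
    for section, r in audit_default_action(SAMPLE_CONFIG).items():
        print(f"{section}: {r['finding']}")
```
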
