Application proxy
This help contains the following topics:
· Filtering criteria in a proxy policy
· Matching order of proxy policies
· Import SSL decryption certificate
Introduction
The device supports TCP proxy and SSL proxy functions. You can configure a proxy policy and set the policy action to TCP-proxy or SSL-decryption.
· For traffic matching a proxy policy with the action set to TCP-proxy, the device acts as the TCP proxy and provides TCP-layer isolation for network traffic.
· For traffic matching a proxy policy with the action set to SSL-decryption, the device acts as an SSL proxy to decrypt the SSL traffic and implement deep packet inspection on the traffic.
Filtering criteria in a proxy policy
You can configure the following types of criteria to filter the traffic to which a proxy policy applies:
· Source security zone.
· Destination security zone.
· Source IP address.
· Destination IP address.
· User.
· Service.
Each filtering criteria type can contain multiple filtering criteria. A packet matches a filtering criteria type if it matches any one criterion of that type.
A packet must match all the filtering criteria types in a proxy policy for the policy to apply.
Matching order of proxy policies
The device supports multiple proxy policies.
A packet is matched against the proxy policies in the order they are configured. The match process stops once a matching policy is found.
The more refined the filtering criteria are, the smaller the application range of the proxy policy. Configure the proxy policies in ascending order of their application ranges as a best practice.
Proxy policy actions
The device supports the following actions for traffic matching a proxy policy:
· TCP-proxy—The device acts as a TCP proxy and provides TCP-layer isolation for traffic between the TCP client and TCP server.
· SSL-decryption—The device acts as an SSL proxy to decrypt the SSL traffic and implement deep packet inspection on the traffic.
· No-proxy—The device transmits the traffic transparently.
Whitelist
To disable the proxy function for connections destined for certain servers, add the hostnames of the servers to the whitelist. Connections destined for servers on the whitelist are transmitted transparently.
The device provides a predefined whitelist and allows you to customize the user-defined whitelist.
Predefined whitelist
The predefined whitelist contains the following types of predefined whitelist entries:
· Chrome-HSTS whitelist entries—Hostnames of servers that the Google Chrome browser accesses only through HTTPS.
· Non-Chrome-HSTS whitelist entries.
You can enable or disable entries on the predefined whitelist as needed.
User-defined whitelist
For destination servers of connections that need to be transmitted transparently, manually add their hostnames to the user-defined whitelist.
If the DNS Name or Common Name value in a server certificate contains a hostname on the SSL hostname whitelist, the device does not proxy the SSL connections destined for the server.
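The matching rules above (any criterion within a type, all types across a policy, first configured match wins) and the whitelist bypass on the server certificate's DNS Name or Common Name can be modelled in a few lines. The following is an added example, not code from the device or its vendor; the class names, the sample policies, the whitelist entry and the flows are all constructed for illustration, and the model applies the whitelist check only to SSL-decryption because the certificate names are only available once an SSL handshake takes place. It also records which SSL decryption certificate (trusted or untrusted) would issue the re-signed server certificate, following the rule in the next section.

```python
"""Model of proxy-policy evaluation as described in the Application proxy help.

Added example; not the vendor's own code. Names, sample policies and flows
are constructed for this illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

NO_PROXY, TCP_PROXY, SSL_DECRYPTION = "No-proxy", "TCP-proxy", "SSL-decryption"


@dataclass
class Flow:
    """Attributes of a connection that the filtering criteria are matched against."""
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    user: str
    service: str


@dataclass
class ProxyPolicy:
    """One proxy policy. Each criteria type is a set; an empty set means 'any'."""
    name: str
    action: str
    enabled: bool = True
    src_zones: set = field(default_factory=set)
    dst_zones: set = field(default_factory=set)
    src_addrs: set = field(default_factory=set)   # CIDR strings
    dst_addrs: set = field(default_factory=set)   # CIDR strings
    users: set = field(default_factory=set)
    services: set = field(default_factory=set)

    def matches(self, flow: Flow) -> bool:
        """A type matches if ANY of its criteria match; ALL types must match."""
        def any_or_empty(values, ok):
            return not values or any(ok(v) for v in values)

        return self.enabled and all([
            any_or_empty(self.src_zones, lambda z: z == flow.src_zone),
            any_or_empty(self.dst_zones, lambda z: z == flow.dst_zone),
            any_or_empty(self.src_addrs, lambda n: ip_address(flow.src_ip) in ip_network(n)),
            any_or_empty(self.dst_addrs, lambda n: ip_address(flow.dst_ip) in ip_network(n)),
            any_or_empty(self.users, lambda u: u == flow.user),
            any_or_empty(self.services, lambda s: s == flow.service),
        ])


def first_match(policies, flow) -> Optional[ProxyPolicy]:
    """Policies are checked in configured order; the first match wins."""
    return next((p for p in policies if p.matches(flow)), None)


def whitelisted(cert_names, whitelist) -> bool:
    """True if the CN or any DNS Name of the server certificate contains a whitelisted hostname."""
    return any(host in name for name in cert_names for host in whitelist)


def decide(policies, whitelist, flow, cert_names=(), server_cert_trusted=True):
    """Return (action, issuing_ca) for a flow.

    issuing_ca names the SSL decryption certificate that would sign the
    re-issued server certificate ('trusted' or 'untrusted'), or None when
    the flow is not SSL-decrypted."""
    policy = first_match(policies, flow)
    if policy is None or policy.action == NO_PROXY:
        return NO_PROXY, None
    if policy.action == SSL_DECRYPTION and whitelisted(cert_names, whitelist):
        return NO_PROXY, None   # whitelisted server: transmitted transparently
    if policy.action == SSL_DECRYPTION:
        return SSL_DECRYPTION, "trusted" if server_cert_trusted else "untrusted"
    return TCP_PROXY, None


# Constructed sample configuration, ordered from most to least specific
# (the best practice the help recommends).
POLICIES = [
    ProxyPolicy("finance-https", SSL_DECRYPTION, src_zones={"Trust"}, dst_zones={"Untrust"},
                src_addrs={"10.1.20.0/24"}, services={"https"}),
    ProxyPolicy("lan-tcp", TCP_PROXY, src_zones={"Trust"}, dst_zones={"Untrust"}),
    ProxyPolicy("catch-all", NO_PROXY),
]
WHITELIST = {"update.example-bank.test"}   # constructed user-defined whitelist entry

if __name__ == "__main__":
    f = Flow("Trust", "Untrust", "10.1.20.7", "203.0.113.10", "alice", "https")
    print(decide(POLICIES, WHITELIST, f, ("www.example-bank.test",)))
    print(decide(POLICIES, WHITELIST, f, ("update.example-bank.test",)))
```

Because the first match wins, swapping `lan-tcp` ahead of `finance-https` in `POLICIES` would silently stop SSL decryption for the finance subnet; that is the ordering mistake the best-practice note about ascending application ranges is meant to prevent.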
SSL decryption certificates
When the device acts as an SSL proxy to complete SSL handshakes with the client and server, it must send a certificate to the client to identify itself. The device uses the SSL decryption certificate to issue a new server certificate based on the certificate content of the real server and sends the new certificate to the client.
The device supports a trusted SSL decryption certificate and an untrusted SSL decryption certificate, both of which are CA certificates that must be manually imported to the device. When importing an SSL decryption certificate, you can mark the certificate as Trusted or Untrusted.
When functioning as a proxy client to complete the SSL handshake with the real SSL server, the device uses the CA certificate of the PKI domain to verify if the server certificate is issued by a trusted CA.
· If the server certificate is issued by a trusted CA, the device uses the trusted SSL decryption certificate to issue a new certificate and sends the certificate to the client. A server certificate issued by the trusted SSL decryption certificate is trusted by the client.
· If the server certificate is issued by an untrusted CA, the device uses the untrusted SSL decryption certificate to issue a new certificate and sends the certificate to the client. A security alarm is generated on the client, and users must dismiss the alarm to continue the access.
For more information about PKI domains, see PKI domain online help.
Restrictions and guidelines
The TCP proxy and SSL proxy functions can degrade the forwarding performance of the device. When configuring a proxy policy, refine the filtering criteria to restrict the application of the policy to only the necessary traffic.
For HTTPS websites to be accessed correctly, you must install and trust the SSL decryption certificate in the client's browsers.
Firefox uses its own CA store by default. To use Firefox for SSL connections, import the SSL decryption certificate for Firefox or configure Firefox to use the system CA store if you have imported the certificate for another browser. To configure Firefox to use the system CA store, enter about:config in the address bar of Firefox, search for security.enterprise_roots.enabled, double-click or right-click the item, and set the boolean value to true.
After the SSL proxy function is enabled, the packet capture action of the intrusion prevention system does not take effect.
Configure application proxy
Configure a proxy policy
1. Click the Policies tab.
2. In the navigation pane, select Application Proxy > Proxy Policy.
3. Click Create.
4. Create a proxy policy.
Table 1 Proxy policy configuration items
Item | Description
---|---
Policy name | Enter a name for the proxy policy.
Src security zones | Specify the source security zones to which the policy applies.
Dst security zones | Specify the destination security zones to which the policy applies.
Source addresses | Specify the source IPv4 addresses to which the policy applies.
Destination addresses | Specify the destination IPv4 addresses to which the policy applies.
User | Specify the users to whom the policy applies.
Services | Specify the services to which the policy applies.
Action | Select the action to take on the matching traffic. Options are: No-proxy (transmits the traffic transparently); TCP-proxy (implements TCP proxy for the traffic); SSL-decryption (implements SSL proxy to decrypt the SSL traffic and perform deep packet inspection on it).
Enable policy | Select Yes to enable the policy, or select No to disable the policy.
5. Click OK.
Configure the whitelist
Create a user-defined whitelist entry
1. Click the Policies tab.
2. In the navigation pane, select Application Proxy > Whitelist.
3. Click Create.
4. Enter the hostname of a server and click OK.
Enable or disable predefined whitelist entries
1. Click the Policies tab.
2. In the navigation pane, select Application Proxy > Whitelist.
3. Click Predefined Whitelist.
4. To enable a Chrome-HSTS whitelist entry:
a. Click Turn on Chrome-HSTS whitelist switch.
b. Select the Enable option for the Chrome-HSTS whitelist entry you want to enable.
5. To enable a non-Chrome-HSTS whitelist entry, select the Enable option for the entry.
6. To disable all Chrome-HSTS whitelist entries, click Turn off Chrome-HSTS whitelist switch.
7. Click Submit to activate the configuration.
Import SSL decryption certificate
1. Click the Policies tab.
2. In the navigation pane, select Application Proxy > SSL Decryption Certificate.
3. Click Import.
4. Configure the items for importing an SSL decryption certificate.
Table 2 Configuration items for importing an SSL decryption certificate
Item | Description
---|---
Certificate file | Click Select file to select the certificate file.
Password | Enter the password for the SSL decryption certificate.
Certificate type | Select Trusted or Untrusted.
5. Click OK.