Login
- Table of Contents
-
- 04-Policies
- 01-Security policy
- 02-Security policy redundancy analysis
- 03-Security policy hit analysis
- 04-Security policy optimization
- 05-Policy-based NAT
- 06-Interface NAT
- 07-AFT
- 08-QoS
- 09-Bandwidth management
- 10-Application audit
- 11-Application proxy
- 12-IP reputation
- 13-Domain reputation
- 14-Blacklist
- 15-Connection limit
- 16-Server connection detection
- 17-Access rate limit
- 18-DLP
- 19-Server load balancing
- 20-Outbound link load balancing
- 21-Inbound link load balancing
- 22-Transparent DNS proxy
- 23-NetShare control
- 24-Zero trust policy
- 25-Trusted application proxies
- 26-Trusted API proxies
- 27-NAT66
- 28-uRPF
- 29-Load balancing common configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 11-Application proxy | 125.88 KB |
Application proxy
This help contains the following topics:
¡ Filtering criteria in a proxy policy
¡ Matching order of proxy policies
¡ Protection services of the SSL decryption
¡ Import SSL decryption certificate
¡ Import internal server certificates
Introduction
The device supports TCP proxy and SSL proxy functions. You can configure a proxy policy and set the policy action to TCP-proxy or SSL-decryption.
· For traffic matching a proxy policy with the action set to TCP-proxy, the device acts as the TCP proxy and provides TCP-layer isolation for network traffic.
· For traffic matching a proxy policy with the action set to SSL-decryption, the device acts as an SSL proxy to decrypt the SSL traffic and implement deep packet inspection on the traffic.
Filtering criteria in a proxy policy
You can configure the following types of criteria to filter the traffic to which a proxy policy applies:
· Source security zone.
· Destination security zone.
· Source IP address.
· Destinations IP address.
· User.
· Service.
Each filtering criteria type can contain multiple filtering criteria. A packet matches a filtering criteria type if it matches a filtering criterion of the type.
A packet must match all the filtering criteria types in a proxy policy for the policy to apply.
Matching order of proxy policies
The device supports multiple proxy policies.
A packet is matched against the proxy policies in the order they are configured. The match process stops once a matching policy is found.
The more refined the filtering criteria are, the smaller the application range of the proxy policy. Configure the proxy policies in ascending order of their application ranges as a best practice.
Proxy policy actions
The device supports the following actions for traffic matching a proxy policy:
· TCP-proxy—The device acts as a TCP proxy and provides TCP-layer isolation for traffic between the TCP client and TCP server.
· SSL-decryption—The device acts as an SSL proxy to decrypt the SSL traffic and implement deep packet inspection on the traffic.
· No-proxy—The device transmits the traffic transparently.
Whitelist
To disable the proxy function for connections destined for certain servers, add the hostnames of the servers to the whitelist. Connections destined for servers on the whitelist are transmitted transparently.
The device provides a predefined whitelist and allows you to customize the user-defined whitelist.
Predefined whitelist
The predefined whitelist contains the following types of predefined whitelist entries:
· Chrome-HSTS whitelist entries—Hostnames of servers that are accessible through only HTTPS by the Google Chrome browser.
· Non-Chrome-HSTS whitelist entries.
You can enable or disable entries on the predefined whitelist as needed.
User-defined whitelist
For destination servers of connections that need to be transmitted transparently, manually add their hostnames to the user-defined whitelist.
If the DNS Name or Common Name value in a server certificate contains a hostname on the SSL hostname whitelist, the device does not proxy the SSL connections destined for the server.
Protection services of the SSL decryption
The SSL decryption supports the following protection services:
· Internal client protection—Collaborating with deep packet inspection, the device decrypts the packets and performs deep packet inspection on the decrypted packets. It protects the internal clients from being attacked by external malicious websites. In this scenario, the device requires imported SSL decryption certificates to establish SSL connections with the clients.
· Internal server protection—Collaborating with deep packet inspection, the device decrypts the packets and performs deep packet inspection on the packets. It protects the internal servers from being attacked by external malicious websites. In this scenario, the device requires imported internal server certificates to establish SSL connections with the clients.
Select a protection service of the SSL decryption as required and import the corresponding certificates to the device for SSL connection establishment with the clients.
SSL certificates
The SSL certificate types vary by protection service.
SSL decryption certificates
The SSL decryption certificates are required in the scenario of protecting internal clients. When the device acts as an SSL proxy to complete SSL handshakes with the client and server, it must send a certificate to the client to identify itself. The device uses the SSL decryption certificate to issue a new server certificate based on the certificate content of the real server and sends the new certificate to the client.
The device supports a trusted SSL decryption certificate and an untrusted SSL decryption certificate, both of which are CA certificates that must be manually imported to the device. When importing an SSL decryption certificate, you can mark the certificate as Trusted or Untrusted.
When functioning as a proxy client to complete the SSL handshake with the real SSL server, the device uses the CA certificate of the PKI domain to verify if the server certificate is issued by a trusted CA.
· If the server certificate is issued by a trusted CA, the device uses the trusted SSL decryption certificate to issue a new certificate and sends the certificate to the client. A server certificate issued by the trusted SSL decryption certificate is trusted by the client.
· If the server certificate is issued by an untrusted CA, the device uses the untrusted SSL decryption certificate to issue a new certificate and sends the certificate to the client. A security alarm will be generated on the client and users must clear the alarm to continue the access.
For more information about PKI domains, see PKI domain online help.
Internal server certificates
The internal server certificates are required in the scenario of protecting internal servers. With an internal server certificate imported, the device will decrypt the certificate and generate a CER file and a key file. The CER file is used to identify the server and the key file is used to encrypt and decrypt the packets in the subsequent SSL proxy process. The device will calculate the MD5 value of the CER file and use the MD5 value as the unique identifier of the file.
The SSL proxy process is as follows:
1. The device receives an internal server certificate and calculates the MD5 value of the certificate.
2. The device compares the calculated MD5 value with the MD5 value of the imported internal server certificate:
¡ If they are the same, the certificate is trusted and the device will use the certificate to establish an SSL connection with the client.
¡ If they are different, the certificate is untrusted.
You can import multiple internal server certificates. If two certificates have the same MD5 value, the new certificate will overwrite the old certificate.
Restrictions and guidelines
The TCP proxy and SSL proxy functions can degrade the forwarding performance of the device. When configuring a proxy policy, redefine the filtering criteria to restrict the application of the policy to only necessary traffic.
For HTTPS websites to be accessed correctly, you must install and trust the SSL decryption certificate in the client's browsers.
Firefox uses its own CA store by default. To use Firefox for SSL connections, import the SSL decryption certificate for Firefox or configure Firefox to use the system CA store if you have imported the certificate for another browser. To configure Firefox to use the system CA store, enter about:config in the address bar of Firefox, search for security.enterprise_roots.enabled, double-click or right-click the item, and set the boolean value to true.
After the SSL proxy function is enabled, the packet capture action of the intrusion prevention system will be invalid.
In an asymmetric path environment where a packet and the return packet use different paths, TCP proxy and SSL proxy functions will fail.
Configure application proxy
Configure a proxy policy
1. Click the Policies tab.
2. In the navigation pane, select Application Proxy > Proxy Policy.
3. Click Create.
4. Create a proxy policy.
Table 1 Proxy policy configuration items
|
Item |
Description |
|
Policy name |
Enter a name for the proxy policy. |
|
Src security zones |
Specify the source security zones to which the policy applies. |
|
Dst security zones |
Specify the destination security zones to which the policy applies. |
|
Source addresses |
Specify the source IP addresses to which the policy applies. |
|
Destination addresses |
Specify the destination IP addresses to which the policy applies. |
|
User |
Specify the users to whom the policy applies. |
|
Services |
Specify the services to which the policy applies. |
|
Action |
Select the action to take on the matching traffic. Options are: · No-proxy—Transmits the traffic transparently. · TCP-proxy—Implements TCP proxy for the traffic. · SSL-decryption—Implements SSL proxy to decrypt the SSL traffic and implement deep packet inspection on the traffic. |
|
Protection service |
Select a protection service for the SSL decryption. Options are: · Internal client protection. · Internal server protection. This field is available after you select SSL decryption as the action on matching traffic. |
|
Enable policy |
Select Yes to enable the policy, or select No to disable the policy. |
5. Click OK.
Configure the whitelist
Create a user-defined whitelist entry
1. Click the Policies tab.
2. In the navigation pane, select Application Proxy.
3. Click the User-defined Whitelist tab.
4. Click Create.
5. Enter the hostname of a server and click OK.
Enable or disable predefined whitelist entries
1. Click the Policies tab.
2. In the navigation pane, select Application Proxy.
3. Click the Predefined Whitelist tab.
4. To enable a Chrome-HSTS whitelist entry:
a. Click Turn on Chrome-HSTS whitelist switch.
b. Select the Enable option for the Chrome-HSTS whitelist entry you want to enable.
5. To enable a non-Chrome-HSTS whitelist entry, select the Enable option for the entry.
6. To disable all Chrome-HSTS whitelist entries, click Turn off Chrome-HSTS whitelist switch.
7. Click Submit to activate the configuration.
Import SSL decryption certificate
1. Click the Policies tab.
2. In the navigation pane, select Application Proxy.
3. Click the SSL Decryption Certificates tab.
4. Click Import.
5. Configure the items for importing an SSL decryption certificate.
Table 2 Configuration items for importing an SSL decryption certificate
|
Item |
Description |
|
Certificate file |
Click Select file to select a certificate file. |
|
Password |
Enter the password for the SSL decryption certificate. |
|
Certificate type |
Select Trusted or Untrusted. |
6. Click OK.
Import internal server certificates
1. Click the Policies tab.
2. In the navigation pane, select Application Proxy.
3. Click the Internal Server Certificates tab.
4. Click Import.
5. Configure the items for importing an internal server certificate.
Table 3 Configuration items for importing an internal server certificate
|
Item |
Description |
|
Certificate file |
Click Select file to select a certificate file. |
|
Password |
Enter the password for the internal server certificate. |
6. Click OK.
