Web protection - enforce proxy standard mode

Hi,

Is it possible to restrict a firewall rule or web protection profile to proxy standard mode and deactivate transparent mode for this rule?

  • I cannot quite follow your request. Are you talking about the proxy mode as on the UTM?

    So you want to allow only port 8080 to communicate with the proxy, and all other ports (like 443 and 80) should be blocked?


  • Yes, similar to the functionality in the UTM. In SFOS, the proxy default port is 3128. I would like the clients to communicate only through this port and not directly. I hope it's a little more understandable now.

    With best regards,

    Steppenwolf

  • Should be possible in V17.5 and V18.

    Simply create a firewall rule for your users with port 3128. Do not create a firewall rule for ports 80/443 (or create a block rule below it for 443/80).

    If no rule is in place, XG will simply block the port 443 and 80 traffic.


  • I'll give it a try.

    With best regards,

    Steppenwolf

  • You may already have discovered this, but it is actually not possible to allow access via direct proxy without also allowing access transparently, unless someone knows something that I've missed.

    If you create a firewall rule that only allows the configured proxy port as a destination service, the client devices are able to connect to the proxy, but the proxy is blocked from creating the outbound connections on behalf of the client device.

    In order to allow the proxy to make the upstream connections, there must also be firewall rules allowing the original client devices to connect directly to the web ports on the WAN.

    Obviously, this means that any application on the client device that doesn't respect direct proxy settings will still be able to connect, and will still have its traffic inspected by the proxy. What's the use case for wanting to force only direct proxy access?

  • We must comply with requirements that prohibit a transparent/direct connection. So I can't switch from the UTM to the XG until then.

    With best regards,

    Steppenwolf

  • Hello Steppenwolf,

    You can prevent transparent access to the internet on 80/443. I'm not sure where the miscommunication has occurred, but if you only want proxied access to the internet you only need a firewall rule (LAN to WAN) with the proxy port found under Web Protection > General Settings. The default is 3128, but I like to change it to 8080. The allowed destination services are also enabled in the same place as the port. I have several deployments where this is being done. So to summarise:

    • Source Zone: LAN
    • Destination Zone: WAN
    • Service: Proxy port service definition
    • Enable a Web Policy of choice
    • Enable MASQ

    By doing this, the XG will allow access to the internet if you proxy via it but will not allow general access to the internet via 80/443 transparently.

    I have selected the appropriate answer in this thread.

    Emile
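Added example, not part of the thread and not Sophos tooling: a Python probe to run from a client in the LAN zone after building the rule Emile describes, to confirm that direct 80/443 connections are dropped while access through the explicit proxy port still works. The firewall address 192.0.2.1 and the example.com targets are constructed placeholders; change PROXY_PORT if you moved the proxy off the 3128 default as Emile does.

```python
import socket
import urllib.error
import urllib.request

# Assumptions (constructed for this example, not taken from the thread):
# the XG's LAN-side address, and the explicit proxy port configured under
# Web Protection > General Settings (3128 is the SFOS default per the thread).
PROXY_HOST = "192.0.2.1"
PROXY_PORT = 3128
TIMEOUT = 5
# Public web endpoints to probe; any host answering on 80 and 443 will do.
TARGETS = [("example.com", 80), ("example.com", 443)]
TEST_URL = "http://example.com/"


def tcp_connect(host, port, timeout=TIMEOUT):
    """True if a direct TCP handshake to host:port completes from this client.

    With only the proxy-port rule in place the firewall should drop these
    packets, so the connect should time out or be refused.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_via_proxy(url, proxy_host=PROXY_HOST, proxy_port=PROXY_PORT, timeout=TIMEOUT):
    """Fetch url through the explicit proxy; return the HTTP status, or None.

    None means the client could not even reach the proxy port. A 4xx/5xx
    means the proxy answered (a web-policy block or an upstream failure),
    which still shows the proxy path is the one in use.
    """
    proxy = f"http://{proxy_host}:{proxy_port}"
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy})
    )
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def classify(direct_results, proxy_status):
    """Turn probe results into a verdict plus the list of leaking targets.

    direct_results: {(host, port): bool} from tcp_connect
    proxy_status:   int HTTP status from fetch_via_proxy, or None
    """
    leaks = sorted(hp for hp, reachable in direct_results.items() if reachable)
    if proxy_status is None:
        return "proxy-unreachable", leaks
    if proxy_status in (502, 503, 504):
        # Heuristic: the proxy accepted the client but could not reach the
        # origin, the symptom described earlier in the thread when the proxy's
        # own upstream connections are not permitted by any rule.
        return "proxy-upstream-failed", leaks
    if leaks:
        # A direct 80/443 handshake still completes: a transparent web rule or
        # a plain allow rule is letting the traffic through.
        return "transparent-leak", leaks
    return "proxy-only", leaks


def run(targets=TARGETS, proxy_host=PROXY_HOST, proxy_port=PROXY_PORT):
    """Probe every target directly, then once via the proxy, and classify."""
    direct = {(h, p): tcp_connect(h, p) for h, p in targets}
    status = fetch_via_proxy(TEST_URL, proxy_host, proxy_port)
    return classify(direct, status), direct, status


if __name__ == "__main__":
    (verdict, leaks), direct, status = run()
    for (host, port), reachable in direct.items():
        print(f"direct {host}:{port}: {'REACHABLE' if reachable else 'blocked'}")
    print(f"via proxy {PROXY_HOST}:{PROXY_PORT}: status {status}")
    print(f"verdict: {verdict}" + (f" (leaks: {leaks})" if leaks else ""))
```

Run it from a machine in the LAN zone with no system-wide proxy configured, so the direct probes are genuinely direct. The expected verdict for the rule set above is "proxy-only"; "transparent-leak" means some rule still passes 80/443 from the client, and "proxy-upstream-failed" is flagged separately because a 502/503/504 from the proxy is the behaviour the earlier reply attributes to the proxy being unable to open its own upstream connections.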
