Contents

Related Topics

Use Certificates with HTTPS Proxy Content Inspection

Many websites use both the HTTP and HTTPS protocols to send information to users. While HTTP traffic can be examined easily, HTTPS traffic is encrypted. To examine HTTPS traffic requested by a user on your network, you must configure your Firebox to decrypt the information and then encrypt it with a certificate signed by a CA that each network client trusts.

For more detailed information about content inspection for the HTTPS Proxy, see HTTPS-Proxy: Content Inspection.

HTTPS Proxy Certificates

When your Firebox scans an HTTPS connection, the HTTPS Proxy intercepts the HTTPS request and initiates its own connection to the destination HTTPS server on the client's behalf. After the Firebox receives a reply and a copy of the remote server certificate from the destination HTTPS server, the Firebox presents its own resigning certificate to the originating client. The CN, SAN, and other values are maintained for identity validation. The resigning certificate can be either the Default Proxy Authority Certificate or an imported CA Certificate.

Default Proxy Authority Certificate

You can use the default self-signed Proxy Authority CA certificate on the Firebox for use with the HTTPS Proxy content inspection features. Your device re-encrypts the content it has inspected with this Proxy Authority self-signed certificate. When you use this default certificate, end users without a copy of this certificate see a warning in their web browser when they connect to a secure website with HTTPS. To avoid these warnings, you can export the Proxy Authority certificate from the Firebox and import the certificate on your client devices.

For information on how to export the default Proxy Authority CA certificate from your device, see Export a Certificate from Your Firebox.

For information on how to import this certificate on your client devices, see Import a Certificate on a Client Device.

A client can also download and install the root CA certificate that signed the Proxy Authority certificate from the Certificate Portal on the Firebox at http://<Firebox IP address>:4126/certportal. For more information, see Certificate Portal.

CA Certificate

If your organization already has a PKI (Public Key Infrastructure) set up with a trusted CA, you can import a certificate that is signed by your organization's internal CA to your Firebox. If the CA certificate is not automatically trusted, you must import each previous certificate in the chain of trust for this feature to operate correctly.

Public CA providers will not provide a CA certificate with permission to sign other certificates. As a result, if you attempt to use a certificate signed by a public third-party CA, your users receive a certificate warning in their browsers. We recommend that you use a certificate signed by your own internal CA.

For example, if your organization uses Microsoft Active Directory Certificate services, you can:

You must create a CA certificate that can re-sign other certificates. If you create a CSR with Firebox System Manager and have it signed by a prominent CA, it cannot be used as a CA certificate. If the remote website uses an expired certificate, or if that certificate is signed by a CA (Certificate Authority) that your device does not recognize, the device re-signs the content as Fireware HTTPS Proxy: Unrecognized Certificate or simply Invalid Certificate.

Examine Content from External HTTPS Servers

Before you enable this feature, we recommend that you provide the certificate(s) used to sign HTTPS traffic to all of the clients on your network. You can attach the certificates to an email with instructions, or use network management software to install the certificates automatically. Also, we recommend that you test the HTTPS Proxy with a small number of users to make sure that it operates correctly before you apply the HTTPS Proxy to traffic on a large network.

For more detailed information on how to import certificates to clients, see Import a Certificate on a Client Device.

If you have other traffic that uses the HTTPS port, such as SSL VPN traffic, we recommend that you evaluate the content inspection feature carefully. To make sure that other traffic sources operate correctly, we recommend that you add domain name rules with the Allow action to bypass inspection for those IP addresses.
For more information, see HTTPS-Proxy: Domain Name Rules.

To add a proxy policy to examine content from external HTTPS servers, from Policy Manager:Closed
  1. Click the Add Policy icon.
    Or, select Edit > Add Policy.
    The Add Policy dialog box appears.
  2. Select the HTTPS-proxy. Click Add Policy.
    The New Policy Properties dialog box appears, with the Policy tab selected.
  3. Adjacent to the Proxy action drop-down list, click View/Edit Proxy button.
    The HTTPS Proxy Action Configuration dialog box appears, with the Content Inspection category selected.
  4. In the Content Inspection Summary section, click Edit.
  5. Select the Enable Content Inspection check box.
  6. Select the options for OCSP certificate validation.
  7. Click OK to close the Content Inspection Settings dialog box.
  8. Configure domain name rules with the Inspect action and select the HTTP proxy action to use for inspection.
    For more information, see HTTPS-Proxy: Domain Name Rules.
  9. Click OK to close the HTTPS Proxy Action Configuration dialog box.
    The Clone Predefined or DVCP-created Object dialog box appears.
  10. In the Name text box, type a name for the proxy action.
    For example, type HTTPS-Client-Inspect.
  11. Click OK.
  12. Click OK to close the New Policy Properties dialog box.
  13. In the Add Policy dialog box, click Close.
To add a proxy policy to examine content from external HTTPS servers, from Fireware Web UI:Closed
  1. Select Firewall > Firewall Policies.
    The Firewall Policies page appears.
  2. Click Add Policy.
    The Add Firewall Policy page appears.
  3. Select the Proxies policy type.
  4. From the Proxies drop-down list, select HTTPS-proxy and the HTTPS-Client.Standard proxy action.
  5. Click Add Policy.
    The Add page appears for the HTTPS-proxy.
  6. Select the Proxy Action tab.
  7. From the Proxy Action drop-down list, select Clone the current proxy action.
  8. In the Name text box, type a name for this proxy action.
    For example, type HTTPS-Client-Inspect.
  9. In the Content Inspection Summary section, click Edit.
  10. Select the Enable Content Inspection check box.
  11. Select the options for OCSP certificate validation.
  12. Click OK.
  13. Configure domain name rules with the Inspect action and select the HTTP proxy action to use for inspection.
    For more information, see HTTPS-Proxy: Domain Name Rules.
  14. Click Save.

When you enable content inspection and select the Inspect action in the HTTPS proxy action, you select an HTTP proxy action to use for inspection. You can select the Inspect action in domain name rules and you can enable inspection of allowed WebBlocker categories in the HTTPS proxy action.

For more information about WebBlocker configuration in the HTTPS proxy, see HTTPS-Proxy: WebBlocker.

Protect a Private HTTPS Server

To provide a better end-user experience, the HTTPS proxy does not do certificate validation for inbound requests to a private HTTPS server on your network. Client browsers see the Proxy Server certificate after content inspection is performed.

For additional security, we recommend you import the CA certificate used to sign the HTTPS server certificate, and then import the HTTPS server certificate with its associated private key. If the CA certificate used to sign the HTTPS server certificate is not automatically trusted itself, you must import each trusted certificate in sequence for this feature to operate correctly. After you have imported all of the certificates, configure the HTTPS Proxy.

To add a policy to inspect requests to a private HTTPS server, from Policy Manager:Closed
  1. Click the Add Policy icon.
    Or, select Edit > Add Policy.
    The Add Policies dialog box appears.
  2. Select HTTPS-proxy. Click Add Policy.
    The New Policy Properties dialog box appears with the Policy tab selected.
  3. From the Proxy action drop-down list, select HTTPS-Server.Standard.
  4. Adjacent to the Proxy action drop-down list, click View/Edit Proxy button.
    The HTTPS Proxy Action Configuration dialog box appears, with the Content Inspection category selected.
  5. In the Content Inspection Summary section, click Edit.
  6. Select the Enable Content Inspection check box.
  7. Click OK to close the Content Inspection Settings dialog box.
  8. Configure domain name rules with the Inspect action and select the HTTP proxy action to use for inspection.
    For more information, see HTTPS-Proxy: Domain Name Rules.
  9. Click OK to close the HTTPS Proxy Action Configuration dialog box.
    The Clone Predefined or DVCP-created Object dialog box appears.
  10. In the Name text box, type a name for the proxy action.
    For example, type HTTPS-Server-Inspect.
  11. Click OK.
  12. Click OK to close the New Policy Properties dialog box.
  13. In the Add Policy dialog box, click Close.
To add a policy to inspect requests to a private HTTPS server, from Fireware Web UI:Closed
  1. Select Firewall > Firewall Policies.
    The Firewall Policies page appears.
  2. Click Add Policy.
    The Add Firewall Policy page appears.
  3. Select the Proxies policy type.
  4. From the Proxies drop-down list, select HTTPS-proxy and the HTTPS-Server.Standard proxy action.
  5. Click Add Policy.
    The Add page appears for the HTTPS-proxy.
  6. Select the Proxy Action tab.
  7. From the Proxy Action drop-down list, select Clone the current proxy action.
  8. In the Name text box, type a name for this proxy action.
    For example, type HTTPS-Server-Inspect.
  9. In the Content Inspection Summary section, click Edit.
  10. Select the Enable Content Inspection check box.
  11. Click OK.
  12. Configure domain name rules with the Inspect action and select the HTTP proxy action to use for inspection.
    For more information, see HTTPS-Proxy: Domain Name Rules.
  13. Click Save.

Troubleshoot Problems with HTTPS Content Inspection

Your device creates traffic log messages when there is a problem with a certificate used for HTTPS content inspection. We recommend that you check these log messages for more information.

If connections to remote web servers are often interrupted, make sure you have imported all of the certificates necessary to trust the CA certificate used to re-encrypt the HTTPS content, as well as the certificates necessary to trust the certificate from the original web server. You must import all of these certificates on your device and each client device for connections to be successful.

See Also

About Certificates

About the HTTPS-Proxy

Manage Device Certificates (WSM)

Manage Device Certificates (Web UI)

Give Us Feedback     Get Support     All Product Documentation     Technical Search

© 2018 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, WatchGuard Dimension, Firebox, Core, Fireware, and LiveSecurity are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.