About the HTTP-Proxy

Hyper Text Transfer Protocol (HTTP) is a request/response protocol between clients and servers. The HTTP client is usually a web browser. The HTTP server is a remote resource that stores HTML files, images, and other content. When the HTTP client starts a request, it establishes a TCP (Transmission Control Protocol) connection on Port 80. An HTTP server listens for requests on Port 80. When it receives the request from the client, the server replies with the requested file, an error message, or some other information.

The HTTP-proxy is a high-performance content filter. It examines Web traffic to identify suspicious content that can be a virus or other type of intrusion. It can also protect your HTTP server from attacks. WatchGuard recommends you use HTTP Proxy policies for any HTTP traffic between your network and external hosts.

With an HTTP-proxy filter, you can:

Adjust timeout and length limits of HTTP requests and responses to prevent poor network performance, as well as several attacks.
Customize the deny message that users see when they try to connect to a website blocked by the HTTP-proxy.
Filter web content MIME types.
Block specified path patterns and URLs.
Deny cookies from specified websites.

You can also use the HTTP-proxy with the WebBlocker security subscription. For more information, see About WebBlocker.

To enable your users to downloads Windows updates through the HTTP-proxy, you must change your HTTP-proxy settings. For more information, see Enable Windows Updates Through the HTTP-Proxy.

The TCP/UDP proxy is available for protocols on non-standard ports. When HTTP uses a port other than Port 80, the TCP/UDP proxy sends the traffic to the HTTP-proxy. For more information on the TCP/UDP proxy, see About the TCP-UDP-Proxy.

To add the HTTP-proxy to your Firebox configuration, see Add a Proxy Policy to Your Configuration.

Which Proxy Action To Use

When you configure a proxy policy, you must select a proxy action appropriate to the policy. For a proxy policy that allows connections from your internal clients to the internet, use the Client proxy action. For a proxy policy that allows connections to your internal servers from the internet, use the Server proxy action.

Predefined proxy actions with Standard appended to the proxy action name include recommended standard settings that reflect the latest Internet network traffic trends.

In Fireware v11.12 and higher, the Web Setup Wizard and WSM Quick Setup Wizard automatically adds an HTTP-proxy policy that uses the Default-HTTP-Client proxy action. The Default-HTTP-Client proxy action is based on the HTTP-Client.Standard proxy action and enables subscription services that were licensed in the feature key when the setup wizard was run. If you add a new HTTP-proxy policy, the Default-HTTP-Client proxy action could be a better choice than the HTTP-Client.Standard proxy action. For more information about the Default-HTTP-Client proxy action, see Setup Wizard Default Policies and Settings.

About Content Actions

In the HTTP proxy, you can select an HTTP content action instead of a proxy action. A content action enables the Firebox to route inbound HTTP requests to different internal web servers and use different HTTP server proxy actions based on the content of the HTTP host header. Use a content action instead of an HTTP server proxy action when you want to reduce the number of public IP addresses required for connections to public web servers behind the Firebox. For more information, see About Content Actions.

For an example of how to configure an HTTP proxy policy with an HTTP content action, see Example: HTTP Proxy with an HTTP Content Action.

Configure an HTTP Proxy Action

These sections describe the HTTP-Proxy action configuration tabs in Fireware Web UI.

Settings Tab

On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or denies traffic, create access rules for a policy, configure policy-based routing, enable bandwidth and time quotas, static NAT, or server load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional description of the policy. You can use the settings on this tab to set logging, notification, automatic blocking, and timeout preferences.

Connections are — Specify whether connections are Allowed, Denied, or Denied (send reset) and define who appears in the From and To list (on the Policy tab of the proxy definition). See Set Access Rules for a Policy.
Use policy-based routing — See Configure Policy-Based Routing.
You can also configure static NAT or configure server load balancing. See Configure Static NAT and Configure Server Load Balancing.
To define the logging settings for the policy, configure the settings in the Logging section.
For more information, see Set Logging and Notification Preferences.
If you set the Connections are drop-down list to Denied or Denied (send reset), you can block sites that try to use HTTP.
For more information, see Block Sites Temporarily with Policy Settings.
To change the idle timeout that is set by the Firebox or authentication server, see Set a Custom Idle Timeout.
To enable bandwidth and time quotas, see About Quotas.

Application Control Tab

If Application Control is enabled on your Firebox, you can set the action this proxy uses for Application Control.

Select the Application Control tab.
From the Application Control Action drop-down list, select an application control action to use for this policy, or create a new action.
(Optional) Edit the Application Control settings for the selected action.
Click Save.

For more information, see Enable Application Control in a Policy.

Traffic Management Tab

On the Traffic Management tab, you can select the Traffic Management action for the policy. You can also create a new Traffic Management action. For more information about Traffic Management actions, see Define a Traffic Management Action in v11.8.x and Lower and Add a Traffic Management Action to a Policy.

To apply a Traffic Management action in a policy:

Select the Traffic Management tab.
From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings as described in the topic Define a Traffic Management Action in v11.8.x and Lower.
Click Save.

Proxy Action Tab

You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For more information about how to configure proxy actions, see About Proxy Actions.

To configure the proxy action:

Select the Proxy Action tab.
From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, see About Proxy Actions.
Click Save.

For the HTTP-proxy, you can configure these categories of settings for a proxy action:

Scheduling Tab

On the Scheduling tab, you can specify an operating schedule for the policy. You can select an existing schedule or create a new schedule.

Select the Scheduling tab.
From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the topics Create Schedules for Firebox Actions and Set an Operating Schedule.
Click Save.

Advanced Tab

The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.

To edit or add a comment to this proxy policy configuration, type the comment in the Comment text box.

For more information on the options for this tab, see:

About the HTTP-Proxy

Which Proxy Action To Use

About Content Actions

Configure an HTTP Proxy Action

Settings Tab

Application Control Tab

Traffic Management Tab

Proxy Action Tab

Scheduling Tab

Advanced Tab

Policy Tab

Properties Tab

Advanced Tab

Configure the Proxy Action

See Also