Protect a Private HTTPS Server
To provide a better end-user experience, the HTTPS proxy does not do certificate validation for inbound requests to a private HTTPS server on your network. Client browsers see the configured Proxy Server certificate after content inspection is performed.
For additional security, we recommend that you import the CA certificate used to sign the HTTPS server certificate, and then import the HTTPS server certificate with its associated private key. If the CA certificate used to sign the HTTPS server certificate is not automatically trusted itself, you must import each trusted certificate in sequence for this feature to operate correctly. After you have imported all of the certificates, configure the HTTPS Proxy.
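An added example (not WatchGuard code and not part of the original page): a shell pre-check for an administrator workstation that prints a set of PEM certificates in the import sequence described above and confirms that the private key belongs to the server certificate. It assumes the `openssl` CLI is installed; the function names, file names and certificate subjects are hypothetical, and the ordering compares issuer and subject names only, without verifying signatures.

```sh
# Added example, not WatchGuard code. Assumes the openssl CLI is installed and
# file names contain no spaces; all names and subjects below are constructed.
# Print the subject or issuer DN of a PEM certificate: dn subject|issuer FILE
dn() { openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1=//"; }

# Print FILES in import order (topmost CA first, server certificate last).
# Returns 1 if the files do not form one unbroken issuer chain (names only).
import_order() {
    top=""
    for f in "$@"; do            # top = certificate not issued by another file
        is_top=yes
        for g in "$@"; do
            if [ "$f" != "$g" ] && [ "$(dn issuer "$f")" = "$(dn subject "$g")" ]; then is_top=no; fi
        done
        if [ "$is_top" = yes ]; then top=$f; break; fi
    done
    [ -n "$top" ] || return 1
    ordered=$top; parent=$(dn subject "$top"); count=1
    while [ "$count" -lt "$#" ]; do
        next=""
        for f in "$@"; do
            case " $ordered " in *" $f "*) continue ;; esac   # already placed
            if [ "$(dn issuer "$f")" = "$parent" ]; then next=$f; break; fi
        done
        [ -n "$next" ] || return 1
        ordered="$ordered $next"; parent=$(dn subject "$next"); count=$((count + 1))
    done
    echo "$ordered"
}

# Succeed only if private key $2 belongs to certificate $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Build a constructed root -> issuing CA -> server chain (throwaway keys) in directory $1.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null || return 1
    for spec in "ca:root:Constructed Issuing CA" "server:ca:www.example.test"; do
        name=${spec%%:*}; rest=${spec#*:}; signer=${rest%%:*}; cn=${rest#*:}
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$1/$name.key" -out "$1/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$1/$name.csr" -CA "$1/$signer.pem" -CAkey "$1/$signer.key" \
            -CAcreateserial -days 1 -out "$1/$name.pem" 2>/dev/null || return 1
    done
}
```

To try it, run `make_demo_chain` on an empty temporary directory, then pass the resulting `.pem` files to `import_order` in any order; a signing CA that is already trusted can be left out of the list.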
In Fireware v12.2 and higher, when you configure Domain Name rules for content inspection in the inbound HTTPS Proxy, you can choose the proxy server certificate to use for that domain or use the default Proxy Server certificate. This enables you to host several different public-facing web servers and applications behind one Firebox and allow different applications to use different certificates for inbound HTTPS traffic.
- Click .
Or, select Edit > Add Policy.
The Add Policies dialog box opens.
- Select HTTPS-proxy. Click Add Policy.
The New Policy Properties dialog box opens with the Policy tab selected.
- From the Proxy action drop-down list, select HTTPS-Server.Standard.
- Adjacent to the Proxy action drop-down list, click .
The HTTPS Proxy Action Configuration dialog box opens, with the Content Inspection category selected.
- Configure domain name rules with the Inspect action. You must select the HTTP proxy action or content action to use for inspection, and select the certificate to use for this domain rule. This can be the default Proxy Server certificate or another certificate.
For more information, see HTTPS-Proxy: Domain Name Rules.
- Click OK to close the HTTPS Proxy Action Configuration dialog box.
The Clone Predefined or DVCP-created Object dialog box opens.
- In the Name text box, type a name for the proxy action.
For example, type HTTPS-Server-Inspect.
- Click OK.
- Click OK to close the New Policy Properties dialog box.
- In the Add Policy dialog box, click Close.
- Select Firewall > Firewall Policies.
The Firewall Policies page opens.
- Click Add Policy.
The Add Firewall Policy page opens.
- Select the Proxies policy type.
- From the Proxies drop-down list, select HTTPS-proxy and the HTTPS-Server.Standard proxy action.
- Click Add Policy.
The Add page appears for the HTTPS-proxy.
- Select the Proxy Action tab.
- From the Proxy Action drop-down list, select Clone the current proxy action.
- In the Name text box, type a name for this proxy action.
For example, type HTTPS-Server-Inspect.
- Configure domain name rules with the Inspect action. You must select the HTTP proxy action or content action to use for inspection, and select the certificate to use for this domain rule. This can be the default Proxy Server certificate or another certificate.
For more information, see HTTPS-Proxy: Domain Name Rules.
- Click Save.
Use Certificates with Outbound HTTPS Proxy Content Inspection
Troubleshoot Problems with HTTPS Content Inspection