About the Explicit Proxy
In a standard proxy configuration, the Firebox transparently proxies and inspects client connections to servers. In an Explicit Proxy configuration, the Firebox accepts direct requests from clients, completes a DNS lookup, connects to specified servers, and then gets the information on behalf of the client. In this configuration, the client is specifically configured to use the Firebox as a proxy server.
If your current network environment uses an explicit web proxy server for HTTP traffic, you can replace your current proxy server with a Firebox without infrastructure reconfiguration.
You can use the Explicit Proxy to support these primary proxy configurations:
The Explicit Proxy on the Firebox sends traffic over TCP port 3128.
You can use the Explicit Proxy to monitor and control connections from Chromebooks. For more information, go to the Chromebook with WatchGuard Explicit Proxy Integration Guide on the WatchGuard Technology Partners page.
Client Configuration and Proxy Automatic Configuration Files (PAC)
When you use the Explicit Proxy for web traffic, you must configure your client web browsers to use the Firebox address as the proxy server. You can manually configure your client web browser with the address of the Firebox or use proxy automatic configuration (PAC) methods to distribute the proxy configuration to all your clients.
For more information about PAC files and client configuration, go to Explicit Proxy: PAC Files and Client Web Browser Configuration.
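A PAC file for the client configuration described above, added here as an illustration (it is not WatchGuard's own file): requests for internal hosts go direct, everything else goes to the Firebox on TCP port 3128, and there is no DIRECT fallback, so clients fail closed if the proxy is unreachable. The address 10.0.1.1, the suffix .example.internal, and the helper function names are assumptions.

```javascript
// Added example PAC file. Constructed values, replace with your own:
var FIREBOX_PROXY = "PROXY 10.0.1.1:3128";     // hypothetical Firebox address; 3128 is the Explicit Proxy port
var INTERNAL_SUFFIXES = [".example.internal"]; // hypothetical internal DNS suffix

// True when host is a dotted-quad literal in loopback or RFC 1918 space.
// Pure string and number checks, so the client performs no DNS lookup.
function isPrivateIPv4Literal(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return false;
  }
  var a = Number(m[1]), b = Number(m[2]);
  return a === 127 || a === 10 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Hosts that should bypass the proxy: unqualified names, private IPv4
// literals, and names at or under an internal suffix.
function isInternalHost(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  if (isPrivateIPv4Literal(host)) return true;
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var s = INTERNAL_SUFFIXES[i];
    // Match the suffix on a label boundary so "evilexample.internal" is not internal.
    if (host === s.slice(1) || host.slice(-s.length) === s) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isInternalHost(host)) return "DIRECT";
  // No "; DIRECT" fallback: if the Firebox is unreachable the request fails
  // instead of leaving the network uninspected.
  return FIREBOX_PROXY;
}
```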
Explicit Proxy Log Messages and Dimension
Log messages for the Explicit Proxy are included with the other HTTP proxy traffic log messages in Dimension Log Manager and reports.
Configure the Explicit Proxy
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or denies traffic, create access rules for a policy, enable bandwidth and time quotas, or configure static NAT or server load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional description of the policy. You can use the settings on this tab to set logging, notification, automatic blocking, and timeout preferences.
- Connections are — Specify whether connections are Allowed, Denied, or Denied (send reset) and define who appears in the From and To list (on the Policy tab of the proxy definition).
For more information, go to Set Access Rules for a Policy.
- You can also configure static NAT or configure server load balancing.
For more information, go to Configure Static NAT (SNAT) and Configure Server Load Balancing.
- To define the logging settings for the policy, configure the settings in the Logging section.
For more information, go to Set Logging and Notification Preferences.
- If you set the Connections are drop-down list to Denied or Denied (send reset), you can block sites that try to use HTTP.
For more information, go to Block Sites Temporarily with Policy Settings.
- You can change the idle timeout that is set by the Firebox or authentication server.
For more information, go to Set a Custom Idle Timeout.
- You can enable bandwidth and time quotas.
For more information, go to About Quotas.
SD-WAN Tab
On the SD-WAN tab, you can select to apply an SD-WAN action to the policy. You can also add a new SD-WAN action. For more information about SD-WAN routing, go to About SD-WAN.
SD-WAN replaces policy-based routing in Fireware v12.3 or higher.
Application Control Tab
If Application Control is enabled on your Firebox, you can set the action this proxy uses for Application Control.
- Select the Application Control tab.
- From the Application Control Action drop-down list, select an application control action to use for this policy, or create a new action.
- (Optional) Edit the Application Control settings for the selected action.
- Click Save.
For more information, go to Enable Application Control in a Policy.
Geolocation Tab
If Geolocation is enabled on your Firebox, on the Geolocation tab, you can select the Geolocation action for this proxy. You can also add a new Geolocation action. For more information about Geolocation, go to Configure Geolocation.
To apply a Geolocation action in a policy:
- Select the Geolocation tab.
- From the Geolocation Control Action drop-down list, select a Geolocation action.
Or, to create a new Geolocation action, click Add.
- Click Save.
The Geolocation tab is available in Fireware 12.3 or higher.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can also create a new Traffic Management action. For more information about Traffic Management actions, go to Define a Traffic Management Action and Add Traffic Management Actions to a Policy.
To apply a Traffic Management action in a policy:
- Select the Traffic Management tab.
- From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings as described in the topic Define a Traffic Management Action.
- Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For more information about how to configure proxy actions, go to About Proxy Actions.
To configure the proxy action:
- Select the Proxy Action tab.
- From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, go to About Proxy Actions.
- Click Save.
You can configure these categories of settings for a proxy action:
- Explicit Proxy: HTTP Web Proxy
- Explicit Proxy: FTP over HTTP
- Explicit Proxy: HTTP CONNECT Tunneling
- HTTP Request: General Settings
- HTTP Request: Request Methods
- HTTP Request: URL Paths
- HTTP Request: Header Fields
- HTTP Request: Authorization
- HTTP Response: General Settings
- HTTP Response: Header Fields
- HTTP Response: Content Types
- HTTP Response: Cookies
- HTTP Response: Body Content Types
- HTTP-Proxy: Exceptions
- HTTP-Proxy: Data Loss Prevention
- HTTP-Proxy: WebBlocker
- HTTP-Proxy: AntiVirus
- HTTP-Proxy: Reputation Enabled Defense
- HTTP-Proxy: Deny Message
- HTTP-Proxy: Proxy and AV Alarms
- HTTP-Proxy: APT Blocker
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select a schedule that already exists or create a new schedule.
- Select the Scheduling tab.
- From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the topics Create Schedules for Firebox Actions and Set an Operating Schedule.
- Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text box.
For more information about the options for this tab, go to:
- Apply NAT Rules (NAT rules do not apply to the Explicit Proxy)
- Set the Sticky Connection Duration for a Policy
- Set ICMP Error Handling
- Set Connection Rate Limits
- Enable QoS Marking and Prioritization in a Policy
Policy Tab
To set access rules and other options, select the Policy tab.
- HTTP-proxy connections are — Specify whether connections are Allowed, Denied, or Denied (send reset) and define who appears in the From and To list (on the Policy tab of the proxy definition).
For more information, go to Set Access Rules for a Policy.
- Route outbound traffic using > SD-WAN — For information, go to About SD-WAN.
- You can also configure static NAT or configure server load balancing.
For more information, go to Configure Static NAT (SNAT) and Configure Server Load Balancing.
- Enable Application Control — Enable Application Control and select the Application Control action to use for this policy. For more information, go to Enable Application Control in a Policy.
- Enable Geolocation — Enable Geolocation and select the Geolocation action to use for this policy. For more information, go to Configure Geolocation.
- Enable IPS — Enable IPS for this policy. For more information, go to Enable or Disable IPS for a Policy.
- Proxy action — Select the proxy action to use for this policy. You can also edit the rulesets for proxy actions.
- You can also enable bandwidth and time quotas.
For more information, go to About Quotas.
Properties Tab
On the Properties tab, you can configure these options:
- To edit or add a comment to this policy configuration, type the comment in the Comment text box.
- To define the logging settings for the policy, click Logging.
For more information, go to Set Logging and Notification Preferences.
- If you set the HTTP-proxy connections are drop-down list (on the Policy tab) to Denied or Denied (send reset), you can block sites that try to use HTTP.
For more information, go to Block Sites Temporarily with Policy Settings.
- You can also change the idle timeout that is set by the Firebox or authentication server.
For more information, go to Set a Custom Idle Timeout.
Advanced Tab
You can also configure these options in your proxy definition:
- Set an Operating Schedule
- Add Traffic Management Actions to a Policy
- Set ICMP Error Handling
- Apply NAT Rules (NAT rules do not apply to the Explicit Proxy)
- Set Connection Rate Limits
- Enable QoS Marking and Prioritization in a Policy
- Set the Sticky Connection Duration for a Policy
Configure the Proxy Action
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For more information about how to configure proxy actions, go to About Proxy Actions.
You can configure these categories of settings for a proxy action:
- Explicit Proxy: HTTP Web Proxy
- Explicit Proxy: FTP over HTTP
- Explicit Proxy: HTTP CONNECT Tunneling
- HTTP Request: General Settings
- HTTP Request: Request Methods
- HTTP Request: URL Paths
- HTTP Request: Header Fields
- HTTP Request: Authorization
- HTTP Response: General Settings
- HTTP Response: Header Fields
- HTTP Response: Content Types
- HTTP Response: Cookies
- HTTP Response: Body Content Types
- HTTP-Proxy: Exceptions
- HTTP-Proxy: Data Loss Prevention
- HTTP-Proxy: WebBlocker
- HTTP-Proxy: AntiVirus
- HTTP-Proxy: Reputation Enabled Defense
- HTTP-Proxy: Deny Message
- Proxy and AV Alarms
- HTTP-Proxy: APT Blocker