HTTP Request: General Settings
In the HTTP Proxy Action HTTP Request General Settings configuration, you can set basic HTTP parameters, such as idle time out and URL length.
- Select Firewall > Proxy Actions.
The Proxy Action page opens. - Select the proxy action to edit.
- Click Edit.
- Select Proxy Action > HTTP Request.
- Select Setup > Actions > Proxies.
The Proxy Action dialog box opens. - Select the proxy action to edit.
- Click Edit.
- Select HTTP Request > General Settings.
Settings
HTTP Proxy Action HTTP Request General Settings configuration from Policy Manager
Set the connection idle timeout to
This option controls performance.
To close the TCP socket for the HTTP connection when no packets have passed through the TCP socket in the amount of time you specify, select the Set the connection idle timeout to check box. In the adjacent text box, type or select the number of minutes before the proxy times out.
Because every open TCP session uses a small amount of memory on the Firebox, and browsers and servers do not always close HTTP sessions cleanly, we recommend that you keep this check box selected. This makes sure that stale TCP connections are closed and helps the Firebox save memory. You can lower the timeout to five minutes and not reduce performance standards.
Set the maximum URL path length to
To set the maximum number of bytes allowed in a URL, select the Set the maximum URL path length to check box.
In this area of the proxy, URL includes anything in the web address after the top-level-domain. This includes the slash character but not the domain name (www.myexample.com or myexample.com). For example, the URL www.myexample.com/products counts nine characters toward this limit because /products has nine characters.
The default value of 4096 is usually enough for any URL requested by a computer behind your Firebox. Characters in the URL are encoded by the Firebox and usually take 1 byte each. For example, the URL www.myexample.com/products counts nine bytes toward this limit because /products has nine characters. A URL that is very long can indicate an attempt to compromise a web server. The minimum length is 15 bytes. We recommend that you keep this setting enabled with the default settings. This helps protect against infected web clients on the networks that the HTTP-proxy protects.
Allow range requests through unmodified
This option allows HTTP range requests through the Firebox, and is selected by default.
Range requests enable a client to request subsets of the bytes in a web resource instead of the full content. For example, you could use a range request to pause and resume website video playback. When you request only the content you need, a download is faster because it does not include unnecessary data.
Range requests enable mobile devices to download or stream content from websites more reliably.
To enable you to view how often your client devices perform HTTP range requests, the Log this action check box is selected by default. If you do not want to view individual HTTP range requests through the proxy, clear the Log this action check box.
Allow WebSocket Connections
WebSocket connections allow bidirectional communication between a client and server over a single TCP connection, which enables more efficient data transfer. You can specify whether HTTP proxy actions allow connections that use WebSocket protocol. WebSocket connections are disabled by default for all HTTP proxy actions.
To allow WebSocket connections in the HTTP proxy action, select the Allow WebSocket Connections check box.
WebSocket connections are supported in Fireware v12.10 and higher.
For more information about the WebSocket Protocol, go to RFC 6455.
SafeSearch
SafeSearch is a feature included in web browser search engines that enables users to specify what level of potentially inappropriate content can be returned in search results.
To enable SafeSearch in the HTTP-Client proxy action, select the Enforce SafeSearch check box. When you enable SafeSearch, the strictest level of SafeSearch rules are enforced regardless of the settings configured in the client web browser search engines.
To enforce SafeSearch for some sites that require HTTPS connections (such as Google and YouTube), you must use an HTTPS Proxy policy with content inspection enabled. To enable SafeSearch for decrypted HTTPS content, in the proxy action for the HTTPS-Client Proxy policy, select an HTTP-Client proxy action with SafeSearch enabled. For more information on HTTPS and content inspection, go to HTTPS-Proxy: Content Inspection.
When SafeSearch is enabled, you can select the level of enforcement used to restrict which videos are viewable by users on YouTube. YouTube offers two content restriction levels — Moderate and Strict.
From the SafeSearch enforcement level for YouTube drop-down list, select the content restriction level to use. YouTube uses an algorithm to decide which videos to restrict.
SafeSearch uses the HTTP header request YouTube-Restrict: Strict or YouTube-Restrict: Moderate to set the YouTube content restriction level in the browser when users connect to these YouTube domains:
- www.youtube.com
- m.youtube.com
- youtubei.googleapis.com
- youtube.googleapis.com
- www.youtube-nocookie.com
The SafeSearch enforcement level for YouTube is available in Fireware version 12.2.1 and higher.
Enable logging for reports
To create a traffic log message for each transaction, select this check box. This option creates a large log file, but this information can be very important if your firewall is attacked. If you do not select this check box, you cannot view detailed information about HTTP-proxy connections in reports.
To generate log messages for both Web Audit and WebBlocker reports, you must select this option. For more information about how to generate reports for the log messages from your device, go to Configure Report Generation Settings.
If you use Active Directory authentication, make sure your Firebox device is configured to use Single Sign-On. This enables you to create reports based on the authenticated user names. To learn more about authentication with Single Sign-On, go to How Active Directory SSO Works.
Override the Diagnostic Log Level for Proxy Policies That Use This Proxy Action
To specify the diagnostic log level for all proxy polices that use this proxy action, select this check box. Then, from the Diagnostic Log Level for This Proxy Action drop-down list, select a log level:
- Error
- Warning
- Information
- Debug
The log level you select overrides the diagnostic log level that is configured for all log messages of this proxy policy type.
For more information about the diagnostic log level, go to Set the Diagnostic Log Level.