HTTPS (Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a request/response protocol between clients and servers used for secure communications and transactions. You can use the HTTPS-proxy to secure a web server protected by your Firebox or to examine HTTPS traffic requested by clients on your network. By default, when an HTTPS client starts a request, it establishes a TCP (Transmission Control Protocol) connection on port 443. Most HTTPS servers listen for requests on port 443.
HTTPS is more secure than HTTP because HTTPS uses a digital certificate to secure a connection, validate the web server identity and exchange the shared key. The Firebox can then encrypt and decrypt the HTTPS traffic. It encrypts and decrypts user page requests as well as the pages that are returned by the web server. The Firebox must decrypt a page it before it can be examined. After it examines the content, the Firebox encrypts the traffic with a certificate and sends it to the intended destination.
You can export the default certificate created by your Firebox for this feature, or import a certificate for the device to use instead. If you use the HTTPS-proxy to examine web traffic requested by users on your network, we recommend that you export the default certificate and distribute it to each user so that they do not receive browser warnings about untrusted certificates. If you use the HTTPS-proxy to secure a web server that accepts requests from an external network, we recommend that you import the current web server certificate for the same reason.
When an HTTPS client or server uses a port other than port 443 in your organization, we recommend that you create a custom policy for the port you need. Use the HTTPS-proxy as a template to create this policy. For more information, go to Add a Proxy Policy to Your Configuration.
Which Proxy Action To Use
When you configure a proxy policy, you must select a proxy action appropriate to the policy. For a proxy policy that allows connections from your internal clients to the internet, use the Client proxy action. For a proxy policy that allows connections to your internal servers from the internet, use the Server proxy action.
Predefined proxy actions with Standard appended to the proxy action name include recommended standard settings that reflect the latest Internet network traffic trends.
It is important to select the correct proxy action for incoming or outgoing HTTPS connections so that the proxy uses the appropriate certificate. HTTPS-Client proxy actions use the outbound Proxy Authority CA certificate. HTTPS-Server proxy actions use the Proxy Server web server certificate.
The Web Setup Wizard and WSM Quick Setup Wizard automatically adds an HTTPS-proxy policy that uses the Default-HTTPS-Client proxy action. The Default-HTTPS-Client proxy action is based on the HTTPS-Client.Standard proxy action and enables subscription services that were licensed in the feature key when the setup wizard was run. If you add a new HTTPS-proxy policy, the Default-HTTPS-Client proxy action could be a better choice than the HTTPS-Client.Standard proxy action. For more information about the Default-HTTPS-Client proxy action, go to Setup Wizard Default Policies and Settings.
Configure the HTTPS-Proxy
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or denies traffic, create access rules for a policy, enable bandwidth and time quotas, and configure static NAT and server load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional description of the policy. You can use the settings on this tab to set logging, notification, automatic blocking, and timeout preferences.
- Connections are — Specify whether connections are Allowed, Denied, or Denied (send reset) and define who appears in the From and To list (on the Policy tab of the proxy definition). Go to Set Access Rules for a Policy.
- You can also configure static NAT or configure server load balancing. Go to Configure Static NAT (SNAT) and Configure Server Load Balancing.
- To define the logging settings for the policy, configure the settings in the Logging section.
For more information, go to Set Logging and Notification Preferences. - If you set the Connections are drop-down list to Denied or Denied (send reset), you can block sites that try to use HTTPS.
For more information, go to Block Sites Temporarily with Policy Settings. - To change the idle timeout that is set by the Firebox or Firebox or authentication server, go to Set a Custom Idle Timeout.
- To enable bandwidth and time quotas, go to About Quotas.
SD-WAN Tab
On the SD-WAN tab, you can select to apply an SD-WAN action to the policy. You can also add a new SD-WAN action. For more information about SD-WAN routing, go to About SD-WAN.
SD-WAN replaces policy-based routing in Fireware v12.3 or higher.
Application Control Tab
If Application Control is enabled on your Firebox, you can set the action this proxy uses for Application Control.
- Select the Application Control tab.
- From the Application Control Action drop-down list, select an application control action to use for this policy, or create a new action.
- (Optional) Edit the Application Control settings for the selected action.
- Click Save.
For more information, go to Enable Application Control in a Policy.
Geolocation Tab
If Geolocation is enabled on your Firebox, on the Geolocation tab, you can select the Geolocation action for this proxy. You can also add a new Geolocation action. For more information about Geolocation, go to Configure Geolocation.
To apply a Geolocation action in a policy:
- Select the Geolocation tab.
- From the Geolocation Control Action drop-down list, select a Geolocation action.
Or, to create a new Geolocation action, click Add. - Click Save.
The Geolocation tab is available in Fireware 12.3 or higher.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can also create a new Traffic Management action. For more information about Traffic Management actions, go to Define a Traffic Management Action and Add Traffic Management Actions to a Policy.
To apply a Traffic Management action in a policy:
- Select the Traffic Management tab.
- From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings as described in the topic Define a Traffic Management Action. - Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For more information about how to configure proxy actions, go to About Proxy Actions.
To configure the proxy action:
- Select the Proxy Action tab.
- From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, go to About Proxy Actions. - Click Save.
For the HTTPS-proxy, you can configure these categories of settings for a proxy action:
- HTTPS-Proxy: General Settings
- HTTPS-Proxy: Content Inspection
- HTTPS-Proxy: Domain Name Rules
- HTTPS-Proxy: WebBlocker
- HTTPS-Proxy: Proxy Alarm
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an existing schedule or create a new schedule.
- Select the Scheduling tab.
- From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the topics Create Schedules for Firebox Actions and Set an Operating Schedule. - Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text box.
For more information on the options for this tab, go to:
Policy Tab
To set access rules and other options, select the Policy tab.
- HTTPS-proxy connections are — Specify whether connections are Allowed, Denied, or Denied (send reset) and define who appears in the From and To list (on the Policy tab of the proxy definition). Go to Set Access Rules for a Policy.
- Route outbound traffic using > SD-WAN — Go to About SD-WAN. Tip!
- Enable Application Control — Enable Application Control and select the Application Control action to use for this policy. For more information, go to Enable Application Control in a Policy.
- Enable Geolocation — Enable Geolocation and select the Geolocation action to use for this policy. For more information, go to Configure Geolocation.
- Enable IPS — Enable IPS for this policy. For more information, go to Enable or Disable IPS for a Policy.
- You can also configure static NAT or configure server load balancing. See Configure Static NAT (SNAT) and Configure Server Load Balancing.
- Proxy action — Select the proxy action to use for this policy. You can also edit the rulesets for proxy actions.
- To enable bandwidth and time quotas, go to About Quotas.
Properties Tab
On the Properties tab, you can configure these options:
- To edit or add a comment to this policy configuration, type the comment in the Comment text box.
- To define the logging settings for the policy, click Logging.
For more information, go toSet Logging and Notification Preferences. - If you set the HTTPS-proxy connections are drop-down list (on the Policy tab) to Denied or Denied (send reset), you can block sites that try to use HTTPS.
For more information, go to Block Sites Temporarily with Policy Settings. - To change the idle timeout that is set by the Firebox or Firebox, or authentication server, go to Set a Custom Idle Timeout.
Advanced Tab
You can also configure these options in your proxy definition:
- Set an Operating Schedule
- Add Traffic Management Actions to a Policy
- Set ICMP Error Handling
- Apply NAT Rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
- Set Connection Rate Limits
- Enable QoS Marking and Prioritization in a Policy
- Set the Sticky Connection Duration for a Policy
Configure the Proxy Action
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For more information about how to configure proxy actions, go to About Proxy Actions.
For the HTTPS-proxy, you can configure these categories of settings for a proxy action:
If you enable WebBlocker in an HTTPS proxy action, but do not enable content inspection, users do not see a deny message when content is denied by WebBlocker. Without content inspection, protection is less thorough. WebBlocker can only see the common name or server name domain information, not the URL. For more information, see HTTPS-Proxy: WebBlocker.