HTTPS-Proxy: General Settings
In the HTTPS proxy action general settings configuration, you can configure basic HTTPS parameters.
(Screenshots: HTTPS proxy action general settings configuration in Fireware Web UI and in Policy Manager.)
Allow only SSL compliant traffic
This option is available only for Fireboxes that run Fireware OS v11.8.1 or higher.
When content inspection is not enabled, select this option to enable your Firebox to allow only traffic that is compliant with these SSL protocols:
SSL compliant traffic refers to SSL protocol messages that adhere to SSL/TLS standards that are considered secure and can be interpreted by the HTTPS proxy. Successful interpretation is required to perform content inspection of traffic within the HTTPS tunnel. If content inspection is not enabled, you can allow non-compliant SSL protocol traffic (used by some VPN software and other applications) so that the HTTPS proxy can send that traffic over port 443 through the Firebox.
In Fireware v11.11.1 and higher, because of known security vulnerabilities, SSLv2 is considered a non-compliant SSL protocol. In Fireware v11.11.4 and higher, to configure the HTTPS proxy to allow SSLv2 traffic, make sure the Allow only SSL compliant traffic check box is not selected and content inspection is not enabled.
When content inspection is enabled and SSL compliant traffic establishes a secure tunnel through the HTTPS proxy, the tunneled traffic must use a valid HTTP protocol. If it does not, the HTTP proxy action (with content inspection enabled) that is specified in the HTTPS proxy settings causes the Firebox to send a log message about the errors and drop the traffic.
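To make the compliance decision described above concrete, here is an added example (not WatchGuard code, and not how Fireware is implemented internally) that looks at the first bytes a client sends on a port 443 connection, decides whether they are an SSLv3/TLS ClientHello, an SSLv2 ClientHello, or not an SSL record at all, and then applies the page's rule: non-compliant traffic passes only when content inspection is off and the Allow only SSL compliant traffic check box is clear. The sample byte strings are constructed for the example, and the function names are the example's own.

```python
"""
Classify the opening bytes of a port-443 connection and apply the
"Allow only SSL compliant traffic" rule described on this page.
Example code written for this page; not Fireware's implementation.
"""
from dataclasses import dataclass

# TLS record-layer constants (RFC 5246): content type 0x16 = handshake,
# and handshake type 0x01 = ClientHello.
TLS_CONTENT_TYPE_HANDSHAKE = 0x16
TLS_HANDSHAKE_CLIENT_HELLO = 0x01

# Record-layer version bytes as they appear on the wire. TLS 1.3 clients still
# put 3.1 or 3.3 here and signal 1.3 in an extension, so 3.4 is not listed.
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}


@dataclass
class HelloInfo:
    protocol: str    # "SSLv2", "SSLv3", "TLS 1.x", or "non-SSL"
    compliant: bool  # True only for an SSLv3/TLS ClientHello record
    reason: str


def classify_client_bytes(data: bytes) -> HelloInfo:
    """Return what the first bytes sent by the client look like."""
    if len(data) < 3:
        return HelloInfo("non-SSL", False, "too short to be an SSL/TLS record")

    # SSLv2 record format: a 2-byte header with the high bit set, then the
    # message type; 0x01 is CLIENT-HELLO. The page treats SSLv2 as
    # non-compliant because of its known vulnerabilities.
    if data[0] & 0x80 and data[2] == 0x01:
        return HelloInfo("SSLv2", False, "SSLv2 ClientHello; SSLv2 is non-compliant")

    # SSLv3/TLS record: content type, 2-byte version, 2-byte length, then the
    # handshake header whose first byte is the handshake type.
    if data[0] == TLS_CONTENT_TYPE_HANDSHAKE and len(data) >= 6:
        major, minor = data[1], data[2]
        name = VERSION_NAMES.get((major, minor))
        if name is None:
            return HelloInfo("non-SSL", False, f"unknown record version {major}.{minor}")
        if data[5] != TLS_HANDSHAKE_CLIENT_HELLO:
            return HelloInfo(name, False, "handshake record that is not a ClientHello")
        # The page names only SSLv2 as non-compliant; tighten here if your
        # policy also rejects SSLv3.
        return HelloInfo(name, True, "SSLv3/TLS ClientHello")

    return HelloInfo("non-SSL", False,
                     "does not start with an SSL/TLS record (plaintext or VPN framing)")


def proxy_decision(data: bytes, allow_only_ssl_compliant: bool,
                   content_inspection: bool) -> str:
    """Return "allow" or "drop" for a new connection on port 443.

    Content inspection needs a handshake the proxy can interpret, so
    non-compliant traffic is only passed when inspection is off and the
    'Allow only SSL compliant traffic' check box is not selected.
    """
    info = classify_client_bytes(data)
    if info.compliant:
        return "allow"
    if content_inspection or allow_only_ssl_compliant:
        return "drop"
    return "allow"


# Constructed, truncated samples of what a client might send first.
SAMPLE_TLS12 = b"\x16\x03\x03\x00\x06\x01\x00\x00\x02\x03\x03"
SAMPLE_SSLV2 = b"\x80\x2e\x01\x00\x02\x00\x15\x00\x00\x00\x10"
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("tls12", SAMPLE_TLS12), ("sslv2", SAMPLE_SSLV2),
                          ("http", SAMPLE_HTTP)):
        info = classify_client_bytes(sample)
        print(f"{label:6} {info.protocol:8} compliant={info.compliant} ({info.reason})")
        for only_compliant in (False, True):
            for inspect in (False, True):
                print(f"    allow_only_compliant={only_compliant} "
                      f"content_inspection={inspect}: "
                      f"{proxy_decision(sample, only_compliant, inspect)}")
```

Run it and you will see that the SSLv2 sample is allowed only in the one configuration the page describes (check box clear, content inspection disabled), while the TLS 1.2 sample is allowed in every configuration and the plaintext HTTP sample follows the same path as SSLv2.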
You can configure the proxy to send an SNMP trap, a notification to a network administrator, or both. The notification can either be an email message to a network administrator or a pop-up window on the management computer.
Configure these settings to specify how long the HTTPS proxy waits for the web client to make a request from the external web server after it starts a TCP/IP connection, or after an earlier request for the same connection. If the time period exceeds this setting, the HTTPS proxy closes the connection.
To enable this feature, select the Connection timeout check box. In the adjacent text box, type or select the number of minutes before the proxy times out.
Enable logging for reports
To create a traffic log message for each transaction that can be used to generate reports, select this check box. This option increases the size of your log file, but this information is very important if your firewall is attacked. If you do not select this check box, you do not see detailed information about HTTPS proxy connections in reports.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a log level:
The log level you select overrides the diagnostic log level that is configured for all log messages of this proxy policy type.
For more information about the diagnostic log level, see Set the Diagnostic Log Level.