Related Topics
HTTP Request: General Settings
In the HTTP Proxy Action HTTP Request General Settings configuration, you can set basic HTTP parameters, such as idle time out and URL length.
HTTP Proxy Action HTTP Request General Settings configuration from Fireware Web UI
HTTP Proxy Action HTTP Request General Settings configuration from Policy Manager
Set the connection idle timeout to
This option controls performance.
To close the TCP socket for the HTTP connection when no packets have passed through the TCP socket in the amount of time you specify, select the Set the connection idle timeout to check box. In the adjacent text box, type or select the number of minutes before the proxy times out.
Because every open TCP session uses a small amount of memory on the Firebox, and browsers and servers do not always close HTTP sessions cleanly, we recommend that you keep this check box selected. This makes sure that stale TCP connections are closed and helps the Firebox save memory. You can lower the timeout to five minutes and not reduce performance standards.
Set the maximum URL path length to
To set the maximum number of characters allowed in a URL, select the Set the maximum URL path link to check box.
In this area of the proxy, URL includes anything in the web address after the top-level-domain. This includes the slash character but not the host name (www.myexample.com or myexample.com). For example, the URL www.myexample.com/products counts nine characters toward this limit because /products has nine characters.
The default value of 4096 is usually enough for any URL requested by a computer behind your Firebox. A URL that is very long can indicate an attempt to compromise a web server. The minimum length is 15 bytes. We recommend that you keep this setting enabled with the default settings. This helps protect against infected web clients on the networks that the HTTP-proxy protects.
Allow range requests through unmodified
To allow range requests through the Firebox, select this check box. Range requests allow a client to request subsets of the bytes in a web resource instead of the full content. For example, if you want only some sections of a large Adobe file but not the whole file, the download occurs more quickly and prevents the download of unnecessary pages if you can request only what you need.
Range requests introduce security risks. Malicious content can hide anywhere in a file and a range request makes it possible for any content to be split across range boundaries. The proxy can fail to see a pattern it is looking for when the file spans two GET operations.
We recommend that you do not select this check box if the rules you add in the Body Content Types section of the proxy are designed to identify byte signatures deep in a file, instead of just in the file header.
To add a traffic log message when the proxy takes the action indicated in the check box for range requests, select the Log this action check box.
Safe Search
Safe Search is a feature included in web browser search engines that enables users to specify what level of potentially inappropriate content can be returned in search results. When you enable Safe Search in the HTTP-Client proxy action, the strictest level of Safe Search rules are enforced regardless of the settings configured in the client web browser search engines.
To enforce safe search for some sites that require HTTPS connections (including Google and YouTube), you must use an HTTPS Proxy Policy with content inspection enabled. You can select the HTTP-Client proxy action with Safe Search enabled to use with the decrypted HTTPS traffic. For more information on HTTPS and content inspection, see HTTPS-Proxy: Content Inspection.
When Safe Search is enabled, restricted mode is set for YouTube. This restricts the videos viewable by users. YouTube uses an algorithm to decide which videos to restrict. Safe Search sets restricted mode in the browser using the HTTP header request YouTube-Restrict: Strict when connected to these YouTube domains:
- www.youtube.com
- m.youtube.com
- youtubei.googleapis.com
- youtube.googleapis.com
- www.youtube-nocookie.com
The YouTube restricted mode feature is available in Fireware OS v12.1 and higher.
Enable logging for reports
To create a traffic log message for each transaction, select this check box. This option creates a large log file, but this information can be very important if your firewall is attacked. If you do not select this check box, you do not see detailed information about HTTP-proxy connections in reports.
To generate log messages for both Web Audit and WebBlocker reports, you must select this option. For more information about how to generate reports for the log messages from your device, see Configure Report Generation Settings.
If you use Active Directory authentication, make sure your Firebox device is configured to use Single Sign-On. This enables you to create reports based on the authenticated user names. To learn more about authentication with Single Sign-On, see About Active Directory Single Sign-On (SSO).
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy polices that use this proxy action, select this check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a log level:
- Error
- Warning
- Information
- Debug
The log level you select overrides the diagnostic log level that is configured for all log messages of this proxy policy type.
For more information about the diagnostic log level, see Set the Diagnostic Log Level.
See Also
About Logging, Log Files, and Notification
Enforce Safe Search (Video)