HTTPS-Proxy: Content Inspection

In an HTTPS proxy action, you can enable content inspection and configure domain name rules. When content inspection is enabled, the Firebox can decrypt HTTPS traffic, examine the content, then encrypt the traffic again with a new certificate. The HTTPS proxy inspects content for requests that match configured domain name rules with the Inspect action and for WebBlocker categories you select to inspect.

The available content inspection settings depend on whether the HTTPS proxy action is for outbound or inbound HTTPS requests.

HTTPS client proxy action

An HTTPS client proxy action specifies settings for inspection of outbound HTTPS requests. When you select the Inspect action in an HTTPS client proxy action, you select the HTTP proxy action the HTTPS proxy uses to examine the content.

HTTPS server proxy action

An HTTPS server proxy action specifies settings for inspection and routing of inbound HTTPS requests to an internal web server. When you select the Inspect action for a domain name rule in an HTTPS server proxy action, you select the HTTP proxy action or HTTP content action the HTTPS proxy uses to examine the content.

For an example of how to configure content inspection with an HTTP content action, see Example: HTTPS Proxy Action with an HTTP Content Action.

Enable Content Inspection

To enable content inspection:

  1. In the HTTPS-Proxy action, select Content Inspection.
    The Content Inspection Summary section shows the current Content Inspection configuration settings.

Content Inspection Summary for an HTTPS client proxy action in Fireware Web UI

  2. In the Content Inspection Summary section, click Edit.
    The Content Inspection Settings dialog box appears.

Content Inspection Settings dialog box for an HTTPS client proxy action in Fireware Web UI

Content Inspection Settings dialog box in Policy Manager

  3. Configure the settings described in the next section.
  4. Add domain name rules with the Inspect action. For more information, see HTTPS-Proxy: Domain Name Rules.
  5. Save the configuration to the Firebox.

Content Inspection Settings

In the Content Inspection Settings dialog box, you can configure these settings:

Allow only SSL compliant traffic

This option enables the HTTPS proxy policy to allow only traffic that is compliant with the SSLv3, TLS 1.0, TLS 1.1, or TLS 1.2 protocols.

SSL compliant traffic refers to SSL protocol messages that adhere to SSL/TLS standards that are considered secure and can be interpreted by the HTTPS proxy. This option is automatically enabled when you enable content inspection. If content inspection is not enabled, you can allow non-compliant SSL protocol traffic (used by some VPN software and other applications), to enable the HTTPS proxy to send traffic over port 443 through the Firebox.

When content inspection is enabled and SSL compliant traffic establishes a secure tunnel through the HTTPS proxy, but the tunneled traffic is not valid HTTP, the HTTP proxy action used for inspection causes the Firebox to log the errors and drop the traffic.

Enable Content Inspection

When you select the Enable Content Inspection check box, the Firebox can decrypt HTTPS traffic, examine the content, then encrypt the traffic again with a new certificate. After you enable content inspection, configure domain name rules and WebBlocker categories for the proxy to inspect. The HTTPS proxy uses the HTTP proxy action you select for each Inspect action to examine the content.

When you enable content inspection, the display of some websites may be affected, because the HTTP proxy enforces limits such as the maximum header-line length and applies Gateway AntiVirus and WebBlocker to page elements.

To specify which domains and WebBlocker categories this HTTPS proxy action inspects:

  • In the Domain Names list in the HTTPS proxy action, add a domain with the Inspect action.
    For more information, see HTTPS-Proxy: Domain Name Rules.
  • In the WebBlocker settings in an HTTPS client proxy action, edit the WebBlocker action. In the WebBlocker categories list, select the WebBlocker content categories to inspect, or select the Inspect when a URL is uncategorized check box.
    For more information, see HTTPS-Proxy: WebBlocker.

By default, the Proxy Authority CA certificate the HTTPS proxy uses to encrypt the traffic is generated automatically by your Firebox. When you use this certificate, your users receive a warning in their browsers because it is an untrusted self-signed certificate. To prevent these warnings, you can import this certificate on each client device.

You can also upload your own certificate to use for this purpose. If you choose to upload your own certificate, we recommend you use your own internal CA to sign the certificate. If your users are on your domain, and you use a certificate signed by your own internal CA, users can connect successfully without browser warnings.

A client can download and install the Proxy Authority certificate from the Certificate Portal on the Firebox at http://<Firebox IP address>:4126/certportal. For more information, see Certificate Portal.

When you enable content inspection, automatic trusted CA certificate updates on the Firebox are enabled, if they were not already enabled.

For information about how to use certificates with content inspection, see Use Certificates with HTTPS Proxy Content Inspection.

For information about how to export a certificate from a Firebox, see Export a Certificate from Your Firebox.

For information about how to import a certificate on a client device, see Import a Certificate on a Client Device.

If the original website or your web server has a self-signed or invalid certificate, or if the certificate was signed by a CA the Firebox does not recognize (such as a public, third-party CA), clients see a certificate warning in their web browsers. Certificates that cannot be correctly re-signed appear to be issued by Fireware HTTPS-proxy: Unrecognized Certificate or Invalid Certificate.

Some third-party programs keep private copies of necessary certificates and do not use the operating system certificate store, or transmit other types of data over TCP port 443. These programs include:

  • Communications software (for example, Google Voice)
  • Remote desktop and presentation software (for example, LiveMeeting and WebEx)
  • Financial and business software (for example, iVantage, FedEx, and UPS)

If these programs do not have a method to import trusted CA certificates, they do not operate correctly when Content Inspection is enabled. For more information about certificate use or technical support, contact your software vendor, or add domain rules with the Allow action for IP addresses of computers with this software to bypass content inspection.

Allow SSLv3

TLSv1 and SSLv3 are protocols used for HTTPS connections. SSLv3 is not as secure as TLSv1. By default, the HTTPS proxy only allows connections that negotiate the TLSv1 protocol. If your users connect to client or server applications that only support SSLv3, you can configure the HTTPS proxy to use SSLv3 for connections to these websites.

To enable SSLv3, select the Allow SSLv3 check box. This option is disabled by default.

Use OCSP to validate certificates

This option applies only to HTTPS client proxy actions. HTTPS server proxy actions do not validate certificates.

Select this check box to enable your Firebox to automatically check for certificate revocations with OCSP (Online Certificate Status Protocol). When this feature is enabled, your Firebox uses information in the certificate to contact an OCSP server that keeps a record of the certificate status. If the OCSP server responds that the certificate has been revoked, your Firebox disables the certificate.

If you select this option, there can be a delay of several seconds while your Firebox requests a response from the OCSP server. To improve performance for frequently visited websites, the Firebox caches between 300 and 3000 OCSP responses; the exact number of cached responses depends on your Firebox model.

This option implements a loose OCSP policy. If the OCSP server cannot be contacted for any reason and does not send a response, the Firebox does not disable the certificate or break the certificate chain.

If a certificate cannot be validated, the certificate is considered invalid

When this option is enabled, the Firebox enforces a strict OCSP policy. If an OCSP responder does not send a response to a revocation status request, your Firebox considers the original certificate as invalid or revoked. This option can cause certificates to be considered invalid if there is a routing error or a problem with your network connection.
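As an added example (not Fireware code), a small Python model of the loose and strict OCSP policies and the bounded response cache described above. The responder round trip is simulated by a `fetch` callable, and the cache size and response validity window are assumed values, not Firebox defaults.

```python
import time
from collections import OrderedDict
from typing import Callable, Optional


class OcspTimeout(Exception):
    """Responder unreachable or silent (routing error, network problem, ...)."""


class OcspValidator:
    """Model of the two OCSP policies on this page (added example, not Fireware code).

    fetch(cert_id) stands in for the network round trip to the responder named in the
    certificate; it returns 'good' or 'revoked', or raises OcspTimeout.
    The cache is bounded (the page gives 300..3000 entries, by Firebox model; 300 here
    is an assumed value) and keeps each response until its validity window expires.
    """

    def __init__(self, fetch: Callable[[str], str], cache_size: int = 300,
                 ttl_s: float = 3600.0, clock: Callable[[], float] = time.monotonic):
        self.fetch, self.cache_size, self.ttl_s, self.clock = fetch, cache_size, ttl_s, clock
        self.cache: "OrderedDict[str, tuple]" = OrderedDict()  # cert_id -> (status, expires_at)
        self.lookups = 0  # responder round trips actually made (each costs a delay)

    def _cached(self, cert_id: str) -> Optional[str]:
        hit = self.cache.get(cert_id)
        if hit and hit[1] > self.clock():
            self.cache.move_to_end(cert_id)  # keep frequently visited sites resident
            return hit[0]
        self.cache.pop(cert_id, None)  # expired or absent
        return None

    def _store(self, cert_id: str, status: str) -> None:
        self.cache[cert_id] = (status, self.clock() + self.ttl_s)
        self.cache.move_to_end(cert_id)
        while len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)  # evict the least recently used response

    def validate(self, cert_id: str, strict: bool) -> str:
        """Return 'valid' or 'invalid'.

        strict=False: loose policy, a missing response leaves the certificate chain intact.
        strict=True: "If a certificate cannot be validated, the certificate is considered
        invalid", a missing response is treated like a revocation.
        """
        status = self._cached(cert_id)
        if status is None:
            try:
                self.lookups += 1
                status = self.fetch(cert_id)
            except OcspTimeout:
                return "invalid" if strict else "valid"  # no response is never cached
            self._store(cert_id, status)
        return "invalid" if status == "revoked" else "valid"
```

The `lookups` counter shows which requests paid the responder round trip: cache hits cost nothing, while timeouts are retried on every connection because no response was received to cache.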

Perfect Forward Secrecy Ciphers

The HTTPS proxy supports PFS-capable ciphers for TLS connections. Fireware supports only Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) ciphers for PFS.

To control whether the Firebox uses PFS-capable ciphers, choose one of these options:

  • None — The Firebox does not advertise or select PFS-capable ciphers.
  • Allowed — The Firebox advertises and selects both PFS-capable and non-PFS-capable ciphers.
  • Required — The Firebox advertises and selects only PFS-capable ciphers.

The setting you select applies to both client-side and server-side TLS connections. When this option is set to Allowed, the client side does not use a PFS cipher unless the server also uses one.

Perfect Forward Secrecy Ciphers require significant resources and can impact system performance on Firebox T10, T15, T30, T35, T50, XTM 25, XTM 26, and XTM 33 devices. In Fireware v11.12.1, you cannot enable PFS ciphers for these models.

The cipher name used for client/server TLS sessions appears in the HTTPS content inspection traffic log messages generated by the Firebox. For more information about log messages, see Types of Log Messages.

Google Apps Allowed Domains

You can use the HTTPS proxy (with content inspection enabled) to block user access to personal Google services. For more information, see Restrict Google Apps to Allowed Domains.

Manage Content Inspection Exceptions

When you enable content inspection in a proxy action, the Content Inspection Exceptions list is enabled by default. If you do not want to allow connections to the domains in the exception list, you can disable the entire exception list or disable specific exceptions.

Content Inspection Exceptions are supported in Fireware v12.1 and higher.

The Content Inspection Exceptions list includes domains for services that are known to be incompatible with content inspection. The Manage Content Inspection Exceptions list is created and maintained by WatchGuard. You can enable or disable the predefined exceptions, but you cannot add or remove exceptions. For more information about the default exceptions, see the Knowledge Base article, Which applications are on the default exception list in an HTTPS proxy action?

  • The HTTPS proxy does not perform content inspection for a domain when the content inspection exception is enabled.
  • Content inspection exceptions are shared by all HTTPS proxy actions that have predefined content inspection exceptions enabled.

Domain name rules have higher precedence than any match in the Content Inspection Exceptions list. If a domain name rule matches, the action from that rule is always applied. If there are other domains you do not want the proxy to inspect, you can configure domain name rules to bypass inspection. For more information about domain name rules, see HTTPS-Proxy: Domain Name Rules.
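The decision order described on this page (domain name rules, then enabled predefined exceptions, then the WebBlocker categories selected for inspection), as an added Python model that is not WatchGuard code. The `*.suffix` wildcard syntax, first-match ordering of domain rules, and all domains in the sample configuration are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class DomainRule:
    pattern: str  # exact host, or "*.suffix" (assumed wildcard syntax)
    action: str   # "Inspect", "Allow" or "Deny"


@dataclass
class HttpsClientProxyAction:
    domain_rules: List[DomainRule]
    exceptions: Dict[str, bool] = field(default_factory=dict)  # predefined domain -> enabled?
    exceptions_enabled: bool = True                            # the whole exception list on/off
    inspect_categories: Set[str] = field(default_factory=set)  # WebBlocker categories to inspect
    inspect_uncategorized: bool = False                        # "Inspect when a URL is uncategorized"


def _host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern


def decide(pa: HttpsClientProxyAction, host: str, category: Optional[str]) -> str:
    """Return the proxy's verdict for one HTTPS request.
    'Inspect' = decrypt and hand to the HTTP proxy action; 'Allow' = pass through encrypted."""
    # 1. Domain name rules win over any exception-list match (first match in list order, assumed).
    for rule in pa.domain_rules:
        if _host_matches(rule.pattern, host):
            return rule.action
    # 2. An enabled predefined exception bypasses inspection entirely.
    if pa.exceptions_enabled and pa.exceptions.get(host, False):
        return "Allow"
    # 3. Otherwise only the WebBlocker categories selected for inspection are decrypted.
    if category is None:
        return "Inspect" if pa.inspect_uncategorized else "Allow"
    return "Inspect" if category in pa.inspect_categories else "Allow"


def build_sample_action() -> HttpsClientProxyAction:
    """Constructed sample configuration; the domains are placeholders, not a real exception list."""
    return HttpsClientProxyAction(
        domain_rules=[
            DomainRule("*.example-bank.test", "Allow"),
            DomainRule("updates.example-vendor.test", "Inspect"),
        ],
        exceptions={
            "updates.example-vendor.test": True,  # overridden by the Inspect domain rule above
            "sync.example-app.test": True,
            "meet.example-app.test": False,       # administrator disabled this exception
        },
        inspect_categories={"Shopping", "Social Networking"},
        inspect_uncategorized=True,
    )
```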

To enable or disable predefined content inspection exceptions (content inspection must be enabled):

  1. In the HTTPS-Proxy action, select Content Inspection.
    The Content Inspection Summary section shows the current Content Inspection configuration settings.

Content Inspection Summary for an HTTPS client proxy action in Fireware Web UI

  2. In the Content Inspection Summary section, click Manage Exceptions.
    The Manage Content Inspection Exceptions dialog box appears.

Manage Content Inspection Exceptions dialog box for an HTTPS client proxy action in Fireware Web UI

Manage Content Inspection Exceptions dialog box for an HTTPS client proxy action in Policy Manager

  3. Search for a domain or select a display option:
    • Show all domain names
    • Show only enabled domain names
    • Show only disabled domain names
  4. Select one or several domains.
  5. From the Select Action drop-down list, choose Enable or Disable.
  6. Click Save.

See Also

About Proxy Policies and ALGs

About the HTTPS-Proxy
