About the HTTP-Proxy

Hypertext Transfer Protocol (HTTP) is a request/response protocol between clients and servers. The HTTP client is usually a web browser. The HTTP server is a remote resource that stores HTML files, images, and other content. When the HTTP client starts a request, it establishes a TCP (Transmission Control Protocol) connection on Port 80. An HTTP server listens for requests on Port 80. When it receives the request from the client, the server replies with the requested file, an error message, or some other information.

The HTTP-proxy is a high-performance content filter. It examines Web traffic to identify suspicious content that can be a virus or other type of intrusion. It can also protect your HTTP server from attacks. WatchGuard recommends you use HTTP Proxy policies for any HTTP traffic between your network and external hosts.

With an HTTP-proxy filter, you can:

  • Adjust timeout and length limits of HTTP requests and responses to prevent poor network performance and to help stop several types of attack.
  • Customize the deny message that users see when they try to connect to a website blocked by the HTTP-proxy.
  • Filter web content MIME types.
  • Block specified path patterns and URLs.
  • Deny cookies from specified websites.

You can also use the HTTP-proxy with the WebBlocker security subscription. For more information, go to About WebBlocker.

The TCP/UDP proxy is available for protocols on non-standard ports. When HTTP uses a port other than Port 80, the TCP/UDP proxy sends the traffic to the HTTP-proxy. For more information on the TCP/UDP proxy, go to About the TCP-UDP-Proxy.

To add the HTTP-proxy to your Firebox configuration, see Add a Proxy Policy to Your Configuration.

Which Proxy Action To Use

When you configure a proxy policy, you must select a proxy action appropriate to the policy. For a proxy policy that allows connections from your internal clients to the internet, use the Client proxy action. For a proxy policy that allows connections to your internal servers from the internet, use the Server proxy action.

Predefined proxy actions with Standard appended to the proxy action name include recommended standard settings that reflect the latest Internet network traffic trends.

In Fireware v11.12 and higher, the Web Setup Wizard and WSM Quick Setup Wizard automatically add an HTTP-proxy policy that uses the Default-HTTP-Client proxy action. The Default-HTTP-Client proxy action is based on the HTTP-Client.Standard proxy action and enables subscription services that were licensed in the feature key when the setup wizard was run. If you add a new HTTP-proxy policy, the Default-HTTP-Client proxy action could be a better choice than the HTTP-Client.Standard proxy action. For more information about the Default-HTTP-Client proxy action, go to Setup Wizard Default Policies and Settings.

About Content Actions

In the HTTP proxy, you can select an HTTP content action instead of a proxy action. A content action enables the Firebox to route inbound HTTP requests to different internal web servers and use different HTTP server proxy actions based on the content of the HTTP host header. Use a content action instead of an HTTP server proxy action when you want to reduce the number of public IP addresses required for connections to public web servers behind the Firebox. For more information, go to About Content Actions.

For an example of how to configure an HTTP proxy policy with an HTTP content action, go to Example — HTTP Proxy with an HTTP Content Action.
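
To illustrate the routing decision described in this section, the following added example (not WatchGuard code or Firebox configuration) models in Python how a request can be mapped to an internal web server and a server proxy action from its Host header. The host patterns, internal addresses, and action names are constructed placeholders, and denying requests with a missing, repeated, or unmatched Host header is an assumption of this example.

```python
"""Conceptual model of Host-header routing (not Firebox code or configuration)."""
from fnmatch import fnmatchcase

# Constructed rules: (host pattern, internal server, proxy action name).
# All names and addresses are hypothetical placeholders.
RULES = [
    ("www.example.com", "10.0.1.10:80", "server-action-www"),
    ("*.shop.example.com", "10.0.1.20:80", "server-action-shop"),
]
DEFAULT = None  # assumption: no default route, so unmatched hosts are denied


def extract_host(raw_request: bytes):
    """Return the lowercased Host value without its port, or None if unusable."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")[1:]  # skip the request line
    hosts = [line.split(":", 1)[1].strip() for line in lines
             if ":" in line and line.split(":", 1)[0].lower() == "host"]
    # A missing or repeated Host header is ambiguous, so refuse to route on it.
    if len(hosts) != 1 or not hosts[0]:
        return None
    host = hosts[0].lower()
    if host.startswith("["):  # bracketed IPv6 literal, optional port after "]"
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def route(raw_request: bytes):
    """Pick (internal server, proxy action) for a request, or None to deny."""
    host = extract_host(raw_request)
    if host is None:
        return DEFAULT
    for pattern, server, action in RULES:
        if fnmatchcase(host, pattern):
            return server, action
    return DEFAULT
```

Because both host names resolve to the same public IP address, only the Host header distinguishes them, which is why this model refuses to route on an ambiguous or absent value.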

Configure an HTTP Proxy Action

Related Topics

About Proxy Policies and ALGs