HTTP Request: General Settings
In the HTTP Proxy Action HTTP Request General Settings configuration, you can set basic HTTP parameters, such as idle time out and URL length.
- Select Firewall > Proxy Actions.
The Proxy Action page opens.
- Select the proxy action to edit.
- Click Edit.
- Select Proxy Action > HTTP Request.
- Select Setup > Actions > Proxies.
The Proxy Action dialog box opens.
- Select the proxy action to edit.
- Click Edit.
- Select HTTP Request > General Settings.
HTTP Proxy Action HTTP Request General Settings configuration from Policy Manager
Set the connection idle timeout to
This option controls performance.
To close the TCP socket for the HTTP connection when no packets have passed through the TCP socket in the amount of time you specify, select the Set the connection idle timeout to check box. In the adjacent text box, type or select the number of minutes before the proxy times out.
Because every open TCP session uses a small amount of memory on the Firebox, and browsers and servers do not always close HTTP sessions cleanly, we recommend that you keep this check box selected. This makes sure that stale TCP connections are closed and helps the Firebox save memory. You can lower the timeout to five minutes and not reduce performance standards.
Set the maximum URL path length to
To set the maximum number of characters allowed in a URL, select the Set the maximum URL path link to check box.
In this area of the proxy, URL includes anything in the web address after the top-level-domain. This includes the slash character but not the host name (www.myexample.com or myexample.com). For example, the URL www.myexample.com/products counts nine characters toward this limit because /products has nine characters.
The default value of 4096 is usually enough for any URL requested by a computer behind your Firebox. A URL that is very long can indicate an attempt to compromise a web server. The minimum length is 15 bytes. We recommend that you keep this setting enabled with the default settings. This helps protect against infected web clients on the networks that the HTTP-proxy protects.
Allow range requests through unmodified
To allow range requests through the Firebox, select this check box. Range requests allow a client to request subsets of the bytes in a web resource instead of the full content. For example, if you want only some sections of a large Adobe file but not the whole file, the download occurs more quickly and prevents the download of unnecessary pages if you can request only what you need.
Range requests introduce security risks. Malicious content can hide anywhere in a file and a range request makes it possible for any content to be split across range boundaries. The proxy can fail to see a pattern it is looking for when the file spans two GET operations.
We recommend that you do not select this check box if the rules you add in the Body Content Types section of the proxy are designed to identify byte signatures deep in a file, instead of just in the file header.
To add a traffic log message when the proxy takes the action indicated in the check box for range requests, select the Log this action check box.
SafeSearch is a feature included in web browser search engines that enables users to specify what level of potentially inappropriate content can be returned in search results.
To enable SafeSearch in the HTTP-Client proxy action, select the Enforce SafeSearch check box. When you enable SafeSearch, the strictest level of SafeSearch rules are enforced regardless of the settings configured in the client web browser search engines.
To enforce SafeSearch for some sites that require HTTPS connections (such as Google and YouTube), you must use an HTTPS Proxy policy with content inspection enabled. To enable SafeSearch for decrypted HTTPS content, in the proxy action for the HTTPS-Client Proxy policy, select an HTTP-Client proxy action with SafeSearch enabled. For more information on HTTPS and content inspection, see HTTPS-Proxy: Content Inspection.
When SafeSearch is enabled, you can select the level of enforcement used to restrict which videos are viewable by users on YouTube. YouTube offers two content restriction levels — Moderate and Strict.
From the SafeSearch enforcement level for YouTube drop-down list, select the content restriction level to use. YouTube uses an algorithm to decide which videos to restrict.
SafeSearch uses the HTTP header request YouTube-Restrict: Strict or YouTube-Restrict: Moderate to set the YouTube content restriction level in the browser when users connect to these YouTube domains:
The SafeSearch enforcement level for YouTube is available in Fireware OS v12.2.1 and higher.
Enable logging for reports
To create a traffic log message for each transaction, select this check box. This option creates a large log file, but this information can be very important if your firewall is attacked. If you do not select this check box, you do not see detailed information about HTTP-proxy connections in reports.
To generate log messages for both Web Audit and WebBlocker reports, you must select this option. For more information about how to generate reports for the log messages from your device, see Configure Report Generation Settings.
If you use Active Directory authentication, make sure your Firebox device is configured to use Single Sign-On. This enables you to create reports based on the authenticated user names. To learn more about authentication with Single Sign-On, see How Active Directory SSO Works.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy polices that use this proxy action, select this check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a log level:
The log level you select overrides the diagnostic log level that is configured for all log messages of this proxy policy type.
For more information about the diagnostic log level, see Set the Diagnostic Log Level.
Enforce Safe Search (Video)