HTTPS-Proxy: Content Inspection

When content inspection is enabled, the Firebox can decrypt HTTPS traffic, examine the content, then encrypt the traffic again with a new certificate. The HTTPS-proxy decrypts content for requests that match domain name rules configured with the Inspect action and for WebBlocker categories you select to inspect.

The available content inspection settings depend on whether the HTTPS proxy action is for outbound or inbound HTTPS requests.

HTTPS client proxy action

An HTTPS client proxy action specifies settings for inspection of outbound HTTPS requests. When you select the Inspect action in an HTTPS client proxy action, you select the HTTP client proxy action the HTTPS proxy uses to examine the content.

HTTPS server proxy action

An HTTPS server proxy action specifies settings for inspection and routing of inbound HTTPS requests to an internal web server. When you select the Inspect action for a domain name rule in an HTTPS server proxy action, you select the HTTP proxy action or HTTP content action the HTTPS proxy uses to examine the content.

In Fireware v12.2 and higher, you can also choose to use the default Proxy Server certificate or a different Proxy Server certificate for each domain name rule. This enables you to host several different public-facing web servers and domains behind one Firebox and allow different domains to use different certificates for inbound HTTPS traffic. For more information, see Use Certificates with Outbound HTTPS Proxy Content Inspection.

An HTTP content action enables the Firebox to route inbound HTTP requests to different internal web servers based on the content of the HTTP host header and the path in the HTTP request. For an example of how to configure content inspection with an HTTP content action, see Example: HTTPS Proxy Action with an HTTP Content Action.

Enable Content Inspection in the HTTPS Proxy Action

In Fireware v12.1.1 and higher, you configure the HTTPS content inspection settings in a TLS profile that is used by the HTTPS proxy action. By default, the HTTPS proxy action uses a predefined TLS profile. You can edit the TLS profile settings in the proxy action, or from the TLS Profiles page.

To enable content inspection in the HTTPS-proxy, select the Inspect action in the Domain Name or WebBlocker settings. The HTTPS-proxy uses the settings in the TLS profile for content inspection.

When you enable content inspection in the HTTPS-proxy, you can block user access to personal Google services. For more information, see Restrict Google Apps to Allowed Domains.

About HTTPS Content Inspection in Fireware v12.1 or Lower

In Fireware v12.1 and lower, you configure content inspection settings in the HTTPS proxy action settings instead of in a TLS profile. You must also select a check box to enable content inspection before you can select the Inspect action.

If you use Policy Manager v12.1.1 or higher to manage a Firebox that runs a version of Fireware that does not support TLS profiles for the HTTPS proxy, you configure the content inspection settings in a TLS profile in Policy Manager. When you save the configuration to the Firebox, or save the configuration to a file for a specific Fireware version, Policy Manager automatically changes the configuration to be compatible with the lower version of Fireware.

Manage Content Inspection Exceptions

When you enable content inspection in an HTTPS proxy action, the Content Inspection Exceptions list is enabled by default. If you do not want to allow connections to the domains in the exception list, you can disable the entire exception list, or disable specific exceptions.

Content Inspection Exceptions are supported in Fireware v12.1 and higher.

The Content Inspection Exceptions list includes domains for services that are known to be incompatible with content inspection. The Content Inspection Exceptions list is created and maintained by WatchGuard. You can enable or disable the predefined exceptions. You cannot add or remove exceptions. For more information about default exceptions, see the Knowledge Base article Which applications are on the default exception list in an HTTPS proxy action?

  • The HTTPS-proxy does not perform content inspection for a domain when the content inspection exception is enabled.
  • Content inspection exceptions are shared by all HTTPS proxy actions that have predefined content inspection exceptions enabled.

Domain name rules have higher precedence than any match in the Content Inspection Exceptions list. If a domain name rule is matched, the action from that rule will always be applied. If there are other domains you do not want the proxy to inspect, you can configure domain name rules to bypass inspection. For more information about domain name rules, see HTTPS-Proxy: Domain Name Rules.

To enable or disable predefined content inspection exceptions, content inspection must be enabled in the Domain Name Rules or WebBlocker settings in the proxy action.

In Fireware v12.7 and higher, you can use the Automatically Update HTTPS Exception List check box to specify whether to update the Content Inspection Exceptions list automatically when WatchGuard makes changes. By default, the check box is selected and the list updates automatically.
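The precedence this section describes (a matching domain name rule always wins; an enabled exception then bypasses inspection; otherwise the fallback decision, such as the WebBlocker category setting, applies) is easy to misjudge when auditing a proxy action. The following is an added example, not Fireware code or a WatchGuard API: a simplified model of that decision order with constructed rules and exception entries, so you can check which hosts would actually be inspected. Wildcard matching with fnmatch and the "default_action" fallback are assumptions of the model.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class DomainNameRule:
    pattern: str   # e.g. "*.bank.example"; rules are checked in order, first match wins
    action: str    # "Inspect", "Allow" or "Deny"


@dataclass
class InspectionException:
    domain: str    # entry in the WatchGuard-maintained exception list (constructed here)
    enabled: bool = True


def decide(host, rules, exceptions, list_enabled=True, default_action="Allow"):
    """Return (action, reason) for one HTTPS host.

    Precedence modelled from the documentation:
      1. a matching domain name rule applies regardless of the exception list;
      2. an enabled content inspection exception (if the list itself is enabled)
         lets the connection through without inspection;
      3. otherwise the fallback decision (e.g. WebBlocker category) applies.
    """
    host = host.lower().rstrip(".")
    for rule in rules:
        if fnmatch(host, rule.pattern.lower()):
            return rule.action, f"domain name rule {rule.pattern}"
    if list_enabled:
        for exc in exceptions:
            if exc.enabled and (host == exc.domain or host.endswith("." + exc.domain)):
                return "Allow", f"content inspection exception {exc.domain}"
    return default_action, "default action"


# Constructed sample configuration for a walkthrough.
RULES = [
    DomainNameRule("*.bank.example", "Inspect"),
    DomainNameRule("updates.example", "Allow"),
]
EXCEPTIONS = [
    InspectionException("bank.example"),             # predefined, enabled
    InspectionException("cdn.example", enabled=False),  # predefined, disabled by admin
]

if __name__ == "__main__":
    for h in ("login.bank.example", "bank.example", "cdn.example", "other.example"):
        print(h, "->", decide(h, RULES, EXCEPTIONS, default_action="Inspect"))
```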

Related Topics

About Proxy Policies and ALGs

About the HTTPS-Proxy

Use Certificates with Outbound HTTPS Proxy Content Inspection