HTTPS-Proxy: Content Inspection
When content inspection is enabled, the Firebox can decrypt HTTPS traffic, examine the content, then encrypt the traffic again with a new certificate. The HTTPS-proxy decrypts content for requests that match domain name rules configured with the Inspect action and for the WebBlocker categories you select to inspect.
The available content inspection settings depend on whether the HTTPS proxy action is for outbound or inbound HTTPS requests.
HTTPS client proxy action
An HTTPS client proxy action specifies settings for inspection of outbound HTTPS requests. When you select the Inspect action in an HTTPS client proxy action, you select the HTTP client proxy action the HTTPS proxy uses to examine the content.
HTTPS server proxy action
An HTTPS server proxy action specifies settings for inspection and routing of inbound HTTPS requests to an internal web server. When you select the Inspect action for a domain name rule in an HTTPS server proxy action, you select the HTTP proxy action or HTTP content action the HTTPS proxy uses to examine the content.
In Fireware v12.2 and higher, you can also choose to use the default Proxy Server certificate or a different Proxy Server certificate for each domain name rule. This enables you to host several different public-facing web servers and domains behind one Firebox and allow different domains to use different certificates for inbound HTTPS traffic. For more information, see Use Certificates with Outbound HTTPS Proxy Content Inspection.
An HTTP content action enables the Firebox to route inbound HTTP requests to different internal web servers based on the content of the HTTP host header and the path in the HTTP request. For an example of how to configure content inspection with an HTTP content action, see Example: HTTPS Proxy Action with an HTTP Content Action.
Enable Content Inspection in the HTTPS Proxy Action
To enable content inspection in the HTTPS-proxy, select the Inspect action in the Domain Name or WebBlocker settings. The HTTPS-proxy uses the settings in the TLS profile for content inspection.

- Edit the HTTPS proxy action used by your HTTPS-proxy policy.
The Content Inspection tab is selected by default.
- From the TLS Profile drop-down list, select the TLS profile to use.
The settings for the selected profile show in the Content Inspection Summary.
  - Minimum Protocol Version — Shows the minimum protocol version allowed
  - OCSP — Shows whether OCSP is set to Disabled, Lenient, or Strict
  - PFS Ciphers — Shows whether Perfect Forward Secrecy Ciphers is set to Allowed, Required, or None
  - TLS Compliance — Shows whether TLS Compliance is enforced
- To edit the TLS profile, click Edit. Predefined TLS profiles are not editable. To edit a predefined TLS profile, you must first click Clone to make an editable copy.
- Configure the TLS Profile settings as required for your network. For more information, see Configure TLS Profiles.
- To enable content inspection, select the Inspect action in the domain name rules or WebBlocker settings. For more information, see HTTPS-Proxy: Domain Name Rules, and HTTPS-Proxy: WebBlocker.

- Edit the HTTPS proxy action used by your HTTPS-proxy policy.
- In the Categories list, select Content Inspection.
The Content Inspection settings appear.
- From the TLS Profile drop-down list, select the TLS profile to use.
The settings for the selected profile show in the Content Inspection Summary.
  - Minimum Protocol Version — Shows the minimum protocol version allowed
  - OCSP — Shows whether OCSP is set to Disabled, Lenient, or Strict
  - PFS Ciphers — Shows whether PFS Ciphers is set to Allowed, Required, or None
  - TLS Compliance — Shows whether TLS Compliance is enforced
- To edit the TLS profile, click Edit. Predefined TLS profiles are not editable. To edit a predefined TLS profile, you must first click Clone to make an editable copy.
- Configure the TLS Profile settings as required for your network. For more information, see Configure TLS Profiles.
- To enable content inspection, select the Inspect action in the domain name rules or WebBlocker settings. For more information, see HTTPS-Proxy: Domain Name Rules and HTTPS-Proxy: WebBlocker.
When you enable content inspection in the HTTPS-proxy you can block user access to personal Google services. For more information, see Restrict Google Apps to Allowed Domains.
About HTTPS Content Inspection in Fireware v12.1 or Lower
In Fireware v12.1 and lower, you configure content inspection settings in the HTTPS proxy action settings instead of in a TLS profile. You must also select a check box to enable content inspection before you can select the Inspect action.
If you use Policy Manager v12.1.1 or higher to manage a Firebox that runs a version of Fireware that does not support TLS profiles for the HTTPS proxy, you configure the content inspection settings in a TLS profile in Policy Manager. When you save the configuration to the Firebox, or save the configuration to a file for a specific Fireware version, Policy Manager automatically changes the configuration to be compatible with the lower version of Fireware.

- In the HTTPS proxy action, select Content Inspection.
The Content Inspection Summary section shows the current Content Inspection configuration settings.
- In the Content Inspection Summary section, click Edit.
The Content Inspection Settings dialog box appears.
Content Inspection Settings dialog box for an HTTPS client proxy action in Fireware Web UI
Content Inspection Settings dialog box in Policy Manager
- Configure the content inspection settings described in the next section.
- Add domain name rules with the Inspect action. For more information, see HTTPS-Proxy: Domain Name Rules.
- Save the configuration to the Firebox.

In Fireware v12.1 and lower, you can configure these content inspection settings in the proxy action, instead of in a TLS profile:
Allow only SSL compliant traffic
When you select this option, the HTTPS proxy policy allows only traffic that is compliant with the SSL V3, TLS 1.0, TLS 1.1, and TLS 1.2 protocols.
SSL compliant traffic refers to SSL protocol messages that adhere to SSL/TLS standards that are considered secure and can be interpreted by the HTTPS proxy. This option is automatically enabled when you enable content inspection. If content inspection is not enabled, you can allow non-compliant SSL protocol traffic (used by some VPN software and other applications) so that the HTTPS proxy can send that traffic over port 443 through the Firebox.
When content inspection is enabled and SSL compliant traffic establishes a secure tunnel through the HTTPS proxy, if the tunneled traffic does not use a valid HTTP protocol, the HTTP proxy action used for inspection prompts the Firebox to send a log message about the errors and drop the traffic.
Enable Content Inspection
When you select the Enable Content Inspection check box, the Firebox can decrypt HTTPS traffic, examine the content, then encrypt the traffic again with a new certificate. After you enable content inspection, configure domain name rules and WebBlocker categories for the proxy to inspect. The HTTPS-proxy uses the HTTP proxy action you select for each Inspect action to examine the content.
When you enable content inspection, website appearance might be affected because the HTTP-proxy will enforce features such as maximum header-line length and apply Gateway AntiVirus and WebBlocker to page elements.
To specify which domains and WebBlocker categories this HTTPS proxy action inspects:
- In the Domain Names list in the HTTPS proxy action, add a domain with the Inspect action.
For more information, see HTTPS-Proxy: Domain Name Rules.
- In the WebBlocker settings in an HTTPS client proxy action, edit the WebBlocker action. In the WebBlocker categories list, select the WebBlocker content categories to inspect, or select the Inspect when a URL is uncategorized check box.
For more information, see HTTPS-Proxy: WebBlocker.
By default, the Proxy Authority CA certificate the HTTPS proxy uses to encrypt the traffic is generated automatically by your Firebox. When you use this certificate, your users receive a warning in their browsers because it is an untrusted self-signed certificate. To prevent these warnings, you can import this certificate on each client device.
You can also upload your own certificate to use for this purpose. If you choose to upload your own certificate, we recommend you use your own internal CA to sign the certificate. If your users are on your domain, and you use a certificate signed by your own internal CA, users can connect successfully without browser warnings.
A client can download and install the Proxy Authority certificate from the Certificate Portal on the Firebox at http://<Firebox IP address>:4126/certportal. For more information, see Certificate Portal.
When you enable content inspection, automatic trusted CA certificate updates on the Firebox are enabled, if they were not already enabled.
For information about how to use certificates with content inspection, see Use Certificates with Outbound HTTPS Proxy Content Inspection.
For information about how to export a certificate from a Firebox, see Export a Certificate from Your Firebox.
For information about how to import a certificate on a client device, see Import a Certificate on a Client Device.
If the original website or your web server has a self-signed or invalid certificate, or if the certificate was signed by a CA the Firebox does not recognize (such as a public, third-party CA), clients see a certificate warning in their web browsers. Certificates that cannot be correctly re-signed appear to be issued by Fireware HTTPS-proxy: Unrecognized Certificate or Invalid Certificate.
Some third-party programs keep private copies of necessary certificates and do not use the operating system certificate store, or transmit other types of data over TCP port 443. These programs include:
- Communications software (for example, Google Voice)
- Remote desktop and presentation software (for example, LiveMeeting and WebEx)
- Financial and business software (for example, iVantage, FedEx, and UPS)
If these programs do not have a method to import trusted CA certificates, they do not operate correctly when content inspection is enabled. For more information about certificate use or technical support, contact your software vendor, or add domain rules with the Allow action for IP addresses of computers with this software to bypass content inspection.
Allow SSLv3
TLSv1 and SSLv3 are protocols used for HTTPS connections. SSLv3 is not as secure as TLSv1. By default, the HTTPS proxy only allows connections that negotiate the TLSv1 protocol. If your users connect to client or server applications that only support SSLv3, you can configure the HTTPS-proxy to use SSLv3 for connections to these websites.
To enable SSLv3, select the Allow SSLv3 check box. This option is disabled by default.
Use OCSP to validate certificates
This option applies only to HTTPS client proxy actions. HTTPS server proxy actions do not validate certificates.
Select this check box to enable your Firebox to automatically check for certificate revocations with OCSP (Online Certificate Status Protocol). When this feature is enabled, your Firebox uses information in the certificate to contact an OCSP server that keeps a record of the certificate status. If the OCSP server responds that the certificate has been revoked, your Firebox disables the certificate.
If you select this option, there can be a delay of several seconds while your Firebox requests a response from the OCSP server. The Firebox retains between 300 and 3000 OCSP responses in a cache to improve performance for frequently visited websites. The number of responses stored in the cache is determined by your Firebox model.
This option implements a loose OCSP policy. If the OCSP server cannot be contacted for any reason and does not send a response, the Firebox does not disable the certificate or break the certificate chain.
If a certificate cannot be validated, the certificate is considered invalid
When this option is enabled, the Firebox enforces a strict OCSP policy. If an OCSP responder does not send a response to a revocation status request, your Firebox considers the original certificate as invalid or revoked. This option can cause certificates to be considered invalid if there is a routing error or a problem with your network connection.
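The difference between the two OCSP options is what happens when the responder never answers. The following added example (not WatchGuard code; the cache capacity and the serial numbers are constructed values) models that decision together with a bounded response cache of the kind the page describes, so you can see why a strict policy rejects certificates during a routing or connectivity problem while the lenient policy keeps the chain intact.

```python
from collections import OrderedDict
from enum import Enum


class OcspMode(Enum):
    DISABLED = "disabled"   # "Use OCSP to validate certificates" not selected
    LENIENT = "lenient"     # "Use OCSP to validate certificates" selected
    STRICT = "strict"       # also "If a certificate cannot be validated, the certificate is considered invalid"


class OcspResult(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    NO_RESPONSE = "no_response"   # responder unreachable, timeout, routing error


class OcspCache:
    """Bounded cache of responder answers; the oldest entry is evicted first.
    The page says a Firebox keeps 300-3000 responses depending on model;
    the capacity used here is a constructed parameter, not a device value."""

    def __init__(self, capacity):
        self.capacity = capacity
        self._entries = OrderedDict()

    def get(self, serial):
        return self._entries.get(serial)

    def put(self, serial, result):
        if serial in self._entries:
            self._entries.move_to_end(serial)
        self._entries[serial] = result
        if len(self._entries) > self.capacity:
            self._entries.popitem(last=False)


def certificate_accepted(mode, result):
    """Apply the page's OCSP policies to one responder outcome."""
    if mode is OcspMode.DISABLED:
        return True
    if result is OcspResult.REVOKED:
        return False
    if result is OcspResult.NO_RESPONSE:
        # Lenient: soft-fail, the certificate is not disabled and the chain is kept.
        # Strict: hard-fail, the certificate is treated as invalid or revoked.
        return mode is OcspMode.LENIENT
    return True


def check_certificate(mode, serial, query_responder, cache):
    """Consult the cache first so repeat visits avoid the responder round trip.
    Only definitive answers (good/revoked) are cached; a missing response is not,
    so the next visit retries the responder."""
    if mode is OcspMode.DISABLED:
        return True
    result = cache.get(serial)
    if result is None:
        result = query_responder(serial)
        if result is not OcspResult.NO_RESPONSE:
            cache.put(serial, result)
    return certificate_accepted(mode, result)


def demo():
    """Constructed scenario: a responder that answers once, then becomes unreachable."""
    calls = []

    def flaky_responder(serial):
        calls.append(serial)
        return OcspResult.GOOD if len(calls) == 1 else OcspResult.NO_RESPONSE

    cache = OcspCache(capacity=2)
    first = check_certificate(OcspMode.STRICT, "serial-A", flaky_responder, cache)    # GOOD, cached
    second = check_certificate(OcspMode.STRICT, "serial-A", flaky_responder, cache)   # served from cache
    lenient = check_certificate(OcspMode.LENIENT, "serial-B", flaky_responder, cache) # responder down: accepted
    strict = check_certificate(OcspMode.STRICT, "serial-C", flaky_responder, cache)   # responder down: rejected
    return {
        "first": first,
        "second": second,
        "responder_calls": len(calls),
        "lenient_unreachable": lenient,
        "strict_unreachable": strict,
    }


if __name__ == "__main__":
    print(demo())
```

The scenario in `demo()` is the one to keep in mind when choosing the strict option: the same outage that the lenient policy tolerates produces a hard failure for every certificate that is not already in the cache.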
Perfect Forward Secrecy Ciphers
The HTTPS-proxy supports PFS-capable ciphers for TLS connections. Fireware supports only Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) ciphers for PFS.
To control whether the Firebox uses PFS-capable ciphers, choose one of these options:
- None — The Firebox does not advertise or select PFS-capable ciphers.
- Allowed — The Firebox advertises and selects both PFS-capable and non-PFS-capable ciphers.
- Required — The Firebox advertises and selects only PFS-capable ciphers.
The setting you select applies to both client-side and server-side TLS connections. When this option is set to Allowed, the client does not use a PFS cipher unless the server also uses one.
Perfect Forward Secrecy Ciphers require significant resources and can impact system performance on Firebox NV5, T10, T15, T30, T35, and T50 devices. In Fireware v11.12.1, you cannot enable PFS ciphers for these models.
The cipher name used for client/server TLS sessions appears in the HTTPS content inspection traffic log messages generated by the Firebox. For more information about log messages, see Types of Log Messages.
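To make the three PFS settings concrete, here is an added example (not Firebox code) that builds the advertised cipher list for each setting and simulates the server's choice. It assumes server-preference ordering and uses a constructed set of ECDHE and RSA-key-exchange cipher names; the point it shows is that Allowed only yields a PFS cipher when the server prefers one, while Required fails the handshake against a server with no ECDHE cipher at all.

```python
# Constructed cipher names: ECDHE-* provide forward secrecy, the others use RSA key exchange.
PFS_CIPHERS = ("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256")
NON_PFS_CIPHERS = ("AES256-GCM-SHA384", "AES128-GCM-SHA256")

PFS_MODES = ("None", "Allowed", "Required")


def is_pfs(cipher):
    """Fireware supports only ECDHE ciphers for PFS, so that prefix is the test."""
    return cipher.startswith("ECDHE-")


def advertised_ciphers(mode):
    """Cipher list the proxy offers (as a client) or accepts (as a server) for each setting."""
    if mode == "None":
        return list(NON_PFS_CIPHERS)
    if mode == "Allowed":
        return list(PFS_CIPHERS) + list(NON_PFS_CIPHERS)
    if mode == "Required":
        return list(PFS_CIPHERS)
    raise ValueError(f"unknown PFS setting {mode!r}; expected one of {PFS_MODES}")


def negotiate(mode, server_preference):
    """Assumed server-preference negotiation: the server picks the first cipher in its
    own ordered list that the proxy offered. Returns None when there is no common cipher,
    which is a failed handshake."""
    offered = set(advertised_ciphers(mode))
    for cipher in server_preference:
        if cipher in offered:
            return cipher
    return None


def negotiation_report(server_preference):
    """Outcome per setting against one server, to compare side by side."""
    return {mode: negotiate(mode, server_preference) for mode in PFS_MODES}


if __name__ == "__main__":
    # A server that prefers a non-PFS cipher but also supports ECDHE.
    print(negotiation_report(["AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384"]))
    # A server with no ECDHE cipher: Required cannot connect.
    print(negotiation_report(["AES128-GCM-SHA256"]))
```

The log message mentioned above carries the negotiated cipher name, so comparing it against the `ECDHE-` prefix is a quick way to confirm which sessions actually got forward secrecy under the Allowed setting.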
Google Apps Allowed Domains
You can use the HTTPS proxy (with content inspection enabled) to block user access to personal Google services. For more information, see Restrict Google Apps to Allowed Domains.
Manage Content Inspection Exceptions
When you enable content inspection in an HTTPS proxy action, the Content Inspection Exceptions list is enabled by default. If you do not want to allow connections to the domains in the exception list, you can disable the entire exception list or disable specific exceptions.
Content Inspection Exceptions are supported in Fireware v12.1 and higher.
The Content Inspection Exceptions list includes domains for services that are known to be incompatible with content inspection. The Manage Content Inspection Exceptions list is created and maintained by WatchGuard. You can enable or disable the predefined exceptions. You cannot add or remove exceptions. For more information about default exceptions, see the Knowledge Base article Which applications are on the default exception list in an HTTPS proxy action?
- The HTTPS-proxy does not perform content inspection for a domain when the content inspection exception is enabled.
- Content inspection exceptions are shared by all HTTPS proxy actions that have predefined content inspection exceptions enabled.
Domain name rules have higher precedence than any match in the Content Inspection Exceptions list. If a domain name rule is matched, the action from that rule will always be applied. If there are other domains you do not want the proxy to inspect, you can configure domain name rules to bypass inspection. For more information about domain name rules, see HTTPS-Proxy: Domain Name Rules.
To enable or disable predefined content inspection exceptions, content inspection must be enabled in the Domain Name Rules or WebBlocker settings in the proxy action.
In Fireware v12.7 and higher, you can use the Automatically Update HTTPS Exception List check box to specify whether to update the Content Inspection Exceptions list automatically when WatchGuard makes changes. By default, the check box is selected and the list updates automatically.
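The precedence described above (domain name rules first, then the predefined exception list, only if it is enabled and the individual exception is enabled) is easy to get wrong when troubleshooting why a site is or is not being inspected. The following added example (not WatchGuard code) implements that resolution order over a constructed rule set and a constructed exception list, which stands in for the real WatchGuard-maintained list. Two assumptions are labelled in the code: domain name rule patterns use `*` wildcards, and an exception entry covers the domain and its subdomains.

```python
from fnmatch import fnmatchcase

INSPECT, ALLOW, DENY = "Inspect", "Allow", "Deny"

# Constructed domain name rules, evaluated in order. Pattern syntax with "*" wildcards
# is an assumption for this example.
SAMPLE_RULES = [
    ("*.intranet.example", ALLOW),   # bypass inspection for internal hosts
    ("mail.example", INSPECT),       # explicit Inspect rule
]

# Constructed stand-in for the predefined exception list: domain -> enabled flag.
SAMPLE_EXCEPTIONS = {
    "mail.example": True,             # also covered by a domain name rule
    "updates.vendor.example": True,   # enabled exception
    "legacy.vendor.example": False,   # exception disabled by the administrator
}


def _covered_by_exception(entry, host):
    # Assumption: an exception entry covers the domain itself and its subdomains.
    return host == entry or host.endswith("." + entry)


def resolve_action(host, rules, exceptions, exceptions_enabled=True, default_action=INSPECT):
    """Return (action, reason) for one requested host.

    Order: domain name rules beat any exception; exceptions apply only when the whole
    list is enabled and the entry is enabled; otherwise the default applies. The page
    does not state the default for unmatched domains, so default_action is a parameter
    (the Inspect default here is a constructed assumption)."""
    host = host.lower().rstrip(".")
    for pattern, action in rules:
        if fnmatchcase(host, pattern.lower()):
            return action, f"domain name rule {pattern}"
    if exceptions_enabled:
        for entry, enabled in exceptions.items():
            if enabled and _covered_by_exception(entry, host):
                return ALLOW, f"predefined exception {entry}"
    return default_action, "default"


def explain(hosts, rules=SAMPLE_RULES, exceptions=SAMPLE_EXCEPTIONS, exceptions_enabled=True):
    """Resolve several hosts at once; handy when checking a change before saving it."""
    return {h: resolve_action(h, rules, exceptions, exceptions_enabled) for h in hosts}


if __name__ == "__main__":
    for host, (action, why) in explain([
        "mail.example",                # rule wins over the enabled exception
        "www.updates.vendor.example",  # enabled exception, matched as a subdomain
        "legacy.vendor.example",       # disabled exception: falls through to default
        "wiki.intranet.example",       # Allow rule bypasses inspection
    ]).items():
        print(f"{host:30} -> {action:8} ({why})")
```

Running `explain()` with `exceptions_enabled=False` reproduces the effect of clearing the Enable Predefined Content Inspection Exceptions check box: every host that was only covered by an exception drops to the default action, while hosts covered by a domain name rule are unaffected.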

- In the HTTPS proxy action, select Content Inspection.
The Content Inspection Summary section shows the current Content Inspection status and configuration settings.
- To disable all predefined content inspection exceptions, clear the Enable Predefined Content Inspection Exceptions check box.
- To specify whether to update the Content Inspection Exceptions list automatically, select or clear the Automatically Update HTTPS Exception List check box.
- To disable specific content inspection exceptions, below the Content Inspection Summary, click Manage Exceptions.
The Manage Content Inspection Exceptions dialog box opens.
- Search for a domain or select a display option:
  - Show all domain names
  - Show only enabled domain names
  - Show only disabled domain names
- Select one or more domains.
- From the Select Action drop-down list, select Enable or Disable.
- Click Save.

- In the HTTPS proxy action, select Content Inspection.
The Content Inspection Summary section shows the current content inspection status and configuration settings.
- To disable all predefined content inspection exceptions, clear the Enable Predefined Content Inspection Exceptions check box.
- To specify whether to update the Content Inspection Exceptions list automatically, select or clear the Automatically Update HTTPS Exception List check box.
- To disable specific content inspection exceptions, below the Content Inspection Summary, click Manage Exceptions.
The Manage Content Inspection Exceptions dialog box opens.
- Search for a domain or select a display option:
  - Show all domain names
  - Show only enabled domain names
  - Show only disabled domain names
- Select one or more domains.
- From the Select Action drop-down list, select Enable or Disable.
- Click Save.