Proxy tab


Keep original source IP address When a request is made by a web client (browser) to the server, the firewall will intercept it and check that the request complies with URL filter rules and then relays the request.
If this option is selected, the new request will use the original source IP address of the web client that sent the packet. Otherwise, the firewall’s address will be used.

URL Filtering ( Extended Web Control base only)

Action when classification of URL failed The choice is either Pass or Block. If a URL has not been listed in a URL category, this action will determine whether access to the site will be authorized.
Allow IP addresses in URLs An option allows authorizing or denying the use of IP addresses in the URL, meaning access to a website by its IP address instead of its domain name. Such a method may be an attempt to bypass URL filtering.

If the option has not been selected and the URL queried (containing an IP address) cannot be classified by the URL filtering system, its access will be blocked. However, this option has been designed to be applied after the evaluation of the filter.

As a result, internal servers that are contacted by their IP addresses will not be blocked if their access has been explicitly authorized in the filter policy (different from the pass all policy). Such access can be authorized via the firewall’s basic Network objects (RFC5735) or the “Private IP” group in the EWC URL database.

Regardless of whether the previous option has been selected, an IP address expressed differently from the format a.b.c.d will be systematically blocked.

HTTP protocol extensions

Allow WebDAV connections (reading and writing) WebDAV is a set of extensions to the HTTP protocol concerning the edition and collaborative management of documents. If this option has been selected, the WebDav protocol will be authorized in the Stormshield Network Firewall.
Allow TCP tunnels (CONNECT method) The CONNECT method allows building secure tunnels through proxy servers.
If this option has been selected, the CONNECT method will be authorized in the Stormshield Network Firewall.

TCP tunnels: List of allowed destination ports

In this zone, specify the types of service that can use the CONNECT method.

Destination port (service object) The Add button allows you to add services objects database.
To modify a service, select the line to be modified and make changes.
Use the Delete button to delete the selected service.

Advanced properties

Protection quality

Check URL encoding By selecting this option, the filter policy cannot be bypassed.

Traffic sent to the server

Add authenticated user to HTTP header If the external HTTP proxy requires user authentication, the administrator can select this option to send data regarding the user (collected by the firewall’s authentication module) to the external proxy.

Explicit proxy

The explicit proxy allows referencing the firewall’s proxy in a browser and sending HTTP requests directly to it.

Enable "Proxy-Authorization" (HTTP 407) 'authentication The browser will prompt the user to authenticate through a message window and the connection information will be relayed to the firewall via the HTTP header.

The "Proxy-Authorization" (HTTP 407) authentication method via the browser does not allow the SSL (certificates) and SPNEGO methods as they do not involve the authentication portal, even though it needs to be enabled.

For further information, refer to the help for the Authentication module, in the section “Transparent or explicit HTTP proxy and Multi-user networks”