Proxy tab

Connection

Keep original source IP address When a request is made by a web client (browser) to the server, the firewall will intercept it and check that the request complies with URL filter rules and then relays the request.
If this option is selected, the new request will use the original source IP address of the web client that sent the packet. Otherwise, the firewall’s address will be used.

Content inspection

Self-signed certificates These certificates are used internally and signed by your local server. They allow guaranteeing the security of your exchanges and authenticating users, among other functions.
This option determines the action to perform when you encounter self-signed certificates:
  • Delegate to user: this action raises a security alert in the client's web browser. The client will then decide whether to continue the connection to the server concerned. An alarm will be generated and the client's action will be recorded in the logs l_alarm file.
  • Continue analysis: these certificates are accepted without generating any security alerts in the client's web browser. Traffic goes through and is analyzed by the intrusion prevention engine.
  • Block: the firewall rejects these certificates and matching traffic is blocked.
Expired certificates Expired certificates have validity dates that have lapsed and are therefore not valid. To fix this problem, they must be renewed by a certification authority

WARNING
Expired certificates may pose a security risk. After the expiry of a certificate, the CA that issued it will no longer be responsible for it if it is used maliciously.


This option determines the action to perform when you encounter expired certificates:
  • Delegate to user: this action raises a security alert in the client's web browser. The client will then decide whether to continue the connection to the server concerned. An alarm will be generated and the client's action will be recorded in the logs l_alarm file.
  • Continue analysis: these certificates are accepted without generating any security alerts in the client's web browser. Traffic goes through and is analyzed by the intrusion prevention engine.
  • Block: the firewall rejects these certificates and matching traffic is blocked.
Unknown certificates This option will determine the action to perform when you encounter unknown certificates:
  • Delegate to user: this action raises a security alert in the client's web browser. The client will then decide whether to continue the connection to the server concerned. An alarm will be generated and the client's action will be recorded in the logs l_alarm file.
  • Do not decrypt: these certificates are accepted without generating any security alerts in the client's web browser. Traffic goes through without being analyzed by the intrusion prevention engine.
  • Block: the firewall rejects these certificates and matching traffic is blocked.

Wrong certificate type

This test validates the certificate’s type. A certificate is deemed compliant if it is used in the context defined by its signature. Therefore, a user certificate used by a server does not comply.

This option will determine the action to perform when you encounter non-compliant certificates:
  • Delegate to user: this action raises a security alert in the client's web browser. The client will then decide whether to continue the connection to the server concerned. An alarm will be generated and the client's action will be recorded in the logs l_alarm file.
  • Continue analysis: these certificates are accepted without generating any security alerts in the client's web browser. Traffic goes through and is analyzed by the intrusion prevention engine.
  • Block: the firewall rejects these certificates and matching traffic is blocked.

Certificate with incorrect FQDN

This option will determine the action to perform when certificates with an invalid domain name are encountered:
  • Delegate to user: this action raises a security alert in the client's web browser. The client will then decide whether to continue the connection to the server concerned. An alarm will be generated and the client's action will be recorded in the logs l_alarm file.
  • Continue analysis: these certificates are accepted without generating any security alerts in the client's web browser. Traffic goes through and is analyzed by the intrusion prevention engine.
  • Block: the firewall rejects these certificates and matching traffic is blocked.
When the FQDN of the certificate is different from the SSL domain name This option will determine the action to perform when you encounter certificates with domain names (FQDN) that are different from the expected SSL domain:
  • Delegate to user: this action raises a security alert in the client's web browser. The client will then decide whether to continue the connection to the server concerned. An alarm will be generated and the client's action will be recorded in the logs l_alarm file.
  • Continue analysis: these certificates are accepted without generating any security alerts in the client's web browser. Traffic goes through and is analyzed by the intrusion prevention engine.
  • Block: the firewall rejects these certificates and matching traffic is blocked.
Allow IP addresses in SSL domain names This option allows or denies access to a site based on its IP addresses instead of its SSL domain name.

Support

If decryption fails This option will determine the action to perform when decryption fails: you can choose to Block traffic or Pass without decrypting. Traffic will not be inspected if the second option is selected.
If classification of certificate fails The choice is either Pass without decrypting or Block. If a certificate has not been listed in a certificate category, this action will determine whether the traffic will be authorized.