Proxy tab
Connection
Keep original source IP address | When a request is made by a web client (browser) to the server, the firewall will intercept it and check that the request complies with URL filter rules and then relays the request. If this option is selected, the new request will use the original source IP address of the web client that sent the packet. Otherwise, the firewall’s address will be used. |
Content inspection
Self-signed certificates | These certificates are used internally and signed by your local server. They allow guaranteeing the security of your exchanges and authenticating users, among other functions. This option determines the action to perform when you encounter self-signed certificates:
|
Expired certificates | Expired certificates have validity dates that have lapsed and are therefore not valid. To fix this problem, they must be renewed by a certification authority WARNING This option determines the action to perform when you encounter expired certificates:
|
Unknown certificates | This option will determine the action to perform when you encounter unknown certificates:
|
Wrong certificate type |
This test validates the certificate’s type. A certificate is deemed compliant if it is used in the context defined by its signature. Therefore, a user certificate used by a server does not comply. This option will determine the action to perform when you encounter non-compliant certificates:
|
Certificate with incorrect FQDN |
This option will determine the action to perform when certificates with an invalid domain name are encountered:
|
When the FQDN of the certificate is different from the SSL domain name | This option will determine the action to perform when you encounter certificates with domain names (FQDN) that are different from the expected SSL domain:
|
Allow IP addresses in SSL domain names | This option allows or denies access to a site based on its IP addresses instead of its SSL domain name. |
Support
If decryption fails | This option will determine the action to perform when decryption fails: you can choose to Block traffic or Pass without decrypting. Traffic will not be inspected if the second option is selected. |
If classification of certificate fails | The choice is either Pass without decrypting or Block. If a certificate has not been listed in a certificate category, this action will determine whether the traffic will be authorized. |