Proxy tab

Connection

Keep original source IP address When a request is made by a web client (browser) to the server, the firewall will intercept it and check that the request complies with URL filter rules and then relays the request.
If this option is selected, the new request will use the original source IP address of the web client that sent the packet. Otherwise, the firewall’s address will be used.

Content inspection

Self-signed certificates These certificates are used internally and signed by your local server. They allow guaranteeing the security of your exchanges and authenticating users, among other functions.
This option determines the action to perform when you encounter self-signed certificates:
  • Delegate to user: this action raises a security alert in the client's web browser. The client will then decide whether to continue the connection to the server concerned. An alarm will be generated and the client's action will be recorded in the logs l_alarm file.
  • Continue analysis: these certificates are accepted without generating any security alerts in the client's web browser. Traffic goes through and is analyzed by the intrusion prevention engine.
  • Block: the firewall rejects these certificates and matching traffic is blocked.
Expired certificates Expired certificates have validity dates that have lapsed and are therefore not valid. To fix this problem, they must be renewed by a certification authority

WARNING
Expired certificates may pose a security risk. After the expiry of a certificate, the CA that issued it will no longer be responsible for it if it is used maliciously.


This option determines the action to perform when you encounter expired certificates:
  • Delegate to user: this action raises a security alert in the client's web browser. The client will then decide whether to continue the connection to the server concerned. An alarm will be generated and the client's action will be recorded in the logs l_alarm file.
  • Continue analysis: these certificates are accepted without generating any security alerts in the client's web browser. Traffic goes through and is analyzed by the intrusion prevention engine.
  • Block: the firewall rejects these certificates and matching traffic is blocked.
Unknown certificates This option will determine the action to perform when you encounter unknown certificates:
  • Delegate to user: this action raises a security alert in the client's web browser. The client will then decide whether to continue the connection to the server concerned. An alarm will be generated and the client's action will be recorded in the logs l_alarm file.
  • Do not decrypt: these certificates are accepted without generating any security alerts in the client's web browser. Traffic goes through without being analyzed by the intrusion prevention engine.
  • Block: the firewall rejects these certificates and matching traffic is blocked.

Wrong certificate type

This test validates the certificate’s type. A certificate is deemed compliant if it is used in the context defined by its signature. Therefore, a user certificate used by a server does not comply.

This option will determine the action to perform when you encounter non-compliant certificates:
  • Delegate to user: this action raises a security alert in the client's web browser. The client will then decide whether to continue the connection to the server concerned. An alarm will be generated and the client's action will be recorded in the logs l_alarm file.
  • Continue analysis: these certificates are accepted without generating any security alerts in the client's web browser. Traffic goes through and is analyzed by the intrusion prevention engine.
  • Block: the firewall rejects these certificates and matching traffic is blocked.

Certificate with incorrect FQDN

This option will determine the action to perform when certificates with an invalid domain name are encountered:
  • Delegate to user: this action raises a security alert in the client's web browser. The client will then decide whether to continue the connection to the server concerned. An alarm will be generated and the client's action will be recorded in the logs l_alarm file.
  • Continue analysis: these certificates are accepted without generating any security alerts in the client's web browser. Traffic goes through and is analyzed by the intrusion prevention engine.
  • Block: the firewall rejects these certificates and matching traffic is blocked.
When the FQDN of the certificate is different from the SSL domain name This option will determine the action to perform when you encounter certificates with domain names (FQDN) that are different from the expected SSL domain:
  • Delegate to user: this action raises a security alert in the client's web browser. The client will then decide whether to continue the connection to the server concerned. An alarm will be generated and the client's action will be recorded in the logs l_alarm file.
  • Continue analysis: these certificates are accepted without generating any security alerts in the client's web browser. Traffic goes through and is analyzed by the intrusion prevention engine.
  • Block: the firewall rejects these certificates and matching traffic is blocked.
Allow IP addresses in SSL domain names This option allows or denies access to a site based on its IP addresses instead of its SSL domain name.

Support

If decryption fails This option will determine the action to perform when decryption fails: you can choose to Block traffic or Do not decrypt. Traffic will not be inspected if the second option is selected.
If classification of certificate fails The choice is either Pass without decrypting or Block without decrypting. If a certificate has not been listed in a certificate category, this action will determine whether the traffic will be authorized.

Application-Layer Protocol Negotiation (ALPN)

Application-Layer Protocol Negotiation (ALPN) is an extension of the Transport Layer Security (TLS) protocol, which negotiates the protocol of the application layer during the TLS handshake.

IANA ALPN tab

In this grid, protocols registered with the IANA and included in the ALPN extension as described in RFC 7301 can be allowed/prohibited.

You can:

  • Allow or prohibit protocols individually by clicking on their associated action,
  • Select all protocols with the Select all button and apply a common action to them using Allowand Block.

A search field also makes it possible to filter the display of protocols.

ALPN EXCEPTIONS tab

In this grid, ALPN extension protocols that must be excluded from the SSL/TLS protocol analysis can be defined.

You can:

  • Add a protocol to be deleted by using the Add button.
  • Select all excluded protocols and delete them from the grid by using the Select all then Remove buttons.

A search field also makes it possible to filter the display of protocols.