Proxy tab
Connection
Keep original source IP address | When a web client (browser) sends a request to a server, the firewall intercepts it, checks that it complies with the URL filter rules, and then relays it. If this option is selected, the relayed request is sent with the original source IP address of the web client; otherwise it is sent with the firewall's own address. Keeping the original address only works if the server's replies are routed back through the firewall, since the proxy must see the return traffic to complete the exchange. |
Content inspection
Self-signed certificates | These certificates are signed with their own key (typically generated on a local server) rather than by a certification authority the firewall trusts. They can still protect the confidentiality of exchanges, but they give no third-party guarantee of the server's identity, so a forged self-signed certificate cannot be told apart from a legitimate one. This option determines the action to perform when a self-signed certificate is encountered. |
Expired certificates | An expired certificate has a validity period that has lapsed, so it is no longer valid; it must be renewed by a certification authority before it can be trusted again. This option determines the action to perform when an expired certificate is encountered. |
Unknown certificates | A certificate is unknown when it is signed by a certification authority that is not among the authorities the firewall trusts, so no chain of trust can be built for it. This option determines the action to perform when such a certificate is encountered. |
Wrong certificate type | This test validates the certificate's type. A certificate complies when it is used in the context its issuer defined for it (its key usage and extended key usage); a user certificate presented by a server therefore does not comply. This option determines the action to perform when a non-compliant certificate is encountered. |
Certificate with incorrect FQDN | This option determines the action to perform when the domain name carried by the certificate is not a syntactically valid fully qualified domain name (FQDN). |
When the FQDN of the certificate is different from the SSL domain name | This option determines the action to perform when the certificate's domain name (FQDN) does not match the SSL domain name the client requested. |
Allow IP addresses in SSL domain names | This option allows or denies connections in which the SSL domain name is an IP address rather than a host name, i.e. the client reached the site by its IP address instead of its domain name. |
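The checks from Self-signed certificates down to Allow IP addresses in SSL domain names are easier to reason about as code. The block below is an added example written for this page, not the firewall's own implementation: it runs the checks over constructed certificate summaries (a dataclass standing in for the parsed leaf certificate) and a constructed policy. The finding names, the action names "block" and "continue", and the rule that an unconfigured finding blocks are all assumptions made for the example; the FQDN syntax rule and the wildcard matching follow the usual DNS and RFC 6125 conventions.

```python
"""Added example, not the firewall's own code: a model of the content-inspection
checks above, run over constructed certificate summaries rather than real X.509 data."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress
import re

# One DNS label: 1-63 alphanumerics or hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

@dataclass
class CertInfo:
    """The fields the checks need, as a proxy would read them from the leaf certificate."""
    subject: str                                        # subject DN, e.g. "CN=www.example.com"
    issuer: str                                         # issuer DN
    not_before: datetime
    not_after: datetime
    san_dns: list = field(default_factory=list)         # dNSName entries of subjectAltName
    ext_key_usage: list = field(default_factory=list)   # e.g. ["serverAuth"] or ["clientAuth"]

def valid_fqdn(name):
    """Syntactic FQDN check; a wildcard is accepted only as the whole leftmost label."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return bool(labels) and all(LABEL_RE.match(label) for label in labels)

def match_hostname(pattern, host):
    """RFC 6125-style comparison: case-insensitive, '*' matches exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                       # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return leftmost != "" and "." not in leftmost

def is_ip_literal(sni):
    try:
        ipaddress.ip_address(sni)
        return True
    except ValueError:
        return False

def certificate_findings(cert, sni, trusted_issuers, now):
    """Return the checks the certificate fails, in the order the table lists them."""
    findings = []
    if cert.subject == cert.issuer:
        findings.append("self_signed")
    elif cert.issuer not in trusted_issuers:
        findings.append("unknown")             # issuer is not a CA the proxy trusts
    if not (cert.not_before <= now <= cert.not_after):
        findings.append("expired")             # not-yet-valid is treated like expired here (assumption)
    if "serverAuth" not in cert.ext_key_usage:
        findings.append("wrong_type")          # e.g. a user (clientAuth) certificate on a server
    if not all(valid_fqdn(n) for n in cert.san_dns):
        findings.append("incorrect_fqdn")
    if is_ip_literal(sni):
        findings.append("ip_in_sni")           # governed by "Allow IP addresses in SSL domain names"
    elif not any(match_hostname(n, sni) for n in cert.san_dns):
        findings.append("fqdn_mismatch")
    return findings

def decide(findings, policy):
    """policy maps each finding to 'block' or 'continue' (assumed action names);
    anything not configured blocks, and one blocking finding is enough to block."""
    if any(policy.get(f, "block") == "block" for f in findings):
        return "block"
    return "continue"

# Constructed sample data: a trusted issuer, a fixed clock, and five certificate/SNI pairs.
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
TRUSTED = {"CN=Example Root CA"}
VALID = (datetime(2024, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC))
SAMPLES = {
    "good": (CertInfo("CN=www.example.com", "CN=Example Root CA", *VALID,
                      ["www.example.com"], ["serverAuth"]), "www.example.com"),
    "self_signed": (CertInfo("CN=intranet.local", "CN=intranet.local", *VALID,
                             ["intranet.local"], ["serverAuth"]), "intranet.local"),
    "expired_wildcard": (CertInfo("CN=*.example.com", "CN=Example Root CA",
                                  datetime(2022, 1, 1, tzinfo=UTC), datetime(2023, 1, 1, tzinfo=UTC),
                                  ["*.example.com"], ["serverAuth"]), "shop.example.com"),
    "user_cert_on_server": (CertInfo("CN=alice", "CN=Corp Users CA", *VALID,
                                     ["alice.corp.example"], ["clientAuth"]), "alice.corp.example"),
    "ip_sni": (CertInfo("CN=www.example.com", "CN=Example Root CA", *VALID,
                        ["www.example.com"], ["serverAuth"]), "203.0.113.10"),
}

def run_samples(policy):
    """Evaluate every sample under one policy; returns {name: (findings, decision)}."""
    results = {}
    for name, (cert, sni) in SAMPLES.items():
        findings = certificate_findings(cert, sni, TRUSTED, NOW)
        results[name] = (findings, decide(findings, policy))
    return results

if __name__ == "__main__":
    # A policy that tolerates self-signed certificates and blocks everything else.
    for name, result in run_samples({"self_signed": "continue"}).items():
        print(f"{name:22s} {result}")
```

Two design points worth noting: the "unknown" check is skipped for self-signed certificates (the issuer is the certificate itself, so it can never be in the trusted list), and an IP-literal SNI is reported on its own rather than as an FQDN mismatch, because that case has a dedicated setting in the table and its outcome should not depend on how the mismatch check happens to treat addresses.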
Support
If decryption fails | This option determines the action to perform when decryption fails: Block traffic or Do not decrypt. With Do not decrypt, the traffic is relayed without being inspected. |
If classification of certificate fails | The choice is either Pass without decrypting or Block without decrypting. If a certificate has not been listed in a certificate category, this action will determine whether the traffic will be authorized. |
Application-Layer Protocol Negotiation (ALPN)
Application-Layer Protocol Negotiation (ALPN) is an extension of the Transport Layer Security (TLS) protocol, which negotiates the protocol of the application layer during the TLS handshake.
IANA ALPN tab
In this grid, protocols registered with the IANA and included in the ALPN extension as described in RFC 7301 can be allowed/prohibited.
You can:
- Allow or prohibit protocols individually by clicking on their associated action,
- Select all protocols with the Select all button and apply a common action to them using Allow and Block.
A search field also makes it possible to filter the display of protocols.
ALPN EXCEPTIONS tab
In this grid, ALPN extension protocols that must be excluded from the SSL/TLS protocol analysis can be defined.
You can:
- Add a protocol to be excluded by using the Add button.
- Select all excluded protocols and delete them from the grid by using the Select all then Remove buttons.
A search field also makes it possible to filter the display of protocols.
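To make the two ALPN grids concrete, the following added example (written for this page, not the firewall's own code) encodes and parses the ALPN extension as RFC 7301 defines it on the wire, then applies an IANA ALPN grid and an ALPN exceptions grid to the protocols a client offers. The grid contents, the choice to strip prohibited identifiers from the ClientHello rather than drop the connection outright, and the rule that identifiers absent from the grid are dropped are assumptions made for the example; the wire format is the standard one.

```python
"""Added example, not the firewall's own code: encode and parse the RFC 7301 ALPN
extension, then apply the IANA ALPN and ALPN exceptions grids to a client's offer."""
import struct

ALPN_EXTENSION_TYPE = 16   # "application_layer_protocol_negotiation", RFC 7301 section 6

def encode_alpn_extension(protocols):
    """Serialise a ClientHello ALPN extension: type, length, then ProtocolNameList
    (2-byte list length, each name prefixed by its 1-byte length)."""
    names = b"".join(struct.pack("!B", len(p)) + p.encode("ascii") for p in protocols)
    body = struct.pack("!H", len(names)) + names
    return struct.pack("!HH", ALPN_EXTENSION_TYPE, len(body)) + body

def decode_alpn_extension(data):
    """Parse the extension back into protocol names. Every length field is checked
    against its container so a malformed extension cannot confuse the inspection step."""
    if len(data) < 6:
        raise ValueError("extension too short")
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != ALPN_EXTENSION_TYPE or ext_len != len(data) - 4:
        raise ValueError("not a well-formed ALPN extension")
    (list_len,) = struct.unpack("!H", data[4:6])
    if list_len == 0 or list_len != ext_len - 2:
        raise ValueError("bad ProtocolNameList length")
    names, pos, end = [], 6, 6 + list_len
    while pos < end:
        n = data[pos]
        if n == 0 or pos + 1 + n > end:
            raise ValueError("bad ProtocolName length")
        names.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return names

# Constructed policy. IANA_ALPN plays the "IANA ALPN" grid: IANA-registered identifiers,
# each set to "allow" or "block". EXCEPTIONS plays the "ALPN exceptions" grid: protocols
# the proxy passes through without SSL/TLS analysis.
IANA_ALPN = {"h2": "allow", "http/1.1": "allow", "h3": "block", "dot": "block", "acme-tls/1": "allow"}
EXCEPTIONS = {"acme-tls/1"}

def filter_offered(offered, iana_alpn=IANA_ALPN, exceptions=EXCEPTIONS):
    """Split the client's list into names to keep and names to drop. Exceptions are kept
    untouched; everything else follows the grid, and identifiers absent from the grid
    (i.e. not IANA-registered) are dropped (assumed default)."""
    kept, dropped = [], []
    for name in offered:
        if name in exceptions or iana_alpn.get(name) == "allow":
            kept.append(name)
        else:
            dropped.append(name)
    return kept, dropped

def rewrite_client_hello_alpn(raw_extension, iana_alpn=IANA_ALPN, exceptions=EXCEPTIONS):
    """Proxy-side step: parse the client's ALPN extension, filter it, and return the
    extension to forward upstream, or None when nothing acceptable remains (block)."""
    kept, _ = filter_offered(decode_alpn_extension(raw_extension), iana_alpn, exceptions)
    return encode_alpn_extension(kept) if kept else None

if __name__ == "__main__":
    hello = encode_alpn_extension(["h2", "dot", "acme-tls/1", "x-custom"])
    print(hello.hex())
    print(decode_alpn_extension(rewrite_client_hello_alpn(hello)))  # ['h2', 'acme-tls/1']
```

The parser rejects any length field that disagrees with its container rather than trusting the client's framing; a proxy that silently accepted a truncated or oversized list would be the weakest point in the inspection chain. Whether a prohibited identifier should be stripped (as here) or should cause the whole connection to be refused is a policy decision the page does not spell out; the function returns None when nothing acceptable remains so the caller can apply either choice.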