Path: Policy - Network Objects - Static Network Object

Path: Policy - Rules


Situation

You have an already configured company proxy server with detailed URL-based rulesets.

Now you want to ensure that all HTTP/HTTPS traffic that is not handled by your proxy is blocked.


To achieve this you need just three things:

a Static Network Object (your proxy) and two rules that handle the allowed traffic and all other traffic.


The Static Network Object for the Proxy

First we create the Static Network Object that describes your proxy.


In Policy - Network Objects - Static Network Objects, click the ADD button.


Enter the name and, in this case, tag the object as a member of the servers.


Then add the characteristic of the proxy server, its IP address:


Finally click SAVE to finish creating our Static Network Object "Proxy".



Create the ruleset for handling the network traffic

Allow communication to the Proxy

This is a simple rule that allows all HTTP/HTTPS communication to the proxy.


Create it by clicking the ADD GLOBAL RULE button in Policy - Rules and enter a name like "Allow outgoing HTTP/HTTPS via Proxy".


Set the Source & Destination as needed (the destination is the "Proxy" object):


as well as the Classification for HTTP and HTTPS:


and the Final Action to Allow:


Click SAVE to store the rule.




Reject all other HTTP/HTTPS traffic

Now we create a rule that blocks all other HTTP/HTTPS traffic within the network. Rules are evaluated in order, so this catch-all rule must sit below the allow rule created above; otherwise traffic to the proxy would be rejected before the allow rule is ever reached.


Add a new rule via the ADD button and enter a name (the scenario below uses "Block HTTP/SSL"):


Now we make this rule valid for ALL network traffic via Source & Destination:


The rule applies to HTTP/HTTPS traffic only, so it needs to be classified accordingly:


And finally, the TD shall reject the packets (Final Action set to Reject):



Scenario workflow

The network client (web browser) with a proxy configured:

  1. An HTTP (or HTTPS) packet whose target network address is the proxy server (the proxy will handle the web page request in the end) hits the rule "Allow outgoing HTTP/HTTPS via Proxy"
  2. The packet matches the rule settings and is allowed to pass


The network client (web browser) with no proxy configured tries to reach the company intranet:

  1. An HTTP (or HTTPS) packet whose target address is the web server hosting the company intranet hits the rule "Allow outgoing HTTP/HTTPS via Proxy"
  2. The packet's characteristics do not meet the criteria -> the rule is skipped
  3. The TD checks the packet against the next rule "Block HTTP/SSL"
  4. The packet matches the rule criteria and is rejected
  5. The client application is informed that the web server cannot be reached.
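The two-rule policy and the scenario workflow above, modelled as a small first-match evaluator. This is an added illustration, not code or configuration from the product described on this page; the IP addresses, the `Rule`/`Packet` classes and the `evaluate` function are constructed for the example, and it also shows why the rule order matters by evaluating the same proxy-bound packet against the rules in reversed order.

```python
from dataclasses import dataclass

# Constructed sample addresses (not from the original page).
PROXY_IP = "10.0.0.10"      # the "Proxy" Static Network Object
INTRANET_IP = "10.0.5.20"   # web server hosting the company intranet
CLIENT_IP = "10.0.3.7"      # a workstation running a browser
ANY = "any"                 # Source & Destination set to ALL traffic


@dataclass(frozen=True)
class Rule:
    name: str
    destination: str           # IP of a Static Network Object, or ANY
    classifications: frozenset # traffic classes the rule applies to
    action: str                # Final Action: "allow" or "reject"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    classification: str        # e.g. "HTTP", "HTTPS", "DNS"


# Global rules in evaluation order: allow-to-proxy first, catch-all reject second.
RULES = [
    Rule("Allow outgoing HTTP/HTTPS via Proxy", PROXY_IP, frozenset({"HTTP", "HTTPS"}), "allow"),
    Rule("Block HTTP/SSL", ANY, frozenset({"HTTP", "HTTPS"}), "reject"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when its destination is ALL or the packet's target, and the class fits."""
    return rule.destination in (ANY, pkt.dst) and pkt.classification in rule.classifications


def evaluate(rules: list, pkt: Packet) -> dict:
    """First-match evaluation: rules that do not match are skipped, the first match decides.
    Returns action None when no rule matches; what the product does then is outside this example."""
    skipped = []
    for rule in rules:
        if matches(rule, pkt):
            return {"action": rule.action, "rule": rule.name, "skipped": skipped}
        skipped.append(rule.name)
    return {"action": None, "rule": None, "skipped": skipped}


if __name__ == "__main__":
    print(evaluate(RULES, Packet(CLIENT_IP, PROXY_IP, "HTTP")))        # allowed by rule 1
    print(evaluate(RULES, Packet(CLIENT_IP, INTRANET_IP, "HTTPS")))    # rule 1 skipped, rejected by rule 2
    print(evaluate(list(reversed(RULES)), Packet(CLIENT_IP, PROXY_IP, "HTTP")))  # misordered: rejected
```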