In a company there is a proxy server with detailed URL-based rule sets. Therefore, all HTTP/HTTPS traffic which is not handled by the proxy server should be blocked.
To achieve this, you need to set up the following:
- a static network object for the proxy server,
- a rule set consisting of two global rules (one allowing HTTP/HTTPS traffic to the proxy server, one rejecting all other HTTP/HTTPS traffic).
Note: This example configuration only handles HTTP/HTTPS communication. Other protocols, such as QUIC, are not blocked.
Creating the Static Network Object for the Proxy Server
Navigate to Policy > Network Objects > Static Network Objects. Create a static network object that characterizes the proxy server.
The following table shows the required settings of the static network object:
| Name | Network Tags | Network | MAC Addresses |
|---|---|---|---|
| Proxy Server | Internal | | Included: MAC address of the internal proxy server |
For detailed instructions on how to create a static network object, refer to Creating Static Network Objects.
Creating the Rule Set
Navigate to Policy > Rules. Configure a rule set consisting of two global rules:
- Rule 1 allows all HTTP/HTTPS traffic to the proxy server.
- Rule 2 rejects all HTTP/HTTPS traffic in the network that is not directed at the proxy server.
The following table shows the required rule settings (only the action values survived extraction):
- Allow Traffic and Skip to Next Scenario
- Allow Traffic and Stop Processing
For detailed instructions on how to create a rule, refer to Creating Global Rules in the Threat Defender manual.
Click APPLY CHANGES to activate your configuration changes.
Threat Defender processes the rule set in a top-down approach, resulting in the workflows detailed below.
Network clients (web browsers) with a configured proxy server:
- Packets sent via HTTP (or HTTPS) to the network address of the proxy server, which handles the website request, hit rule 1.
- The packets match the rule settings. Therefore, they are allowed to pass.
Network clients (web browsers) with no configured proxy server that try to access the company intranet:
- Packets sent via HTTP (or HTTPS) to the web server hosting the company intranet hit rule 1.
- The packets do not meet the rule criteria because their destination is not the proxy server. Therefore, the rule is skipped.
- Threat Defender checks the packets against the next rule, rule 2.
- The packets match the rule settings and are rejected.
- The client application is notified that the web server cannot be reached.
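The two workflows above, and the limitation stated in the note (QUIC is not covered), can be traced with a small top-down rule-set model. This is an added example, not code from the Threat Defender manual or product: the MAC address, the sample packets and the assumption that HTTP/HTTPS means TCP on ports 80 and 443 are all constructed here.

```python
# Added example: a minimal model of the two-rule policy, evaluated top-down
# (first matching rule wins) the way the text describes Threat Defender doing it.
from dataclasses import dataclass

PROXY_MAC = "00:11:22:33:44:55"  # constructed: MAC of the "Proxy Server" network object
HTTP_PORTS = {80, 443}           # assumption: HTTP/HTTPS = TCP destination port 80/443


@dataclass(frozen=True)
class Packet:
    dst_mac: str
    proto: str      # "tcp" or "udp"
    dst_port: int


def to_proxy(pkt: Packet) -> bool:
    """Destination matches the MAC-based static network object 'Proxy Server'."""
    return pkt.dst_mac.lower() == PROXY_MAC


def is_http(pkt: Packet) -> bool:
    """HTTP/HTTPS as modelled here: TCP to port 80 or 443 (QUIC on UDP/443 is not)."""
    return pkt.proto == "tcp" and pkt.dst_port in HTTP_PORTS


# (rule name, match predicate, action); order matters, rule 1 must precede rule 2
RULES = [
    ("Rule 1: allow HTTP/HTTPS to proxy", lambda p: is_http(p) and to_proxy(p), "allow"),
    ("Rule 2: reject other HTTP/HTTPS", lambda p: is_http(p), "reject"),
]


def evaluate(pkt: Packet) -> tuple:
    """Return (action, matched rule name); non-matching packets fall through both rules."""
    for name, match, action in RULES:
        if match(pkt):
            return action, name
    return "no match", "default"


# constructed sample traffic covering both workflows plus the QUIC caveat
CASES = {
    "browser with proxy -> proxy:443": Packet(PROXY_MAC, "tcp", 443),
    "browser without proxy -> intranet:80": Packet("aa:bb:cc:dd:ee:01", "tcp", 80),
    "QUIC to intranet (udp/443)": Packet("aa:bb:cc:dd:ee:01", "udp", 443),
}


def run_all() -> dict:
    """Map each sample case to the action the rule set produces."""
    return {label: evaluate(p)[0] for label, p in CASES.items()}


if __name__ == "__main__":
    for label, action in run_all().items():
        print(f"{label:40} -> {action}")
```

The third case shows why the note matters: UDP/443 traffic matches neither rule and is passed through by this rule set, so QUIC needs its own handling.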