Objective

A company operates a proxy server that enforces detailed URL-based rule sets. To prevent clients from bypassing it, all HTTP/HTTPS traffic that is not handled by the proxy server should be blocked.


To achieve this, you need to set up the following:

  • a static network object for the proxy server,
  • a rule that handles the allowed traffic, and
  • a rule that blocks all other traffic.


Note: This example configuration only handles HTTP/HTTPS communication. Other protocols, such as QUIC, are not blocked.


Creating the Static Network Object for the Proxy Server

Navigate to Policy > Network Objects > Static Network Objects. Create a static network object that characterizes the proxy server.


The following table shows the required settings of the static network object:


  Name: Proxy Server
  Network Tags: Servers (optional)
  Network: Internal
  MAC Addresses: Included: MAC address of the internal proxy server


For detailed instructions on how to create a static network object, refer to Creating Static Network Objects.


Creating the Rule Set 

Navigate to Policy > Rules. Configure a rule set consisting of two global rules:

  • Rule 1 allows all HTTP/HTTPS traffic to the proxy server.
  • Rule 2 rejects all HTTP/HTTPS traffic in the network that is not directed at the proxy server.

The following table shows the required rule settings:



  Rule 1
    Source: Any
    Destination: Proxy Server
    Condition: Classification; Included Applications/Protocols: HTTP, SSL
    Actions: Final Action: Allow Traffic and Skip to Next Scenario

  Rule 2
    Source: Any
    Destination: Any
    Condition: Classification; Included Applications/Protocols: HTTP, SSL
    Actions: Final Action: Allow Traffic and Stop Processing


For detailed instructions on how to create a rule, refer to Creating Global Rules in the Threat Defender manual.


Click APPLY CHANGES to activate your configuration changes.


Result

Threat Defender processes the rule set in a top-down approach, resulting in the workflows detailed below.


Network clients (web browsers) with a configured proxy server:

  1. Network packets sent via HTTP (or HTTPS) to the network address of the proxy server, which handles the website request, hit rule 1.
  2. The network packets match the rule settings. Therefore, they are allowed to pass.

Network clients (web browsers) with no configured proxy server try to access the company intranet:

  1. Network packets sent via HTTP (or HTTPS) to the web server hosting the company intranet hit rule 1.
  2. The network packets do not meet the rule criteria because their destination is not the proxy server. Therefore, the rule is skipped.
  3. Threat Defender checks the network packets against the next rule, rule 2.
  4. The packets match the rule settings and are rejected.
  5. The client application is notified that the web server cannot be reached.
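The top-down evaluation described above, as an added illustration that is not part of this manual or of Threat Defender itself: a small model of the two-rule set, with rule 2 modeled as rejecting web traffic as the Result section describes. The proxy address and the sample packets are constructed values, and the classification label on each packet stands in for the application/protocol detection the appliance performs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    app: str  # classification result, e.g. "HTTP", "SSL", "QUIC", "DNS"


# Constructed stand-in for the "Proxy Server" static network object.
PROXY_SERVER = {"10.0.0.10"}

# Ordered rule set: destination None means "Any"; apps is the
# Included Applications/Protocols condition; action is the final action.
RULES = [
    {"name": "rule 1", "dst": PROXY_SERVER, "apps": {"HTTP", "SSL"}, "action": "allow"},
    {"name": "rule 2", "dst": None, "apps": {"HTTP", "SSL"}, "action": "reject"},
]


def evaluate(packet, rules=RULES):
    """Walk the rules top-down; the first rule whose destination and
    classification both match decides. Returns (rule name, action)."""
    for rule in rules:
        if rule["dst"] is not None and packet.dst not in rule["dst"]:
            continue  # destination does not match, skip to the next rule
        if packet.app not in rule["apps"]:
            continue  # not HTTP/SSL, this rule does not apply
        return rule["name"], rule["action"]
    # Nothing matched: this rule set imposes no decision (e.g. QUIC, DNS).
    return None, "no-match"


def evaluate_all(packets):
    """Convenience wrapper returning one verdict per constructed packet."""
    return [evaluate(p) for p in packets]


if __name__ == "__main__":
    samples = [
        Packet("10.0.1.5", "10.0.0.10", "HTTP"),  # browser with proxy configured
        Packet("10.0.1.6", "10.0.0.20", "SSL"),   # direct HTTPS to intranet server
        Packet("10.0.1.6", "10.0.0.20", "QUIC"),  # not covered by this rule set
    ]
    for p, verdict in zip(samples, evaluate_all(samples)):
        print(p, "->", verdict)
```

The third sample shows the caveat from the note at the top: QUIC never matches either rule, so it passes through unrestricted.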