Allowing Internet Traffic via Internal Proxy Server Only

Objective

A company runs a proxy server with detailed URL-based rule sets. To enforce these rules, all HTTP/HTTPS traffic that does not pass through the proxy server should be blocked.

This requires the following:

  • a static network object for the proxy server,

  • a rule that handles the allowed traffic, and

  • a rule that blocks all other traffic.

Note

This example configuration only handles HTTP/HTTPS communication. Other protocols, such as QUIC, are not matched by the rules below and are therefore not blocked.

Creating the Static Network Object for the Proxy Server

Create a static network object that identifies your proxy server.

The following table shows the required settings of the static network object:

Name           Network    MAC Addresses
Proxy Server   Internal   Included: MAC address of the internal proxy server

For detailed instructions on how to create a static network object, refer to Creating Static Network Objects.

Creating the Rule Set

Configure a rule set consisting of two global rules:

  • Rule 1 allows all HTTP/HTTPS traffic to the proxy server.

  • Rule 2 rejects all HTTP/HTTPS traffic in the network that is not directed at the proxy server.

The following table shows the required rule settings:

Rule     Source   Destination    Condition                                    Actions
Rule 1   Any      Proxy Server   Classification                               Final Action: Allow Traffic and Skip to Next Scenario
                                 Included Applications/Protocols: HTTP, SSL
Rule 2   Any      Any            Classification                               Final Action: Reject Traffic and Stop Processing
                                 Included Applications/Protocols: HTTP, SSL

For detailed instructions on how to create a rule, refer to Creating Global Rules.

Click the APPLY CHANGES button at the top of the menu bar to activate your configuration changes.

Result

Threat Defender processes the rule set top-down, resulting in the workflows detailed below.

Network clients (web browsers) with a configured proxy server:

  1. Network packets sent via HTTP (or HTTPS) to the network address of the proxy server, which handles the website request, hit rule 1.

  2. The network packets match the rule settings. Therefore, they are allowed to pass.

Network clients (web browsers) with no configured proxy server try to access the company intranet:

  1. Network packets sent via HTTP (or HTTPS) to the web server hosting the company intranet hit rule 1.

  2. The network packets do not meet the rule criteria because their destination is not the proxy server. Therefore, the rule is skipped.

  3. Threat Defender checks the network packets against the next rule, rule 2.

  4. The packages match the rule settings and are rejected.

  5. The client application is notified that the web server cannot be reached.
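The two workflows above, replayed as an added example that is not part of this page or the Threat Defender product: a small model of the two-rule set evaluated top-down, including the QUIC case the note mentions. The MAC addresses and the packet objects are constructed placeholders.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed sample addresses (placeholders, not real devices): the proxy
# server's MAC is what the "Proxy Server" network object resolves to.
PROXY_MAC = "00:00:5e:00:53:01"
INTRANET_MAC = "00:00:5e:00:53:02"

@dataclass(frozen=True)
class Packet:
    dst_mac: str
    protocol: str   # classification result: "HTTP", "SSL", "QUIC", ...

@dataclass(frozen=True)
class Rule:
    name: str
    destination: Optional[str]     # "Proxy Server" object, or None for Any
    protocols: FrozenSet[str]      # Included Applications/Protocols
    action: str                    # "allow" or "reject"
    stop: bool                     # Stop Processing vs. Skip to Next Scenario

# The rule set from the table above, in processing order.
RULES = (
    Rule("Rule 1", "Proxy Server", frozenset({"HTTP", "SSL"}), "allow", False),
    Rule("Rule 2", None,           frozenset({"HTTP", "SSL"}), "reject", True),
)

def matches(rule: Rule, pkt: Packet) -> bool:
    # Destination is checked against the static network object (by MAC),
    # then the classification condition. Source is "Any" in both rules.
    if rule.destination == "Proxy Server" and pkt.dst_mac != PROXY_MAC:
        return False
    return pkt.protocol in rule.protocols

def evaluate(pkt: Packet, rules=RULES) -> dict:
    """Top-down evaluation: first matching rule decides; records rules checked."""
    checked = []
    for rule in rules:
        checked.append(rule.name)
        if matches(rule, pkt):
            return {"verdict": rule.action, "rule": rule.name,
                    "stop": rule.stop, "checked": checked}
    # Nothing matched: the packet is not handled by this rule set (e.g. QUIC).
    return {"verdict": "unhandled", "rule": None, "stop": False, "checked": checked}

if __name__ == "__main__":
    for pkt in (Packet(PROXY_MAC, "HTTP"), Packet(INTRANET_MAC, "SSL"),
                Packet(INTRANET_MAC, "QUIC")):
        print(pkt, evaluate(pkt))
```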