Allowing Internet Traffic via Internal Proxy Server Only
This requires the following:
- a static network object for the proxy server,
- a rule that handles the allowed traffic, and
- a rule that blocks all other traffic.
Creating the Static Network Object for the Proxy Server
Create a static network object that characterizes your proxy server.
The following table shows the required settings of the static network object:
| Internal | Included: MAC address of the internal proxy server |
For detailed instructions on how to create a static network object, refer to Creating Static Network Objects.
Creating the Rule Set
Configure a rule set consisting of two global rules:
- Rule 1 allows all HTTP/HTTPS traffic to the proxy server.
- Rule 2 rejects all HTTP/HTTPS traffic in the network that is not directed at the proxy server.
The following table shows the required rule settings:
| Rule 1 | Final Action: Allow Traffic and Skip to Next Scenario |
| Rule 2 | Final Action: Reject Traffic and Stop Processing |
Click the APPLY CHANGES button in the header to activate your configuration changes.
Threat Defender processes the rule set in a top-down approach, resulting in the workflows detailed below.
Network clients (web browsers) with a configured proxy server:
- Network packets sent via HTTP (or HTTPS) to the network address of the proxy server (which handles the website request) hit rule 1.
- The network packets match the rule settings. Therefore, they are allowed to pass.
Network clients (web browsers) with no configured proxy server try to access the company intranet:
- Network packets sent via HTTP (or HTTPS) to the web server hosting the company intranet hit rule 1.
- The network packets do not meet the rule criteria because their destination is not the proxy server. Therefore, the rule is skipped.
- Threat Defender checks the network packets against the next rule, rule 2.
- The packets match the rule settings and are rejected.
- The client application is notified that the web server cannot be reached.
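The two workflows above, as an added example that is not Threat Defender's own code or configuration: a small Python model of the two-rule set evaluated top-down over constructed sample packets. The proxy MAC address, the use of destination MAC as the match criterion, the HTTP/HTTPS ports 80 and 443, and the packet fields are all assumptions made for the example; the trace it returns makes the "rule is skipped" step visible.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed placeholder; in a real deployment this is the MAC address held by
# the static network object for the proxy server.
PROXY_MAC = "00:11:22:33:44:55"
WEB_PORTS = {80, 443}  # HTTP and HTTPS (assumption for the example)


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Packet], bool]
    # "allow_skip"  = Allow Traffic and Skip to Next Scenario
    # "reject_stop" = Reject Traffic and Stop Processing
    final_action: str


def is_web(packet: Packet) -> bool:
    """HTTP/HTTPS is identified by destination port (assumption)."""
    return packet.dst_port in WEB_PORTS


# Rule 1: web traffic whose destination is the proxy server is allowed.
# Rule 2: all other web traffic is rejected.
RULES: List[Rule] = [
    Rule("Rule 1", lambda p: is_web(p) and p.dst_mac == PROXY_MAC, "allow_skip"),
    Rule("Rule 2", is_web, "reject_stop"),
]


def evaluate(packet: Packet, rules: List[Rule] = RULES) -> dict:
    """Top-down evaluation: the first matching rule decides the verdict.

    Returns the verdict, the deciding rule and a trace of every rule that was
    checked, so a skipped rule shows up explicitly.
    """
    trace: List[Tuple[str, str]] = []
    decided_by: Optional[str] = None
    for rule in rules:
        if rule.matches(packet):
            trace.append((rule.name, "match"))
            decided_by = rule.name
            verdict = "allow" if rule.final_action == "allow_skip" else "reject"
            return {"verdict": verdict, "decided_by": decided_by, "trace": trace}
        trace.append((rule.name, "skip"))
    # Neither rule applies to non-HTTP/HTTPS traffic; the outcome then depends
    # on whatever follows in the remaining rule set (outside this example).
    return {"verdict": "no_match", "decided_by": decided_by, "trace": trace}


if __name__ == "__main__":
    # Constructed sample packets mirroring the two workflows in the text, plus
    # one non-web packet to show what the two rules do not cover.
    via_proxy = Packet("aa:bb:cc:00:00:01", PROXY_MAC, 443)
    direct_intranet = Packet("aa:bb:cc:00:00:02", "de:ad:be:ef:00:01", 80)
    dns_lookup = Packet("aa:bb:cc:00:00:02", "de:ad:be:ef:00:02", 53)
    for pkt in (via_proxy, direct_intranet, dns_lookup):
        print(pkt, "->", evaluate(pkt))
```

The third sample packet is the check a practitioner would add when validating this policy: the two rules only constrain HTTP/HTTPS, so traffic on other ports falls through both and is governed by whatever rules follow in the rule set.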