Allowing Internet Traffic via Internal Proxy Server Only

Objective

A company operates a proxy server with detailed URL-based rule sets. To enforce these rule sets, all HTTP/HTTPS traffic that does not pass through the proxy server should be blocked.

This requires two steps: creating a static network object that identifies the proxy server, and creating a rule set that allows HTTP/HTTPS traffic to the proxy server and rejects all other HTTP/HTTPS traffic.

This example configuration only covers HTTP/HTTPS communication. Other protocols, such as QUIC, are not blocked by these rules.

Creating the Static Network Object for the Proxy Server

Create a static network object that characterizes your proxy server.

The static network object requires the following settings:

  Name:          Proxy Server
  Network:       Internal
  MAC Addresses: Included: MAC address of the internal proxy server

For detailed instructions on how to create a static network object, refer to Creating Static Network Objects.

Creating the Rule Set

Configure a rule set consisting of two global rules: rule 1 allows HTTP/HTTPS traffic to the proxy server, and rule 2 rejects all remaining HTTP/HTTPS traffic.

The rules require the following settings:

  Rule 1
    Source:      Any
    Destination: Proxy Server
    Condition:   Classification, Included Applications/Protocols: http, ssl
    Actions:     Final Action: Allow Traffic and Skip to Next Scenario

  Rule 2
    Source:      Any
    Destination: Any
    Condition:   Classification, Included Applications/Protocols: http, ssl
    Actions:     Final Action: Reject Traffic and Stop Processing

For detailed instructions on how to create a rule, refer to Creating Global Rules.

Click the APPLY CHANGES button in the header to activate your configuration changes.

Result

Threat Defender processes the rule set top-down, which results in the workflows described below.

Network clients (web browsers) with a configured proxy server:

  1. Packets sent via HTTP (or HTTPS) to the network address of the proxy server, which handles the website request, hit rule 1.
  2. The packets match the rule settings. Therefore, they are allowed to pass.

Network clients (web browsers) with no configured proxy server try to access the company intranet:

  1. Packets sent via HTTP (or HTTPS) to the web server hosting the company intranet hit rule 1.
  2. The packets do not meet the rule criteria because their destination is not the proxy server. Therefore, the rule is skipped.
  3. Threat Defender checks the packets against the next rule, rule 2.
  4. The packets match the rule settings and are rejected.
  5. The client application is notified that the web server cannot be reached.
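The following Python model is an added illustration of the top-down evaluation described above; it is not Threat Defender code. It encodes the two global rules, classifies constructed packets by destination MAC and application protocol, and shows the caveat that traffic the rules do not cover (such as QUIC) falls through unblocked. The proxy MAC address is a constructed placeholder.

```python
# Minimal model of the two-rule set above (added example, not product code).
from dataclasses import dataclass

PROXY_MAC = "00:11:22:33:44:55"  # constructed placeholder for the proxy's MAC


@dataclass
class Packet:
    dst_mac: str
    app: str  # classification result, e.g. "http", "ssl", "quic"


# Each rule: (destination matcher, classified protocols, final action).
# "allow_skip" = Allow Traffic and Skip to Next Scenario
# "reject_stop" = Reject Traffic and Stop Processing
RULES = [
    ("proxy", {"http", "ssl"}, "allow_skip"),  # rule 1
    ("any", {"http", "ssl"}, "reject_stop"),   # rule 2
]


def dest_matches(kind: str, pkt: Packet) -> bool:
    """Destination 'Any' matches everything; 'proxy' matches the proxy MAC."""
    if kind == "any":
        return True
    return kind == "proxy" and pkt.dst_mac.lower() == PROXY_MAC.lower()


def evaluate(pkt: Packet) -> tuple:
    """Return (rule number, verdict) for one packet, evaluating rules top-down."""
    for number, (dest, protos, action) in enumerate(RULES, start=1):
        if not dest_matches(dest, pkt) or pkt.app not in protos:
            continue  # criteria not met: skip to the next rule
        if action == "allow_skip":
            return (number, "allowed")
        if action == "reject_stop":
            return (number, "rejected")
    # No rule matched: the packet is not subject to this scenario at all.
    # This is the QUIC caveat: a non-HTTP/SSL classification is not blocked.
    return (None, "not matched")


if __name__ == "__main__":
    print(evaluate(Packet(PROXY_MAC, "ssl")))           # client uses the proxy
    print(evaluate(Packet("aa:bb:cc:dd:ee:ff", "http")))  # client bypasses it
    print(evaluate(Packet("aa:bb:cc:dd:ee:ff", "quic")))  # outside the scenario
```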
