Do you use HTTP and HTTPS proxies?

How many here are using HTTP and HTTPS proxies and why do you use them? Are you concerned they may have a negative effect? I've been back and forth on whether or not to use them, I'm not sure exactly what they protect or how well they protect. I am using a M300.

What are the potential negative effects or services that may have an issue when they are in use?


  • Options

    Why - many reasons - here are the most important ones for me:
    1) to block undesired content, such as selected file types
    2) to do AV scans on content accessed via web browsers
    3) to block access to specific web sites or web site categories

    Issues that come to mind
    1) with the HTTPS proxy to implement Inspect, you need to add a certificate (from the firewall or your own CA) to web browsers to do the HTTPS content inspections.
    2) with HTTPS Inspect, there will be some sites which will not work, and thus will need an added Allow entry to access those sites.
    3) with the HTTP & HTTPS proxies - some apps/programs will use TCP port 80 and/or 443, but will not be true HTTP protocol, so you will need to add packet filter policies for access needed by these.
    4) with the HTTP proxy, some sites will need a HTTP proxy Exception entry in order to be accessed

  • Options

    Yes, I have several HTTP/HTTPS Proxies setup to control all HTTP/HTTPS traffic.
    Bruce hits on all the main problems.
    The only other problems that come to mind are when a URL is too long or if your box is sized too small and you are Proxing/inspecting (DPI) lots. With an M300, you shouldn't have any performance issues.

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    In addition to the above, using the proxies will be the only way to get web traffic reports Dimension/Report servers. Packet filters only show IP addresses, where proxies will log where the client is going to.

    -James Carson
    WatchGuard Customer Support

  • Options

    We have literally, hundreds of Fireboxes (boxen?) out there - and we always turn on proxies by default for all of the above reasons (security services, and reporting).. and just stick in a proxy bypass packet filter for specifics, should it be required (getting rarer).

    All Fireboxes (T-Series, M-Series, FireboxV, Firebox Cloud etc.); EPDR, Advanced EPDR/Cytomic, Orion (Threat Hunting); WiFi, AuthPoint. WSC/Cloud. Management of a few hundred Fireboxes, and a few thousand EPDR endpoints. Platinum Partner. Views my own (if any!).

Sign In to comment.