
Disallow all http/https traffic except through the proxy?

I'm trying to figure out the best way to prevent all http/https traffic from going through the firewall except if it's going through the proxy.  This way I can be sure all http/https traffic, regardless of port, is filtered.  I have the proxy working fine, I'm just looking for the firewall rule(s) that I need.



  • I was just experimenting with my Mac by putting in the XG proxy, and it failed every connection, but that is a side issue.

    For those that don't use the proxy configuration, you set up a rule at the top:

    source LAN, network any; destination WAN, network any; services HTTP/S; choose the rule type, drop or reject, whichever is your choice.

    Ian

  • So a couple of things here. First, I do not want to block by service.  I thought I had been clear on that. When you block by service, it only blocks by TCP port and can be easily bypassed.  I want to block using deep packet inspection so HTTP and HTTPS are blocked no matter what the destination port is.

    Second, when I add a firewall rule to apply to anyone that isn't using the proxy, it also applies to people using the proxy.  How do I determine, in a firewall rule, that a user is going through the web proxy?
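    An added illustration of the point raised above, not code from the thread or from Sophos XG: a small Python classifier run over constructed sample flows, showing that a port-based (service) rule misses HTTP and TLS sent to non-standard ports, while a content check on the first payload bytes catches them regardless of port. The sample flows and function names are my own.

```python
import re

# Constructed sample "flows": (destination port, first payload bytes seen).
# These are made-up test vectors, not captures from any real network.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 34
SAMPLE_FLOWS = [
    (80,   b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (8080, b"POST /api HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # HTTP on a non-standard port
    (443,  TLS_CLIENT_HELLO),
    (4443, TLS_CLIENT_HELLO),                                     # TLS on a non-standard port
    (22,   b"SSH-2.0-OpenSSH_9.6\r\n"),                           # not web traffic at all
]

# Start of an HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST = re.compile(
    rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH|CONNECT) \S+ HTTP/1\.[01]\r\n"
)


def matches_by_port(port: int) -> bool:
    """Service-based rule: looks only at the destination port (80/443)."""
    return port in (80, 443)


def is_http(payload: bytes) -> bool:
    """Content check: does the payload begin with an HTTP/1.x request line?"""
    return HTTP_REQUEST.match(payload) is not None


def is_tls_client_hello(payload: bytes) -> bool:
    """Content check: TLS record type 0x16 (handshake), version 0x03 0x0X,
    2-byte record length, then handshake type 0x01 (ClientHello)."""
    return (
        len(payload) >= 6
        and payload[0] == 0x16
        and payload[1] == 0x03
        and payload[2] <= 0x04
        and payload[5] == 0x01
    )


def matches_by_dpi(payload: bytes) -> bool:
    """DPI-style rule: classify on content, ignoring the port entirely."""
    return is_http(payload) or is_tls_client_hello(payload)


def classify(flows):
    """For each flow return (port, blocked_by_port_rule, blocked_by_dpi_rule)."""
    return [(port, matches_by_port(port), matches_by_dpi(payload)) for port, payload in flows]


if __name__ == "__main__":
    for port, by_port, by_dpi in classify(SAMPLE_FLOWS):
        print(f"port {port:>5}: port rule blocks={by_port}  DPI rule blocks={by_dpi}")
```

    Running it shows the two non-standard-port flows (8080 and 4443) slip past the port rule but not the content check, while the SSH flow is left alone by both.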

  • You need to add UDP for HTTPS in the list. Blocking by deep packet inspection requires you to install a certificate on every device and then set up the application lists you want to block. At this stage I am not aware of how you differentiate a proxy user from a firewall user. I tried the proxy user setup and there is a rule I cannot identify that blocks all proxy traffic even with the firewall rule I have in place. Flosupport, would you please provide some assistance with the thread? Thank you, Ian
  • Yup.  I have DPI working and HTTPS scanning working on the clients I'm testing on with the CA certificate from the device.  OK.  I'll keep messing around and if/when I find an answer, I'll post it here for reference.

    Once I gain more experience with this thing, if I discover that it truly seems impossible, I'll add a suggestion in the other forum.