When is the Upstream Proxy used?

In Transparent Mode:

In order for the port 80/443 traffic that flows through the XG firewall to be automatically directed to an upstream proxy, it must go through the on-box Web Proxy.

If the port 80/443 traffic is flowing through the XG firewall based on a firewall rule alone (with no Web Proxy) then there is no way to modify the requests to send to an upstream proxy.

To flow through the Web Proxy, you need to have the Services include HTTP/HTTPS, and you need to either have HTTP and HTTPS malware scanning on, or you need to have a Web Policy specified (anything except None).

In Standard/Explicit/Direct Mode, anything that goes to Port 3128 will go through the proxy.  You still need to have a firewall rule for port 80/443 through.

Higher level rule with destination set to your internal servers on WAN and no scanning or web policy.

Lower level rile for all destinations, with a web policy.

Another option would be to use a WPAD mechanism and "Automatically detect my settings" in the browser's proxy config.  Your WPAD could specify which sites can be access directly and which ones need to go through a specified proxy (the XG).  The firewall rule would not specify any policy so transparent access direct to the WAN sites don't go to upstream, while standard mode would.

I would highly recommend turning on the malware scanning as well.

The Upstream Proxy is used in the following cases:

- Port 80 and 443 traffic, as long as the either a Web Policy or Malware Scanning is on

- Port 3128 traffic.  This can also include FTP if your client is configured that way (for example look at IE Proxy Settings).  This is FTP-over-HTTP.

- All HTTP/HTTPS traffic that is generated by the XG itself (for example to get updates)

Other traffic is not sent, because by definition an upstream proxy only handles HTTP and HTTPS (and FTP-over-HTTP).

If you want to route other ports, those are firewall routing rules, which is a different topic.

A firewall rule is required for any traffic to flow across the firewall.  Make sure you set the Service correctly (Service maps to ports).  Do not use the Any service (except when troubleshooting).  User/Network Rules are for outgoing traffic.  Business Application Rules are for incoming.

I have the same problem.

We have two WAN Intefaces.

WAN #1 works only with a upstream proxy

WAN #2 work only without a upstram proxy

but i need a web policy rule for both wan ports. i can specify the gateway (WAN#2 Gateway) in the web policy but can not say that he not use the upstream proxy for this web policy / firewall rule! 

Because the upstream proxy can not be reached over wan#2. Since this is a direct internet access.

Have any one a idea?

A slightly hacky solution, but in v18 the DPI mode does not support upstream proxy, however proxy mode does.  So you can have two firewall rules, one with and one without.

XG does not currently support what is sometimes called selective upstream proxy, though SG does.  This would allow for different proxies (or no proxy) based on the destination.  It is in the feature backlog, with no planned release.

A slightly hacky solution, but in v18 the DPI mode does not support upstream proxy, however proxy mode does.  So you can have two firewall rules, one with and one without.

XG does not currently support what is sometimes called selective upstream proxy, though SG does.  This would allow for different proxies (or no proxy) based on the destination.  It is in the feature backlog, with no planned release.