Proxy policy security profiles
Web proxy policies support most security profile types.
Security profiles must be created before they can be used in a policy, see Security Profiles for information. |
Explicit web proxy policy
The security profiles supported by explicit web proxy policies are:
-
AntiVirus
-
Web Filter
-
Video Filter
-
DNS Filter
-
Application Control
-
IPS
-
DLP Profile
-
ICAP
-
Web Application Firewall
-
File Filter
-
SSL Inspection
To configure security profiles on an explicit web proxy policy in the GUI:
-
Go to Policy & Objects > Proxy Policy.
-
Click Create New.
-
Set the following:
Proxy Type
Explicit Web
Outgoing Interface
port1
Source
all
Destination
all
Schedule
always
Service
webproxy
Action
ACCEPT
-
In the Firewall / Network Options section, set Protocol Options to default.
-
In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):
AntiVirus
av
Web Filter
urlfiler
Application Control
app
IPS
Sensor-1
DLP Profile
dlp
ICAP
default
Web Application Firewall
default
SSL Inspection
deep-inspection
-
Click OK to create the policy.
To configure security profiles on an explicit web proxy policy in the CLI:
config firewall proxy-policy edit 1 set proxy explicit-web set dstintf "port1" set srcaddr "all" set dstaddr "all" set service "web" set action accept set schedule "always" set utm-status enable set av-profile "av" set webfilter-profile "urlfilter" set dlp-profile "dlp" set ips-sensor "sensor-1" set application-list "app" set icap-profile "default" set waf-profile "default" set ssl-ssh-profile "deep-inspection" next end
Transparent proxy
The security profiles supported by transparent proxy policies are:
-
AntiVirus
-
Web Filter
-
Video Filter
-
DNS Filter
-
Application Control
-
IPS
-
DLP Profile
-
ICAP
-
Web Application Firewall
-
File Filter
-
SSL Inspection
To configure security profiles on a transparent proxy policy in the GUI:
-
Go to Policy & Objects > Proxy Policy.
-
Click Create New.
-
Set the following:
Proxy Type
Transparent Web
Incoming Interfae
port2
Outgoing Interface
port1
Source
all
Destination
all
Schedule
always
Service
webproxy
Action
ACCEPT
-
In the Firewall / Network Options section, set Protocol Options to default.
-
In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):
AntiVirus
av
Web Filter
urlfiler
Application Control
app
IPS
Sensor-1
DLP Profile
dlp
ICAP
default
Web Application Firewall
default
SSL Inspection
deep-inspection
-
Click OK to create the policy.
To configure security profiles on a transparent proxy policy in the CLI:
config firewall proxy-policy edit 2 set proxy transparent-web set srcintf "port2" set dstintf "port1" set srcaddr "all" set dstaddr "all" set service "webproxy" set action accept set schedule "always" set utm-status enable set av-profile "av" set webfilter-profile "urlfilter" set dlp-profile "dlp" set ips-sensor "sensor-1" set application-list "app" set icap-profile "default" set waf-profile "default" set ssl-ssh-profile "certificate-inspection" next end
FTP proxy
The security profiles supported by FTP proxy policies are:
- AntiVirus
- Application Control
- IPS
- File Filter
- DLP Profile
To configure security profiles on an FTP proxy policy in the GUI:
-
Go to Policy & Objects > Proxy Policy.
-
Click Create New.
-
Set the following:
Proxy Type
FTP
Outgoing Interface
port1
Source
all
Destination
all
Schedule
always
Action
ACCEPT
-
In the Firewall / Network Options section, set Protocol Options to default.
-
In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):
AntiVirus
av
Application Control
app
IPS
Sensor-1
DLP Profile
dlp
-
Click OK to create the policy.
To configure security profiles on an FTP proxy policy in the CLI:
config firewall proxy-policy edit 3 set proxy ftp set dstintf "port1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set utm-status enable set av-profile "av" set dlp-profile "dlp" set ips-sensor "sensor-1" set application-list "app" next end