Sidewinder HTTP Proxy

You can use the Sidewinder HTTP Proxy with HTTP and HTTPS traffic to enforce strict protocol standards, log URLs in requests, validate requests, and block some types of content in requests.

You can use the Sidewinder HTTP Proxy with or without decryption.

  • When decryption is enabled, the NGFW Engine decrypts HTTPS traffic, then applies the Sidewinder HTTP Proxy and optionally inspection to the encapsulated HTML. After inspection, the NGFW Engine re-encrypts the HTTPS traffic.
  • When decryption is not enabled, the Sidewinder HTTP Proxy only validates HTTPS traffic to make sure that the traffic contains valid HTTPS protocol messages.

Using the Sidewinder HTTP Proxy with decryption for HTTPS traffic provides the following benefits compared to the standard TLS inspection feature:

  • The Sidewinder HTTP Proxy can remove TCP options from HTTPS traffic.
  • The Sidewinder HTTP Proxy can present a configurable warning page to inform users that their traffic is being decrypted.

Decrypting and re-encrypting HTTPS traffic requires the following configurations:

  • You must have a Client Protection CA and other elements required for TLS inspection. To avoid certificate-related warnings in end users’ web browsers, the client protection CA certificate must be imported as a trusted certificate in the browsers.
    Note: The Sidewinder HTTP Proxy only provides client protection. The Sidewinder HTTP Proxy does not provide server protection for servers in the internal network. The Sidewinder HTTP Proxy is not compatible with servers that use client certificates for authentication.
  • You must configure an external DNS resolver, and select one or more DNS IP addresses in the Engine Editor. The DNS resolver must be functioning and available to provide DNS results to the engine.
  • To allow the certificate manager to communicate with an external certificate revocation list (CRL) server, you must add an Access rule that allows HTTP traffic on port 80 between the firewall and the Internet for making Online Certificate Status Protocol (OCSP) queries and fetching CRLs.

The Decryption option in the Allow Action Options in Access rules defines whether traffic that matches the rule is decrypted. To exclude specific traffic from decryption by the SSM HTTP Proxy, add the following type of Access rule:

Source:      Source IP address
Destination: Destination IP address
Service:     One or more of the following Service elements:
               • SSM HTTPS Proxy
               • A custom Service element that uses the SSM HTTP Proxy Protocol
Action:      Allow
               Decryption: Disallowed