Create custom Service elements for Sidewinder Proxies

If the default Service elements for Sidewinder Proxies do not meet your needs, add custom Service elements for Sidewinder Proxies.

Add a custom Service element in the following cases:

You want to change the Protocol Parameters of the default Service elements for Sidewinder Proxies.
You want to use combined Protocol elements.
You want to apply the Sidewinder TCP Proxy or the Sidewinder UDP Proxy to TCP or UDP services.

For more details about the product and how to configure features, click Help or press F1.

Steps

Select Configuration.
Browse to Other Elements > Services.
Create the Service element in one of the following ways:
- To create an element with no settings predefined, right-click the branch for the type of Service you want to create, then select New > TCP Service or New > UDP Service.
- To create a Service based on an existing TCP or UDP Service element, right-click the existing Service, then select New > Duplicate.
- To create a Service based on one of the default Service elements for Sidewinder Proxies, browse to With Proxy, right-click the existing Service, then select New > Duplicate.
In the Name field, enter a unique name.
If you did not duplicate one of the default Service elements for Sidewinder Proxies, click Select next to the Protocol field, browse to TCP Proxy or UDP Proxy, then select an SSM Proxy Protocol element or a combined Protocol element.
On the Protocol Parameters tab, select options according to your needs.

Note: There are no configurable Protocol Parameters for the Sidewinder TCP Proxy or the Sidewinder UDP Proxy.
Click OK.

Next steps

Use the custom Service element in the Access rules.

SSM SSH Service Properties dialog box

Use this dialog box to create a custom SSM SSH Service element and define Protocol Parameters.

Option	Definition
General tab
Protocol	Displays the Service protocol.
Name	Specifies the Service name.
Comment	Adds a comment for your own reference.
Dst. Ports (Optional)	Specifies the destination port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. (Either source or destination port is mandatory.)
Src. Ports (Optional)	Specifies the source port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. (Either source or destination port is mandatory.)
Protocol	Shows the assigned protocol. Click Protocol Agent to open the Protocol Agent dialog box.
Category	Shows the assigned category. Click Select to open the Category Selection for New Element dialog box.

Option	Definition
Protocol Parameters tab
Allow X11 Forwarding	When selected, the proxy allows X11 forwarding.
Allow Local Port Forwarding	When selected, the proxy allows local port forwarding.
Allow Remote Port Forwarding	When selected, the proxy allows remote port forwarding.
Allow Remote Command Execution	When selected, the proxy allows remote command execution.
Allow Remote Shell Execution	When selected, the proxy allows remote shell execution.
SFTP Commands section	Contains options for the allowed SFTP commands in SSH traffic.
Allowed SFTP Commands	Specifies the allowed SFTP commands in SSH traffic. All — All SFTP commands are allowed. None — No SFTP commands are allowed. Selected from List — Only the selected SFTP commands are allowed.
Client Authentication section	Contains settings for client authentication.
Client Connection Message	Specifies a message that is shown to clients when they connect to the Sidewinder SSH Proxy.
Allowed Client Authentication Methods	Specifies the allowed client authentication methods. Any — Any of the client connection methods are allowed. Selected from List — Only the selected client authentication methods are allowed.
Client Advanced Settings section	Defines settings for connections between the Sidewinder SSH Proxy and the client.
Preferred Host Key Types	Shows the selected preferred host key types.
Edit	Opens the Preferred Host Key Types dialog box.
Refuse Clients That Cannot Rekey	When selected, the proxy refuses connections from SSH clients that cannot renegotiate the session key.
SSH Cryptographic Profile	Shows the selected SSH Profile element for client connections. Click Select to open the Select SSH Profile dialog box.
Rekey Byte Limit	Specifies the maximum number of bytes that can be transmitted before the session key is renegotiated.
Rekey Time Limit	Specifies the maximum time, in seconds, before the session key is renegotiated.
Server Advanced Settings section	Defines settings for connections between the Sidewinder SSH Proxy and the server.
Accepted Server Key Types	Shows the accepted server key types.
Edit	Opens the Accepted Server Key Types dialog box.
Server Host Key Validation	Specifies which server host keys the proxy accepts. Allow Any Host Key — The proxy accepts host keys for any server. Use Strict Known Hosts List — The proxy accepts host keys only for servers that are in a Known Hosts List.
Refuse Servers That Cannot Rekey	When selected, the proxy refuses connections from SSH servers that cannot renegotiate the session key.
SSH Cryptographic Profile	Shows the selected SSH Profile element for server connections. Click Select to open the Select SSH Profile dialog box.
Rekey Byte Limit	Specifies the maximum number of bytes that can be transmitted before the session key is renegotiated.
Rekey Time Limit	Specifies the maximum time, in seconds, before the session key is renegotiated.
Reset	Discards the changes and reverts to the previously saved default settings.

Preferred Host Key Types dialog box

Use this dialog box to specify the host key types that the Sidewinder SSH Proxy offers to the client when negotiating the key for the SSH connection with the client. The engine automatically selects a host key of the selected type from the host keys specified in the Engine Editor.

Option	Definition
Available	Lists the key types that are not selected.
Selected	Lists the selected key types.
Add	Adds the selected key type to the list.
Remove	Removes the selected key type from the list.
Up	Moves the selected key type up in the list.
Down	Moves the selected key type down in the list.

Accepted Server Key Types dialog box

Use this dialog box to specify the host key types that the SSM SSH Proxy accepts from the server when negotiating the key for the SSH connection with the server.

Option	Definition
Available	Lists the key types that are not selected.
Selected	Lists the selected key types.
Add	Adds the selected key type to the list.
Remove	Removes the selected key type from the list.
Up	Moves the selected key type up in the list.
Down	Moves the selected key type down in the list.

SSM HTTP Service Properties and SSM HTTPS Proxy Service dialog boxes

Use these dialog boxes to create custom SSM HTTP Service elements and define Protocol Parameters for HTTP or HTTPS traffic.

Option	Definition
General tab
Protocol	Shows the Service protocol.
Name	Specifies the Service name.
Comment	An optional comment for your own reference.
Dst. Ports (Optional)	Specifies the destination port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. (Either source or destination port is mandatory.)
Src. Ports (Optional)	Specifies the source port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. (Either source or destination port is mandatory.)
Protocol	Shows the assigned protocol. Click Select to open the Protocol Agent dialog box.
Category	Shows the assigned category. Click Select to open the Category Selection for New Element dialog box.

Option	Definition
Protocol Parameters tab
Enforce Strict Headers	When selected, the proxy blocks HTTP requests and responses that do not comply with the HTTP protocol standards.
Log URLs	When selected, the proxy logs the URLs in HTTP requests.
Request Validation	When selected, the proxy validates HTTP requests. Selecting this option enables options in the following sections: URL Control Options URL Matches Commands
URL Control Options section	Specifies options for validation of URLs.
Disallow Unicode in URL Paths	When selected, unicode-encoded text is not allowed in URL paths.
Disallow Unicode URL Queries	When selected, unicode-encoded text is not allowed in query strings in URLs.
Enforce Strict URL Paths	When selected, the proxy blocks URL paths that contain characters that are not allowed by the HTTP protocol standards.
Enforce Strict URL Queries	When selected, the proxy blocks queries that contain characters that are not allowed by the HTTP protocol standards.
URL Normalization Validation	Specifies how URL normalization is applied to HTTP requests. Allow — Allows the request. Allow and Log — Allows the request and creates a log entry. Block and Log — Blocks the request and creates a log entry. Off — URL normalization is not enabled.
Maximum URL Length	Specifies the maximum number of characters allowed in URLs.
Require HTTP Version	When selected, the proxy requires the HTTP request to include an HTTP version string. Selecting this option enables the following options: Allow HTTP version 1.0 Allow HTTP version 1.1
Allow HTTP version 1.0	When selected, the proxy allows HTTP requests that specify HTTP version 1.0 as the version string.
Allow HTTP version 1.1	When selected, the proxy allows HTTP requests that specify HTTP version 1.1 as the version string.
URL Matches section	Specifies rules for allowing or denying matching URLs.
Allow or Deny Specified URL Matches	Specifies whether matching URLs are allowed or denied. Allow — Matching URLs are allowed. Deny — Matching URLs are denied.
URL Match List	Specifies the criteria for matching URLs.
Match Type	Specifies how the proxy matches the match criteria in the URL. Contains — Matches when the URL contains the specified criteria. Begins with — Matches when the URL begins with the specified criteria. Ends with — Matches when the URL ends with the specified criteria.
Match Parameter	Specifies the part of the URL where the proxy checks for the match criteria. Host — The proxy checks the domain name for the match criteria. Path — The proxy checks the URL path for the match criteria. All — The proxy checks both the host and the path for the match criteria.
URL	The matching criteria for the URL.
Add	Adds a row to the table.
Remove	Removes the selected row from the table.
Commands section	Specifies the commands that the proxy allows in HTTP requests.
Allowed HTTP Commands	Any — The proxy allows any commands in HTTP requests. Selected from List — The proxy allows only the selected commands in HTTP requests.
Content Control	Specifies options for allowing or denying content in HTTP requests.
Deny SOAP	When selected, the proxy denies the use of simple object access protocol (SOAP) in HTTP requests.
Decryption Options section (HTTPS only)	Specifies options for decrypting HTTPS traffic.
Enforce TLS Decryption (HTTPS only)	When selected, the proxy expects HTTPS traffic. Unless the traffic is excluded from decryption by an Access rule, the NGFW Engine decrypts HTTPS traffic, then optionally applies the Sidewinder HTTP Proxy and optionally inspection to the encapsulated HTML. After inspection, the NGFW Engine re-encrypts the HTTPS traffic. This option is selected by default in the SSM HTTPS Proxy Service element.
Enforce Certificate Host Name Check (HTTPS only)	When selected, the proxy rejects the connection if the destination host name does not match the server certificate identity. This option is selected by default in the SSM HTTPS Proxy Service element.
Display Decryption Warning Page (HTTPS only)	When selected, the proxy displays the decryption warning page before decrypting client connections. When the user allows the connection, an entry is added to the decryption warning page cache. The decryption warning page is not shown to the same user again until the entry expires from the cache. By default, the entry stays in the decryption warning page cache for 12 hours. This option is selected by default in the SSM HTTPS Proxy Service element.
HTML (HTTPS only)	The HTML source code for the message to display to the user. You can optionally customize the default message.
Reset	Discards the changes and reverts to the previously saved default settings.