Create a Proxy Server element

Create a Proxy Server element that represents the proxy service.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Browse to Network Elements > Servers.
  3. Right-click Servers, then select New > Proxy Server.
  4. Configure the settings.
  5. On the Services tab, configure the details of the service to which traffic is redirected.
  6. Click OK.

Proxy Server Properties dialog box

Use this dialog box to change the properties of a Proxy Server.

Option Definition
General tab
Name: The name of the element.
Address: Enter the IPv4 or IPv6 address of the server. You can also add multiple IP addresses, separated by commas. Alternatively, you can enter an FQDN.
Resolve: Automatically resolves the IP addresses of the server if you entered a domain name in the Name field.
Location: Specifies the location for the server if there is a NAT device between the server and other SMC components.
Balancing Mode: If multiple IP addresses or an FQDN is defined, you can select how traffic is balanced.
  • First Available Server — The first IP address listed or resolved by DNS is used by default. Use this option when redirecting to the Forcepoint Web Security Cloud service.
  • According to Source — Traffic is distributed based on the client source. Clients that have the same source IP address are redirected to the same proxy.
  • According to Destination — Traffic is distributed based on the server destination. Clients that attempt to connect to a particular server (the same website, for example) are redirected to the same proxy. A benefit to using this option is that more traffic is cached.
  • According to Source and Destination — Traffic is more evenly balanced among proxies, taking both source and destination into account.
Contact Addresses
  • Default — Used by default whenever a component that belongs to another Location connects to this server.
  • Exceptions — Opens the Exceptions dialog box.
Secondary IP Addresses (Optional): The NGFW Engine associates the secondary IP address to the correct element when the IP address is used as the source or destination address in pass-through communications.
  Note: Secondary IP addresses are only used for routing and matching in Access rules. Do not add IP addresses of the proxy server or service.
  Click Add to add a row to the table, or Remove to remove the selected row.
Category (Optional): Includes the element in predefined categories. Click Select to select a category.
Tools Profile: Adds custom commands to the right-click menu. Click Select to select a Tools Profile.
Comment (Optional): A comment for your own reference.
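
The Balancing Mode options above differ in which part of a connection decides the proxy. The following added example (not Forcepoint code) models the four modes over constructed flows to show the stickiness each one gives. The SHA-256 hash is a stand-in, because the engine's actual selection algorithm is not described here, and the mode names, proxy addresses and flows are assumptions.

```python
import hashlib
from collections import defaultdict

PROXIES = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]  # constructed proxy addresses

def pick_proxy(mode, src, dst, proxies=PROXIES):
    """Choose a proxy for one connection under the named balancing mode."""
    if mode == "first_available":
        return proxies[0]  # first address listed or resolved by DNS
    key = {
        "source": src,
        "destination": dst,
        "source_and_destination": f"{src}|{dst}",
    }[mode]
    # Stand-in hash: equal keys always give the same proxy, which is the
    # property the option descriptions rely on.
    digest = hashlib.sha256(key.encode()).digest()
    return proxies[int.from_bytes(digest[:8], "big") % len(proxies)]

def spread(mode, flows, group_by):
    """Map each client (group_by=0) or destination (group_by=1) to the proxies it reached."""
    seen = defaultdict(set)
    for flow in flows:
        seen[flow[group_by]].add(pick_proxy(mode, *flow))
    return dict(seen)

# Constructed flows: 50 clients, each visiting the same three sites.
SITES = ("www.example.com", "www.example.org", "www.example.net")
FLOWS = [(f"10.0.0.{i}", site) for i in range(1, 51) for site in SITES]

if __name__ == "__main__":
    for mode in ("first_available", "source", "destination", "source_and_destination"):
        per_dst = max(len(p) for p in spread(mode, FLOWS, 1).values())
        per_src = max(len(p) for p in spread(mode, FLOWS, 0).values())
        print(f"{mode}: proxies per site={per_dst}, proxies per client={per_src}")
```

With According to Destination each site lands on exactly one proxy, so its content is cached once; with According to Source and Destination the same site is spread over several proxies.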
Option Definition
Services tab
Proxy Service Listening Port: The port that the NGFW Engine uses to communicate with the proxy service. This port is used for all protocols, unless overridden in the Protocol-Specific Listening Ports section. The default port is 8080.
Protocol-Specific Listening Ports: If you do not want to use the port defined in the Proxy Service Listening Port field for a particular protocol, select the protocol, then enter the port to use.
  • FTP — The default port is 21.
  • HTTP — The default port is 8080.
  • HTTPS — The default port is 8080.
  • SMTP — The default port is 25.
Proxy Service
  • Forcepoint Web Security Cloud — Traffic is redirected to the Forcepoint Web Security Cloud. A separate license and credentials are needed.
    Note: If you do not have credentials for the Forcepoint Web Security Cloud service, use the Generic Proxy option, and configure the Forcepoint Web Security Cloud to allow connections from Forcepoint NGFW. For more information, see the Forcepoint Web Security Cloud documentation at https://support.forcepoint.com/Documentation.
  • Generic Proxy — Traffic is redirected to the proxy service, and you can select to include some additional HTTP headers.
  • Redirect Only — Traffic is redirected to another server without modifying the payload.
Customer ID (When the Proxy Service is Forcepoint Web Security Cloud): Enter the customer ID of your Forcepoint Web Security Cloud account.
Key ID (When the Proxy Service is Forcepoint Web Security Cloud): To avoid downtime when updating the password used to access the Forcepoint Web Security Cloud, you can configure more than one password in the Forcepoint Web Security Cloud service, and assign each password to a Key ID. See the following example of use:
  1. Three NGFW Engines are configured to use Key ID 1. The password for Key ID 1 is 123xxxxxx.
  2. In the Forcepoint Web Security Cloud, an additional password is added (321yyyyyy), and assigned to Key ID 2.
  3. One by one, the three NGFW Engines are configured to use Key ID 2.

    Because both Key ID 1 and Key ID 2 can be used to access the Forcepoint Web Security Cloud, there is no downtime.

  4. After all the NGFW Engines are configured to use Key ID 2, in the Forcepoint Web Security Cloud, the password for Key ID 1 can be removed.
Password (When the Proxy Service is Forcepoint Web Security Cloud): Enter the password used to log on to the service.

When Hide is selected, the password is not shown as plain text. Deselect this option to show the password. This option is selected by default.

Trust Host Header (When the Proxy Service is Generic Proxy): When selected, the host header is trusted.

  • HTTP connections — The GET request includes the domain name instead of the original destination IP address. If the domain name is used, DNS resolution is done by the proxy service.
  • HTTPS connections — If the client TLS handshake handled at the NGFW Engine contains the server name indication (SNI) field, the CONNECT request to the proxy service uses the domain name from the SNI field instead of the original destination IP address.
Note: For security reasons, we recommend that you use this option only if both ends involved in the communication are trusted.
Add X-Forwarded-For Header (When the Proxy Service is Generic Proxy): When selected, the X-Forwarded-For header is included in requests. This header reports the original source IP address of the client.
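
With Trust Host Header selected, the name sent to the proxy comes from the client's Host header or SNI field rather than from the original destination IP address. The following added example (not Forcepoint code) audits connection records and lists those where the client-supplied name does not map to the address the client actually connected to. The record fields (`src_ip`, `dst_ip`, `name`) and all sample data are constructed assumptions, not an SMC log format.

```python
import ipaddress
import socket

def host_only(value):
    """Strip an optional :port, IPv6 brackets and trailing dot from a Host/SNI value."""
    value = value.strip().lower()
    if value.startswith("["):              # [2001:db8::1]:8080
        return value[1:].partition("]")[0]
    if value.count(":") == 1:              # name:port or IPv4:port
        value = value.split(":")[0]
    return value.rstrip(".")

def dns_resolver(name):
    """Default resolver: the addresses DNS returns for the name right now."""
    return {ipaddress.ip_address(i[4][0]) for i in socket.getaddrinfo(name, None)}

def audit(records, resolver=dns_resolver):
    """Return records whose client-supplied name does not map to the original destination IP."""
    findings = []
    for rec in records:
        if not rec.get("name"):
            continue                       # no Host/SNI: the destination IP is used
        host = host_only(rec["name"])
        try:
            answers = {ipaddress.ip_address(host)}   # the name is an IP literal
        except ValueError:
            try:
                answers = resolver(host)
            except OSError:                          # lookup failed
                answers = set()
        if ipaddress.ip_address(rec["dst_ip"]) not in answers:
            reason = "mismatch" if answers else "unresolvable"
            findings.append({**rec, "reason": reason})
    return findings

# Constructed sample data (documentation address ranges), not real logs.
SAMPLE_DNS = {"intranet.example.com": {"192.0.2.10"},
              "www.example.org": {"198.51.100.7", "2001:db8::7"}}
SAMPLE_RECORDS = [
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "name": "intranet.example.com:8080"},
    {"src_ip": "10.0.0.6", "dst_ip": "203.0.113.9", "name": "www.example.org"},
    {"src_ip": "10.0.0.7", "dst_ip": "203.0.113.9", "name": None},
    {"src_ip": "10.0.0.8", "dst_ip": "2001:db8::7", "name": "WWW.Example.ORG."},
    {"src_ip": "10.0.0.9", "dst_ip": "198.51.100.7", "name": "no-such-host.example"},
]

def sample_resolver(name):
    """Offline resolver backed by SAMPLE_DNS; raises OSError like a failed lookup."""
    if name not in SAMPLE_DNS:
        raise OSError(name)
    return {ipaddress.ip_address(a) for a in SAMPLE_DNS[name]}
```

DNS answers for load-balanced or CDN-hosted names vary by resolver and time, so treat findings as candidates for review rather than as proof of a forged name.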
Option Definition
Monitoring tab
Log Server: The Log Server that monitors the status of the element.
Status Monitoring: When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Home view.
Probing Profile: Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element.
Log Reception: Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected.
Logging Profile: Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element.
Time Zone: Selects the time zone for the logs.
Encoding: Selects the character set for log files.
SNMP Trap Reception: Enables the reception of SNMP traps from the third-party device.
NetFlow Reception: Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10).
Option Definition
NAT tab
Firewall: Shows the selected firewall.
NAT Type: Shows the NAT translation type: Static or Dynamic.
Private IP Address: Shows the Private IP Address.
Public IP Address: Shows the defined Public IP Address.
Port Filter: Shows the selected Port Filters.
Comment: An optional comment for your own reference.
Add NAT Definition: Opens the NAT Definition Properties dialog box.
Edit NAT Definition: Opens the NAT Definition Properties dialog box for the selected definition.
Remove NAT Definition: Removes the selected NAT definition from the list.