Create a custom Service element for redirecting traffic

Before you can redirect traffic to a proxy service, you must create a custom Service element. Create separate elements for each protocol.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Browse to Other Elements > Services.
  3. Right-click Services, then select New > TCP Service.
  4. Configure the settings.
  5. Click Select next to the Protocol field, then select the TCP Protocol Agent.
    You can use the FTP, SMTP, HTTP, or HTTPS Protocol Agent.
  6. On the Protocol Parameters tab, select the Proxy Server that represents the proxy service.
  7. Click OK.

TCP Service Properties dialog box

Use this dialog box to configure a custom TCP Service element.

Option Definition
General tab
Protocol Displays the protocol.
Name The name of the element.
Comment

(Optional)

A comment for your own reference.
Dst. Ports

(Optional)

Specifies the destination port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields.

(Either source or destination port is mandatory.)

Src. Ports

(Optional)

Specifies the source port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields.

(Either source or destination port is mandatory.)

Protocol Shows the assigned protocol. Click Select to select a Protocol Agent.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Option Definition
Protocol Parameters tab, common options
Reset Discards the changes and reverts to the previously saved default settings. Not available for all protocols.
Option Definition
Protocol Parameters tab, when Protocol is DNS or SSM DNS Proxy (TCP)
Enforce DNS protocol usage
  • On — The engine terminates traffic that is not using the DNS protocol.
  • Off — The engine allows traffic to pass even if the traffic is not DNS-related.
Deny DDNS updates
  • On — The engine terminates dynamic DNS (DDNS) update messages.
  • Off — The engine allows dynamic DNS (DDNS) update messages to pass.
Deny DNS zone transfers
  • On — The engine terminates DNS zone transfer messages.
  • Off — The engine allows DNS zone transfer messages to pass.
Enforce SafeSearch
  • On — The engine modifies DNS replies for Google search engines to enforce Google's SafeSearch feature.
  • Off — The engine does not modify DNS replies.
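As an added example (not Forcepoint code) of what the DNS options above check on the wire, the following Python builds constructed DNS questions and classifies them the way the settings describe: a message that does not parse as DNS is what Enforce DNS protocol usage terminates, an UPDATE opcode is a DDNS update, and an AXFR or IXFR query type is a zone transfer. The function names build_query, parse_question and decide are assumptions of this model.

```python
# Added example (not Forcepoint code): a minimal DNS message parser that applies
# the Enforce DNS protocol usage, Deny DDNS updates and Deny DNS zone transfers
# settings. Messages are in wire format without the 2-byte TCP length prefix.
import struct

OPCODE_UPDATE = 5              # RFC 2136 dynamic update
QTYPE_IXFR, QTYPE_AXFR = 251, 252


def build_query(name, qtype, opcode=0, txid=0x1234):
    """Build a constructed DNS message with one question (or one zone entry
    for an UPDATE, which uses the same wire layout)."""
    flags = (opcode & 0xF) << 11                       # QR=0, no other flags
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)   # QCLASS IN


def parse_question(msg):
    """Return (opcode, qname, qtype) of the first question, or None when the
    bytes are not a well-formed DNS message."""
    if len(msg) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    opcode = (flags >> 11) & 0xF
    if qdcount < 1:
        return opcode, "", None
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            return None
        n = msg[pos]
        if n == 0:
            pos += 1
            break
        if n & 0xC0 or pos + 1 + n > len(msg):     # no compression pointers in a question name
            return None
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if pos + 4 > len(msg):
        return None
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return opcode, ".".join(labels), qtype


def decide(msg, enforce_dns=True, deny_ddns=True, deny_zone_transfer=True):
    """Return 'allow' or the reason the engine would terminate the traffic."""
    parsed = parse_question(msg)
    if parsed is None:
        return "terminate: not DNS" if enforce_dns else "allow"
    opcode, qname, qtype = parsed
    if deny_ddns and opcode == OPCODE_UPDATE:
        return f"terminate: DDNS update for {qname}"
    if deny_zone_transfer and qtype in (QTYPE_AXFR, QTYPE_IXFR):
        return f"terminate: zone transfer ({qname})"
    return "allow"
```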
Option Definition
Protocol Parameters tab, when Protocol is FTP or SSM FTP Proxy
Allow related connections
  • On — Allows data connections to be opened with the control connection.
  • Off — Disables the Protocol Agent.
Allow active mode
  • Yes — Server is allowed to open data connections to the client (according to information exchanged in the control connection).
  • No — Server-initiated data connections are forbidden.
Allow passive mode
  • Yes — Client is allowed to open data connections to the server (according to information exchanged in the control connection).
  • No — Client-initiated data connections are forbidden.
Control data inspection mode

(Firewall only)

  • Strict — If commands that do not comply with the RFC 959 FTP standard are used, the connection is dropped.
  • Loose — The Protocol Agent tries to identify information for opening the data connection even if the communications do not strictly follow the FTP standards. Sometimes needed with non-standard FTP configurations.

Highest allowed source port for Active data connection

or

Lowest allowed source port for Active data connection

(Firewall only)

Enter a port value to limit the range of allowed source ports for active data connections on the server.

Value 0 for the lowest port means that the server always uses the port number immediately preceding the destination port. If the server uses a standard port, both the lowest and highest port number must be 0.

Redirect to Proxy Server

(Firewall only)

Select the Proxy Server to which the connections are redirected.

(Optional if the NGFW Engine version is 6.4 or higher) Specify the IP Address Translation Range (IPv4 only) and the Port Translation Range for the redirection. To specify a single IP address, enter the same IP address in both fields.

Note: This option is not supported for SSM Proxies.
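Added example (not Forcepoint code): a Python model of the FTP Protocol Agent decisions described above, applied to constructed control-channel lines. The RFC 959 command set used for Strict mode, the FtpAgentSettings field names and the evaluate function are assumptions of the model; the rule that a lowest port of 0 means the server uses the port immediately preceding the destination port is taken from the text.

```python
# Added example (not Forcepoint code): a model of the FTP Protocol Agent settings.
import re
from dataclasses import dataclass

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC959_COMMANDS = {  # assumed meaning of "comply with RFC 959" in Strict mode
    "USER", "PASS", "ACCT", "CWD", "CDUP", "SMNT", "QUIT", "REIN", "PORT", "PASV",
    "TYPE", "STRU", "MODE", "RETR", "STOR", "STOU", "APPE", "ALLO", "REST", "RNFR",
    "RNTO", "ABOR", "DELE", "RMD", "MKD", "PWD", "LIST", "NLST", "SITE", "SYST",
    "STAT", "HELP", "NOOP"}


@dataclass
class FtpAgentSettings:
    allow_active: bool = True      # Allow active mode
    allow_passive: bool = True     # Allow passive mode
    strict: bool = True            # Control data inspection mode: Strict or Loose
    lowest_src_port: int = 0       # Lowest allowed source port for Active data connection
    highest_src_port: int = 0      # Highest allowed source port for Active data connection
    control_dst_port: int = 21     # destination port of the control connection


def parse_hostport(text):
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 form into (ip, port), or None."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        return None
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def evaluate(line, settings, server_src_port=None):
    """Return (allowed, reason) for one control-connection line. A client PORT command
    announces active mode (server opens the data connection); a server 227 reply
    announces passive mode (client opens it). server_src_port is the port the server
    uses when it opens an active data connection."""
    word = line.split(" ", 1)[0].upper()
    if settings.strict and word.isalpha() and word not in RFC959_COMMANDS:
        return False, f"non-RFC 959 command {word}: connection dropped (Strict)"
    if word == "PORT":
        if not settings.allow_active:
            return False, "server-initiated data connections forbidden"
        if parse_hostport(line) is None:
            return False, "malformed PORT command"
        if server_src_port is not None:
            lo, hi = settings.lowest_src_port, settings.highest_src_port
            if lo == 0 and server_src_port != settings.control_dst_port - 1:
                return False, "server must use the port immediately preceding the destination port"
            if lo != 0 and not lo <= server_src_port <= hi:
                return False, f"source port {server_src_port} outside {lo}-{hi}"
        return True, "active data connection allowed"
    if word == "227":
        if not settings.allow_passive:
            return False, "client-initiated data connections forbidden"
        if parse_hostport(line) is None:
            return False, "malformed 227 reply"
        return True, "passive data connection allowed"
    return True, "no data connection announced"
```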
Option Definition
Protocol Parameters tab, when Protocol is HTTP or HTTPS
Logging of Accessed URLs
  • Yes — The URLs of sites that users access are included in generated log entries.
    Note: With HTTPS traffic, requires that the traffic is decrypted.
  • No — URLs are not included in generated log entries.
Optimized server stream fingerprinting
  • Yes — When matching connections to the Inspection rules, the server stream matching is done only for patterns that are valid for the client’s browser type and version.
  • No — All server stream patterns are matched.
Enforce SafeSearch
  • On — The engine modifies DNS replies for Google search engines to enforce Google's SafeSearch feature.
  • Off — The engine does not modify DNS replies.
HTTPS decryption and inspection

(HTTPS only)

Controls whether to decrypt HTTPS traffic.
  • For Application Identification — HTTPS traffic is decrypted for inspection only when application detection is used.
  • Yes — Enables HTTPS decryption and inspection.
  • No — HTTPS traffic is not decrypted for inspection.
HTTPS Inspection Exceptions

(HTTPS only)

Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption.

Click Select to select an HTTP Inspection Exceptions element.

Redirect to Proxy Server

(Firewall only)

Select the Proxy Server to which the connections are redirected.

(Optional if the NGFW Engine version is 6.4 or higher) Specify the IP Address Translation Range (IPv4 only) and the Port Translation Range for the redirection. To specify a single IP address, enter the same IP address in both fields.

Note: This option is not supported for SSM Proxies.
Option Definition
Protocol Parameters tab, when Protocol is HTTP with SSM HTTP Proxy
Logging of Accessed URLs
  • Yes — The URLs of sites that users access are included in generated log entries.
    Note: With HTTPS traffic, requires that the traffic is decrypted.
  • No — URLs are not included in generated log entries.
Optimized server stream fingerprinting
  • Yes — When matching connections to the Inspection rules, the server stream matching is done only for patterns that are valid for the client’s browser type and version.
  • No — All server stream patterns are matched.
Redirect to Proxy Server This option is not supported for SSM Proxies.
Enforce SafeSearch
  • On — The engine modifies DNS replies for Google search engines to enforce Google's SafeSearch feature.
  • Off — The engine does not modify DNS replies.
Enforce Strict Headers When selected, the proxy blocks HTTP requests and responses that do not comply with the HTTP protocol standards.
Log URLs When selected, the proxy logs the URLs in HTTP requests.
Request Validation When selected, the proxy validates HTTP requests. Selecting this option enables options in the following sections:
  • URL Control Options
  • URL Matches
  • Commands
URL Control Options section Specifies options for validation of URLs.
Disallow Unicode in URL Paths When selected, unicode-encoded text is not allowed in URL paths.
Disallow Unicode URL Queries When selected, unicode-encoded text is not allowed in query strings in URLs.
Enforce Strict URL Paths When selected, the proxy blocks URL paths that contain characters that are not allowed by the HTTP protocol standards.
Enforce Strict URL Queries When selected, the proxy blocks queries that contain characters that are not allowed by the HTTP protocol standards.
URL Normalization Validation Specifies how URL normalization is applied to HTTP requests.
  • Allow — Allows the request.
  • Allow and Log — Allows the request and creates a log entry.
  • Block and Log — Blocks the request and creates a log entry.
  • Off — URL normalization is not enabled.
Maximum URL Length Specifies the maximum number of characters allowed in URLs.
Require HTTP Version When selected, the proxy requires the HTTP request to include an HTTP version string. Selecting this option enables the following options:
  • Allow HTTP version 1.0
  • Allow HTTP version 1.1
Allow HTTP version 1.0 When selected, the proxy allows HTTP requests that specify HTTP version 1.0 as the version string.
Allow HTTP version 1.1 When selected, the proxy allows HTTP requests that specify HTTP version 1.1 as the version string.
URL Matches section Specifies rules for allowing or denying matching URLs.
Allow or Deny Specified URL Matches Specifies whether matching URLs are allowed or denied.
  • Allow — Matching URLs are allowed.
  • Deny — Matching URLs are denied.
URL Match List Specifies the criteria for matching URLs.
Match Type Specifies how the proxy matches the match criteria in the URL.
  • Contains — Matches when the URL contains the specified criteria.
  • Begins with — Matches when the URL begins with the specified criteria.
  • Ends with — Matches when the URL ends with the specified criteria.
Match Parameter Specifies the part of the URL where the proxy checks for the match criteria.
  • Host — The proxy checks the domain name for the match criteria.
  • Path — The proxy checks the URL path for the match criteria.
  • All — The proxy checks both the host and the path for the match criteria.
URL The matching criteria for the URL.
Add Adds a row to the table.
Remove Removes the selected row from the table.
Commands section Specifies the commands that the proxy allows in HTTP requests.
Allowed HTTP Commands
  • Any — The proxy allows any commands in HTTP requests.
  • Selected from List — The proxy allows only the selected commands in HTTP requests.
Content Control Specifies options for allowing or denying content in HTTP requests.
Deny SOAP When selected, the proxy denies the use of the Simple Object Access Protocol (SOAP) in HTTP requests.
Option Definition
Protocol Parameters tab, when Protocol is HTTP with SSM TCP Proxy or HTTPS with SSM TCP Proxy
Logging of Accessed URLs
  • Yes — The URLs of sites that users access are included in generated log entries.
    Note: With HTTPS traffic, requires that the traffic is decrypted.
  • No — URLs are not included in generated log entries.
Optimized server stream fingerprinting
  • Yes — When matching connections to the Inspection rules, the server stream matching is done only for patterns that are valid for the client’s browser type and version.
  • No — All server stream patterns are matched.
Redirect to Proxy Server

(Firewall only)

Select the Proxy Server to which the connections are redirected.

(Optional if the NGFW Engine version is 6.4 or higher) Specify the IP Address Translation Range (IPv4 only) and the Port Translation Range for the redirection. To specify a single IP address, enter the same IP address in both fields.

Note: This option is not supported for SSM Proxies.
Enforce SafeSearch
  • On — The engine modifies DNS replies for Google search engines to enforce Google's SafeSearch feature.
  • Off — The engine does not modify DNS replies.
HTTPS decryption and inspection

(HTTPS only)

Controls whether to decrypt HTTPS traffic.
  • For Application Identification — HTTPS traffic is decrypted for inspection only when application detection is used.
  • Yes — Enables HTTPS decryption and inspection.
  • No — HTTPS traffic is not decrypted for inspection.
HTTPS Inspection Exceptions

(HTTPS only)

Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption.

Click Select to select an HTTP Inspection Exceptions element.

Option Definition
Protocol Parameters tab, when Protocol is H.323
Allow related connections
  • On — The Protocol Agent monitors the H.323 connection and allows the related connections in Access and NAT rules.
  • Off — Disables the Protocol Agent.
Allow special logical channels through (No NAT)
  • Yes — Allows H.323 clients to open a special logical channel for audio and video without NAT.
  • No — Special logical channels are not allowed.
Option Definition
Protocol Parameters tab, when Protocol is IMAPS
IMAPS decryption and inspection Controls whether SSL/TLS-encrypted traffic is decrypted.
  • For Application Identification — SSL/TLS traffic is decrypted for inspection only when application detection is used.
  • No — SSL/TLS traffic is not decrypted for inspection.
  • Yes — Enables SSL/TLS decryption and inspection.
IMAPS Inspection Exceptions Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption. Click Select to select an HTTP Inspection Exceptions element.
Option Definition
Protocol Parameters tab, when Protocol is MSRPC
Allow related connections
  • On — Allows responses sent by the endpoint mapper (EPM) service.
  • Off — Disables the Protocol Agent.
Allow MS Exchange Remote administration service
  • Yes — Allows remote administration of the Microsoft Exchange server through the Exchange System Attendant service.
  • No — Prevents remote administration.
Allow MS Exchange user services
  • Yes — Allows the normal use of the Microsoft Outlook client; the Protocol Agent allows the use of Exchange Database service, Directory service, Information Store service, MTA service, and Store service.
  • No — Prevents end-user services.
Allow any UUID in endpoint mapping
  • Yes — Allows other MSRPC requests in addition to Outlook/Exchange.
  • No — The Service allows only Outlook/Exchange traffic.
Allow other RPC traffic
  • Yes — Allows message types that are not supported by the Protocol Agent to bypass the control connection.
  • No — Allows only supported message types (bind, bind ack, request, and response).
Option Definition
Protocol Parameters tab, when Protocol is Oracle
Allow related connections
  • On — Allows database connection based on information in the listener connection.
  • Off — Disables the Protocol Agent.
Max. length allowed for one TNS packet Enter the maximum amount of TCP payload data that each Oracle TNS packet is allowed to carry.
Netmask for allowed server addresses Enter a netmask for limiting the allowed traffic. The value 255.255.255.255 allows the database connection only to the address in which the Oracle Listener service is located. The value 0.0.0.0 allows database connections to all addresses.
Set checksum to zero for modified TNS packets
  • Yes — Resets the header and packet checksums to zero when the Protocol Agent modifies the packet payload data.
  • No — Checksums remain even when the packet is changed.
Option Definition
Protocol Parameters tab, when Protocol is POP3S
POP3S decryption and inspection Controls whether SSL/TLS-encrypted traffic is decrypted.
  • For Application Identification — SSL/TLS traffic is decrypted for inspection only when application detection is used.
  • No — SSL/TLS traffic is not decrypted for inspection.
  • Yes — Enables SSL/TLS decryption and inspection.
POP3S Inspection Exceptions Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption. Click Select to select an HTTP Inspection Exceptions element.
Option Definition
Protocol Parameters tab, when Protocol is Protocol Identification
SSL/TLS decryption and inspection Controls whether SSL/TLS-encrypted traffic is decrypted.
  • For Application Identification — SSL/TLS traffic is decrypted for inspection only when application detection is used.
  • No — SSL/TLS traffic is not decrypted for inspection.
  • Yes — Enables SSL/TLS decryption and inspection.
HTTPS Inspection Exceptions Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption.
Option Definition
Protocol Parameters tab, when Protocol is RTSP
Allow related connections
  • On — Related RTP and RTCP connections initiated with RTSP are allowed through the engine.
  • Off — Disables the Protocol Agent.
Option Definition
Protocol Parameters tab, when Protocol is Shell
Allow related connections
  • On — Standard error (stderr) stream is allowed through the firewall as a response to an RSH command.
  • Off — Disables the Protocol Agent.
Option Definition
Protocol Parameters tab, when Protocol is SIP
Allow related connections

(Firewall only)

  • On — Allows SIP media connections based on the signaling connection.
  • Off — Disables the Protocol Agent.
Enforce client side media
  • Yes — Requires that the media stream uses the same client-side address as the transport layer.
  • No — Media stream can use any address.
Enforce server side media
  • Yes — Requires that the media stream uses the same server-side address as the transport layer.
  • No — Media stream can use any address.
Maximum number of calls The maximum number of calls allowed by the Access rule. If the value is 0, no limit is set for the number of calls.
Option Definition
Protocol Parameters tab, when Protocol is SMTP
Redirect to Proxy Server

(Firewall only)

Select the Proxy Server to which the connections are redirected.

(Optional if the NGFW Engine version is 6.4 or higher) Specify the IP Address Translation Range (IPv4 only) and the Port Translation Range for the redirection. To specify a single IP address, enter the same IP address in both fields.

Note: This option is not supported for SSM Proxies.
Option Definition
Protocol Parameters tab, when Protocol is SSH or SSH with SSM TCP Proxy
Make protocol validation
  • On — Validates the SSH transfers according to the parameters defined in this dialog.
  • Off — Disables the Protocol Agent.
Bytes allowed from client before Server ID Amount of data that the client is allowed to send to the server before the server sends its own identification string.
Bytes allowed from server before Client ID Amount of data that the server can send to the client before the client sends its own identification string.
Bytes allowed from server before Server ID Amount of data that the server can send to the client before the server sends its own identification string.
Option Definition
Protocol Parameters tab, when Protocol is SunRPC
Learn RPC program number to port mapping for future RPC service matches When selected, the Protocol Agent is enabled.
Option Definition
Protocol Parameters tab, when Protocol is TCP Proxy
Abort on close Timeout in seconds for aborting a connection, counted from the moment one of the communicating parties initiates closing of the connection. The connection is aborted by sending TCP Reset packets to the unresponsive endpoint. Setting this value to 0 disables this timeout (connections are left open).
Idle timeout Timeout in seconds for closing a connection after the latest transmission. Setting this value to 0 disables this timeout (connections are left open).
Use proxy
  • On — Enables the Protocol Agent.
  • Off — Disables the Protocol Agent.