Create custom Service elements for Sidewinder Proxies

If the default Service elements for Sidewinder Proxies do not meet your needs, add custom Service elements for Sidewinder Proxies.

Add a custom Service element in the following cases:

  • You want to change the Protocol Parameters of the default Service elements for Sidewinder Proxies.
  • You want to use combined Protocol elements.
  • You want to apply the Sidewinder TCP Proxy or the Sidewinder UDP Proxy to TCP or UDP services.


Steps

  1. Select Configuration.
  2. Browse to Other Elements > Services.
  3. Create the Service element in one of the following ways:
    • To create an element with no settings predefined, right-click the branch for the type of Service you want to create, then select New > TCP Service or New > UDP Service.
    • To create a Service based on an existing TCP or UDP Service element, right-click the existing Service, then select New > Duplicate.
    • To create a Service based on one of the default Service elements for Sidewinder Proxies, browse to With Proxy, right-click the existing Service, then select New > Duplicate.
  4. In the Name field, enter a unique name.
  5. If you did not duplicate one of the default Service elements for Sidewinder Proxies, click Select next to the Protocol field, browse to TCP Proxy or UDP Proxy, then select an SSM Proxy Protocol element or a combined Protocol element.
  6. On the Protocol Parameters tab, select options according to your needs.
    Note: There are no configurable Protocol Parameters for the Sidewinder TCP Proxy or the Sidewinder UDP Proxy.
  7. Click OK.

Next steps

Use the custom Service element in the Access rules.

SSM SSH Service Properties dialog box

Use this dialog box to create a custom SSM SSH Service element and define Protocol Parameters.

Option Definition
General tab
Protocol Displays the Service protocol.
Name Specifies the Service name.
Comment Adds a comment for your own reference.
Dst. Ports (Optional) Specifies the destination port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. (Either source or destination port is mandatory.)
Src. Ports (Optional) Specifies the source port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. (Either source or destination port is mandatory.)

Protocol Shows the assigned protocol. Click Protocol Agent to open the Protocol Agent dialog box.
Category Shows the assigned category. Click Select to open the Category Selection for New Element dialog box.
Option Definition
Protocol Parameters tab
Allow X11 Forwarding When selected, the proxy allows X11 forwarding.
Allow Local Port Forwarding When selected, the proxy allows local port forwarding.
Allow Remote Port Forwarding When selected, the proxy allows remote port forwarding.
Allow Remote Command Execution When selected, the proxy allows remote command execution.
Allow Remote Shell Execution When selected, the proxy allows remote shell execution.
SFTP Commands section Contains options for the allowed SFTP commands in SSH traffic.
Allowed SFTP Commands Specifies the allowed SFTP commands in SSH traffic.
  • All — All SFTP commands are allowed.
  • None — No SFTP commands are allowed.
  • Selected from List — Only the selected SFTP commands are allowed.
Client Authentication section Contains settings for client authentication.
Client Connection Message Specifies a message that is shown to clients when they connect to the Sidewinder SSH Proxy.
Allowed Client Authentication Methods Specifies the allowed client authentication methods.
  • Any — Any of the client authentication methods are allowed.
  • Selected from List — Only the selected client authentication methods are allowed.
Client Advanced Settings section Defines settings for connections between the Sidewinder SSH Proxy and the client.
Preferred Host Key Types Shows the selected preferred host key types.
Edit Opens the Preferred Host Key Types dialog box.
Refuse Clients That Cannot Rekey When selected, the proxy refuses connections from SSH clients that cannot renegotiate the session key.
SSH Cryptographic Profile Shows the selected SSH Profile element for client connections. Click Select to open the Select SSH Profile dialog box.
Rekey Byte Limit Specifies the maximum number of bytes that can be transmitted before the session key is renegotiated.
Rekey Time Limit Specifies the maximum time, in seconds, before the session key is renegotiated.
Server Advanced Settings section Defines settings for connections between the Sidewinder SSH Proxy and the server.
Accepted Server Key Types Shows the accepted server key types.
Edit Opens the Accepted Server Key Types dialog box.
Server Host Key Validation Specifies which server host keys the proxy accepts.
  • Allow Any Host Key — The proxy accepts host keys for any server.
  • Use Strict Known Hosts List — The proxy accepts host keys only for servers that are in a Known Hosts List.
Refuse Servers That Cannot Rekey When selected, the proxy refuses connections from SSH servers that cannot renegotiate the session key.
SSH Cryptographic Profile Shows the selected SSH Profile element for server connections. Click Select to open the Select SSH Profile dialog box.
Rekey Byte Limit Specifies the maximum number of bytes that can be transmitted before the session key is renegotiated.
Rekey Time Limit Specifies the maximum time, in seconds, before the session key is renegotiated.
Reset Discards the changes and reverts to the previously saved default settings.

Preferred Host Key Types dialog box

Use this dialog box to specify the host key types that the Sidewinder SSH Proxy offers to the client when negotiating the key for the SSH connection with the client. The engine automatically selects a host key of the selected type from the host keys specified in the Engine Editor.

Option Definition
Available Lists the key types that are not selected.
Selected Lists the selected key types.
Add Adds the selected key type to the list.
Remove Removes the selected key type from the list.
Up Moves the selected key type up in the list.
Down Moves the selected key type down in the list.

Accepted Server Key Types dialog box

Use this dialog box to specify the host key types that the SSM SSH Proxy accepts from the server when negotiating the key for the SSH connection with the server.

Option Definition
Available Lists the key types that are not selected.
Selected Lists the selected key types.
Add Adds the selected key type to the list.
Remove Removes the selected key type from the list.
Up Moves the selected key type up in the list.
Down Moves the selected key type down in the list.

SSM HTTP Service Properties and SSM HTTPS Proxy Service dialog boxes

Use these dialog boxes to create custom SSM HTTP Service elements and define Protocol Parameters for HTTP or HTTPS traffic.

Option Definition
General tab
Protocol Shows the Service protocol.
Name Specifies the Service name.
Comment An optional comment for your own reference.
Dst. Ports (Optional) Specifies the destination port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. (Either source or destination port is mandatory.)
Src. Ports (Optional) Specifies the source port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. (Either source or destination port is mandatory.)

Protocol Shows the assigned protocol. Click Select to open the Protocol Agent dialog box.
Category Shows the assigned category. Click Select to open the Category Selection for New Element dialog box.
Option Definition
Protocol Parameters tab
Enforce Strict Headers When selected, the proxy blocks HTTP requests and responses that do not comply with the HTTP protocol standards.
Log URLs When selected, the proxy logs the URLs in HTTP requests.
Request Validation When selected, the proxy validates HTTP requests. Selecting this option enables options in the following sections:
  • URL Control Options
  • URL Matches
  • Commands
URL Control Options section Specifies options for validation of URLs.
Disallow Unicode in URL Paths When selected, Unicode-encoded text is not allowed in URL paths.
Disallow Unicode URL Queries When selected, Unicode-encoded text is not allowed in query strings in URLs.
Enforce Strict URL Paths When selected, the proxy blocks URL paths that contain characters that are not allowed by the HTTP protocol standards.
Enforce Strict URL Queries When selected, the proxy blocks queries that contain characters that are not allowed by the HTTP protocol standards.
URL Normalization Validation Specifies how URL normalization is applied to HTTP requests.
  • Allow — Allows the request.
  • Allow and Log — Allows the request and creates a log entry.
  • Block and Log — Blocks the request and creates a log entry.
  • Off — URL normalization is not enabled.
Maximum URL Length Specifies the maximum number of characters allowed in URLs.
Require HTTP Version When selected, the proxy requires the HTTP request to include an HTTP version string. Selecting this option enables the following options:
  • Allow HTTP version 1.0
  • Allow HTTP version 1.1
Allow HTTP version 1.0 When selected, the proxy allows HTTP requests that specify HTTP version 1.0 as the version string.
Allow HTTP version 1.1 When selected, the proxy allows HTTP requests that specify HTTP version 1.1 as the version string.
URL Matches section Specifies rules for allowing or denying matching URLs.
Allow or Deny Specified URL Matches Specifies whether matching URLs are allowed or denied.
  • Allow — Matching URLs are allowed.
  • Deny — Matching URLs are denied.
URL Match List Specifies the criteria for matching URLs.
Match Type Specifies how the proxy matches the match criteria in the URL.
  • Contains — Matches when the URL contains the specified criteria.
  • Begins with — Matches when the URL begins with the specified criteria.
  • Ends with — Matches when the URL ends with the specified criteria.
Match Parameter Specifies the part of the URL where the proxy checks for the match criteria.
  • Host — The proxy checks the domain name for the match criteria.
  • Path — The proxy checks the URL path for the match criteria.
  • All — The proxy checks both the host and the path for the match criteria.
URL The matching criteria for the URL.
Add Adds a row to the table.
Remove Removes the selected row from the table.
Commands section Specifies the commands that the proxy allows in HTTP requests.
Allowed HTTP Commands
  • Any — The proxy allows any commands in HTTP requests.
  • Selected from List — The proxy allows only the selected commands in HTTP requests.
Content Control Specifies options for allowing or denying content in HTTP requests.
Deny SOAP When selected, the proxy denies the use of simple object access protocol (SOAP) in HTTP requests.
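The Request Validation options above (Require HTTP Version, Maximum URL Length, the two Unicode options, the URL Match List with its Match Type and Match Parameter, and Allowed HTTP Commands) modelled as a rule check over constructed request lines. This is an added Python example, not the NGFW product's code; the class and function names are assumptions, as are the choice to treat "All" as host and path concatenated and "unicode-encoded" as raw non-ASCII or %uXXXX escapes.

```python
# Added illustration (not the NGFW product's code) of the Request Validation options above.
from dataclasses import dataclass, field
from typing import List, NamedTuple, Optional, Set, Tuple
from urllib.parse import urlsplit

class UrlMatch(NamedTuple):
    match_type: str   # "contains", "begins_with" or "ends_with"
    parameter: str    # "host", "path" or "all"
    value: str

@dataclass
class HttpProxyParams:
    max_url_length: int = 2048
    required_versions: Optional[Set[str]] = None  # None: version string not required
    disallow_unicode_paths: bool = True
    disallow_unicode_queries: bool = True
    url_match_action: str = "deny"                # "allow" or "deny" for matching URLs
    url_matches: List[UrlMatch] = field(default_factory=list)
    allowed_commands: Optional[Set[str]] = None   # None models "Any"

def _matches(rule: UrlMatch, host: str, path: str) -> bool:
    subject = {"host": host, "path": path}.get(rule.parameter, host + path)  # "all": both
    if rule.match_type == "contains":
        return rule.value in subject
    if rule.match_type == "begins_with":
        return subject.startswith(rule.value)
    return subject.endswith(rule.value)

def validate_request(line: str, p: HttpProxyParams) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request line such as 'GET <url> HTTP/1.1'."""
    fields = line.split()
    if len(fields) < 2:
        return False, "malformed request line"
    method, url = fields[0], fields[1]
    version = fields[2] if len(fields) > 2 else None
    parts = urlsplit(url)
    has_unicode = lambda s: not s.isascii() or "%u" in s.lower()  # assumption: raw non-ASCII or %uXXXX
    matched = any(_matches(r, parts.hostname or "", parts.path) for r in p.url_matches)
    checks = [  # evaluated in order; the first failing check gives the reason
        (p.required_versions is not None and version not in p.required_versions, "HTTP version missing or not allowed"),
        (len(url) > p.max_url_length, "URL too long"),
        (p.disallow_unicode_paths and has_unicode(parts.path), "unicode in URL path"),
        (p.disallow_unicode_queries and has_unicode(parts.query), "unicode in URL query"),
        (p.allowed_commands is not None and method not in p.allowed_commands, f"command {method} not allowed"),
        # a deny list blocks matching URLs; an allow list blocks URLs that match no entry
        (bool(p.url_matches) and matched == (p.url_match_action == "deny"), "blocked by URL Match List"),
    ]
    for failed, reason in checks:
        if failed:
            return False, reason
    return True, "ok"
```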
Decryption Options section (HTTPS only) Specifies options for decrypting HTTPS traffic.
Enforce TLS Decryption (HTTPS only) When selected, the proxy expects HTTPS traffic. Unless the traffic is excluded from decryption by an Access rule, the NGFW Engine decrypts the HTTPS traffic, then optionally applies the Sidewinder HTTP Proxy and inspection to the encapsulated HTML. After inspection, the NGFW Engine re-encrypts the HTTPS traffic. This option is selected by default in the SSM HTTPS Proxy Service element.
Enforce Certificate Host Name Check (HTTPS only) When selected, the proxy rejects the connection if the destination host name does not match the server certificate identity. This option is selected by default in the SSM HTTPS Proxy Service element.
Display Decryption Warning Page (HTTPS only) When selected, the proxy displays the decryption warning page before decrypting client connections. When the user allows the connection, an entry is added to the decryption warning page cache, and the decryption warning page is not shown to the same user again until the entry expires from the cache. By default, the entry stays in the decryption warning page cache for 12 hours. This option is selected by default in the SSM HTTPS Proxy Service element.
HTML (HTTPS only) The HTML source code for the message to display to the user. You can optionally customize the default message.
Reset Discards the changes and reverts to the previously saved default settings.