Create custom Service elements for Sidewinder Proxies
If the default Service elements for Sidewinder Proxies do not meet your needs, add custom Service elements for Sidewinder Proxies.
Add a custom Service element in the following cases:
- You want to change the Protocol Parameters of the default Service elements for Sidewinder Proxies.
- You want to use combined Protocol elements.
- You want to apply the Sidewinder TCP Proxy or the Sidewinder UDP Proxy to TCP or UDP services.
For more details about the product and how to configure features, click Help or press F1.
SSM SSH Service Properties dialog box
Use this dialog box to create a custom SSM SSH Service element and define Protocol Parameters.
Option | Definition |
---|---|
General tab | |
Protocol | Displays the Service protocol. |
Name | Specifies the Service name. |
Comment | Adds a comment for your own reference. |
Dst. Ports (Optional) | Specifies the destination port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. (Either source or destination port is mandatory.) |
Src. Ports (Optional) | Specifies the source port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. (Either source or destination port is mandatory.) |
Protocol | Shows the assigned protocol. Click Protocol Agent to open the Protocol Agent dialog box. |
Category | Shows the assigned category. Click Select to open the Category Selection for New Element dialog box. |
Option | Definition |
---|---|
Protocol Parameters tab | |
Allow X11 Forwarding | When selected, the proxy allows X11 forwarding. |
Allow Local Port Forwarding | When selected, the proxy allows local port forwarding. |
Allow Remote Port Forwarding | When selected, the proxy allows remote port forwarding. |
Allow Remote Command Execution | When selected, the proxy allows remote command execution. |
Allow Remote Shell Execution | When selected, the proxy allows remote shell execution. |
SFTP Commands section | Contains options for the allowed SFTP commands in SSH traffic. |
Allowed SFTP Commands | Specifies the allowed SFTP commands in SSH traffic. |
Client Authentication section | Contains settings for client authentication. |
Client Connection Message | Specifies a message that is shown to clients when they connect to the Sidewinder SSH Proxy. |
Allowed Client Authentication Methods | Specifies the allowed client authentication methods. |
Client Advanced Settings section | Defines settings for connections between the Sidewinder SSH Proxy and the client. |
Preferred Host Key Types | Shows the selected preferred host key types. |
Edit | Opens the Preferred Host Key Types dialog box. |
Refuse Clients That Cannot Rekey | When selected, the proxy refuses connections from SSH clients that cannot renegotiate the session key. |
SSH Cryptographic Profile | Shows the selected SSH Profile element for client connections. Click Select to open the Select SSH Profile dialog box. |
Rekey Byte Limit | Specifies the maximum number of bytes that can be transmitted before the session key is renegotiated. |
Rekey Time Limit | Specifies the maximum time, in seconds, before the session key is renegotiated. |
Server Advanced Settings section | Defines settings for connections between the Sidewinder SSH Proxy and the server. |
Accepted Server Key Types | Shows the accepted server key types. |
Edit | Opens the Accepted Server Key Types dialog box. |
Server Host Key Validation | Specifies which server host keys the proxy accepts. |
Refuse Servers That Cannot Rekey | When selected, the proxy refuses connections from SSH servers that cannot renegotiate the session key. |
SSH Cryptographic Profile | Shows the selected SSH Profile element for server connections. Click Select to open the Select SSH Profile dialog box. |
Rekey Byte Limit | Specifies the maximum number of bytes that can be transmitted before the session key is renegotiated. |
Rekey Time Limit | Specifies the maximum time, in seconds, before the session key is renegotiated. |
Reset | Discards the changes and reverts to the previously saved default settings. |
Preferred Host Key Types dialog box
Use this dialog box to specify the host key types that the Sidewinder SSH Proxy offers to the client when negotiating the key for the SSH connection with the client. The engine automatically selects a host key of the selected type from the host keys specified in the Engine Editor.
Option | Definition |
---|---|
Available | Lists the key types that are not selected. |
Selected | Lists the selected key types. |
Add | Adds the selected key type to the list. |
Remove | Removes the selected key type from the list. |
Up | Moves the selected key type up in the list. |
Down | Moves the selected key type down in the list. |
Accepted Server Key Types dialog box
Use this dialog box to specify the host key types that the SSM SSH Proxy accepts from the server when negotiating the key for the SSH connection with the server.
Option | Definition |
---|---|
Available | Lists the key types that are not selected. |
Selected | Lists the selected key types. |
Add | Adds the selected key type to the list. |
Remove | Removes the selected key type from the list. |
Up | Moves the selected key type up in the list. |
Down | Moves the selected key type down in the list. |
SSM HTTP Service Properties and SSM HTTPS Proxy Service dialog boxes
Use these dialog boxes to create custom SSM HTTP Service elements and define Protocol Parameters for HTTP or HTTPS traffic.
Option | Definition |
---|---|
General tab | |
Protocol | Shows the Service protocol. |
Name | Specifies the Service name. |
Comment | An optional comment for your own reference. |
Dst. Ports (Optional) | Specifies the destination port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. (Either source or destination port is mandatory.) |
Src. Ports (Optional) | Specifies the source port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields. (Either source or destination port is mandatory.) |
Protocol | Shows the assigned protocol. Click Select to open the Protocol Agent dialog box. |
Category | Shows the assigned category. Click Select to open the Category Selection for New Element dialog box. |
Option | Definition |
---|---|
Protocol Parameters tab | |
Enforce Strict Headers | When selected, the proxy blocks HTTP requests and responses that do not comply with the HTTP protocol standards. |
Log URLs | When selected, the proxy logs the URLs in HTTP requests. |
Request Validation | When selected, the proxy validates HTTP requests. Selecting this option enables options in the following sections. |
URL Control Options section | Specifies options for validation of URLs. |
Disallow Unicode in URL Paths | When selected, unicode-encoded text is not allowed in URL paths. |
Disallow Unicode URL Queries | When selected, unicode-encoded text is not allowed in query strings in URLs. |
Enforce Strict URL Paths | When selected, the proxy blocks URL paths that contain characters that are not allowed by the HTTP protocol standards. |
Enforce Strict URL Queries | When selected, the proxy blocks queries that contain characters that are not allowed by the HTTP protocol standards. |
URL Normalization Validation | Specifies how URL normalization is applied to HTTP requests. |
Maximum URL Length | Specifies the maximum number of characters allowed in URLs. |
Require HTTP Version | When selected, the proxy requires the HTTP request to include an HTTP version string. Selecting this option enables the following options. |
Allow HTTP version 1.0 | When selected, the proxy allows HTTP requests that specify HTTP version 1.0 as the version string. |
Allow HTTP version 1.1 | When selected, the proxy allows HTTP requests that specify HTTP version 1.1 as the version string. |
URL Matches section | Specifies rules for allowing or denying matching URLs. |
Allow or Deny Specified URL Matches | Specifies whether matching URLs are allowed or denied. |
URL Match List | Specifies the criteria for matching URLs. |
Match Type | Specifies how the proxy matches the match criteria in the URL. |
Match Parameter | Specifies the part of the URL where the proxy checks for the match criteria. |
URL | The matching criteria for the URL. |
Add | Adds a row to the table. |
Remove | Removes the selected row from the table. |
Commands section | Specifies the commands that the proxy allows in HTTP requests. |
Allowed HTTP Commands | |
Content Control | Specifies options for allowing or denying content in HTTP requests. |
Deny SOAP | When selected, the proxy denies the use of simple object access protocol (SOAP) in HTTP requests. |
Decryption Options section (HTTPS only) | Specifies options for decrypting HTTPS traffic. |
Enforce TLS Decryption (HTTPS only) | When selected, the proxy expects HTTPS traffic. Unless the traffic is excluded from decryption by an Access rule, the NGFW Engine decrypts HTTPS traffic, then optionally applies the Sidewinder HTTP Proxy and optionally inspection to the encapsulated HTML. After inspection, the NGFW Engine re-encrypts the HTTPS traffic. This option is selected by default in the SSM HTTPS Proxy Service element. |
Enforce Certificate Host Name Check (HTTPS only) | When selected, the proxy rejects the connection if the destination host name does not match the server certificate identity. This option is selected by default in the SSM HTTPS Proxy Service element. |
Display Decryption Warning Page (HTTPS only) | When selected, the proxy displays the decryption warning page before decrypting client connections. When the user allows the connection, an entry is added to the decryption warning page cache. The decryption warning page is not shown to the same user again until the entry expires from the cache. By default, the entry stays in the decryption warning page cache for 12 hours. This option is selected by default in the SSM HTTPS Proxy Service element. |
HTML (HTTPS only) | The HTML source code for the message to display to the user. You can optionally customize the default message. |
Reset | Discards the changes and reverts to the previously saved default settings. |
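To make the Request Validation options in the table above concrete, the following is an added example (not product code from the SSM or the NGFW Engine) of a small request-line validator that applies the same kinds of checks: Require HTTP Version with Allow HTTP version 1.0/1.1, Maximum URL Length, Disallow Unicode in URL Paths/Queries, Enforce Strict URL Paths/Queries, and an allow-or-deny URL Match List. The field names, the treatment of any non-ASCII code point as "unicode-encoded text", the strict character set (RFC 3986 pchar plus "/" and "?"), and the match types "exact", "prefix" and "contains" with match parameters "path", "query" and "url" are all assumptions made for the example; the page does not list the product's actual values. Sample request lines are constructed.

```python
from dataclasses import dataclass, field

# Characters permitted unencoded in a URL path (RFC 3986 pchar plus "/");
# the query additionally permits "?". Anything else fails the strict checks.
# This character set is an assumption for the example, not the product's.
PATH_SAFE = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~%!$&'()*+,;=:@/"
)
QUERY_SAFE = PATH_SAFE | frozenset("?")


@dataclass
class RequestValidation:
    """Mirrors the Request Validation options from the table (names assumed)."""
    disallow_unicode_in_paths: bool = True
    disallow_unicode_in_queries: bool = True
    enforce_strict_url_paths: bool = True
    enforce_strict_url_queries: bool = True
    maximum_url_length: int = 2048
    require_http_version: bool = True
    allow_http_1_0: bool = False
    allow_http_1_1: bool = True
    # URL Match List entries: (match_type, match_parameter, pattern).
    # match_type: "exact" | "prefix" | "contains"; match_parameter: "path" | "query" | "url".
    url_matches: list = field(default_factory=list)
    # "Allow or Deny Specified URL Matches": True denies matching URLs,
    # False denies everything that does NOT match (assumed semantics).
    deny_matches: bool = True


def _url_match_hit(entry, path, query, target):
    match_type, parameter, pattern = entry
    subject = {"path": path, "query": query, "url": target}[parameter]
    if match_type == "exact":
        return subject == pattern
    if match_type == "prefix":
        return subject.startswith(pattern)
    if match_type == "contains":
        return pattern in subject
    raise ValueError(f"unknown match type {match_type!r}")


def _strict_violation(text, safe, unicode_handled_elsewhere):
    # When the unicode option already reports non-ASCII, the strict check only
    # looks at ASCII so one bad character is not reported twice.
    return any(
        c not in safe and (ord(c) <= 127 or not unicode_handled_elsewhere)
        for c in text
    )


def validate_request_line(line: str, cfg: RequestValidation) -> list:
    """Return the list of violations for one HTTP request line; [] means it passes."""
    parts = line.split(" ")
    if len(parts) == 2:
        method, target, version = parts[0], parts[1], None
    elif len(parts) == 3:
        method, target, version = parts
    else:
        return ["malformed request line"]

    violations = []
    if cfg.require_http_version:
        if version is None:
            violations.append("missing HTTP version")
        elif version == "HTTP/1.0" and not cfg.allow_http_1_0:
            violations.append("HTTP/1.0 not allowed")
        elif version == "HTTP/1.1" and not cfg.allow_http_1_1:
            violations.append("HTTP/1.1 not allowed")
        elif version not in ("HTTP/1.0", "HTTP/1.1"):
            violations.append(f"unsupported version {version}")

    if len(target) > cfg.maximum_url_length:
        violations.append("URL exceeds maximum length")

    path, _, query = target.partition("?")
    if cfg.disallow_unicode_in_paths and any(ord(c) > 127 for c in path):
        violations.append("unicode in URL path")
    if cfg.disallow_unicode_in_queries and any(ord(c) > 127 for c in query):
        violations.append("unicode in URL query")
    if cfg.enforce_strict_url_paths and _strict_violation(path, PATH_SAFE, cfg.disallow_unicode_in_paths):
        violations.append("disallowed character in URL path")
    if cfg.enforce_strict_url_queries and _strict_violation(query, QUERY_SAFE, cfg.disallow_unicode_in_queries):
        violations.append("disallowed character in URL query")

    if cfg.url_matches:
        hit = any(_url_match_hit(e, path, query, target) for e in cfg.url_matches)
        if cfg.deny_matches and hit:
            violations.append("URL denied by match list")
        if not cfg.deny_matches and not hit:
            violations.append("URL not in allowed match list")
    return violations


if __name__ == "__main__":
    # Constructed sample request lines, run against default settings plus a
    # deny-list entry for any path starting with /admin.
    cfg = RequestValidation(url_matches=[("prefix", "path", "/admin")])
    for sample in ("GET /index.html HTTP/1.1", "GET /index.html", "GET /caf\u00e9 HTTP/1.1",
                   "GET /search?q=<b> HTTP/1.1", "GET /admin/users HTTP/1.1"):
        print(f"{sample!r}: {validate_request_line(sample, cfg) or 'OK'}")
```

The validator reports every violated option rather than stopping at the first, which is the behaviour you want when tuning these settings against logged traffic: it shows which option, not just that the request would be blocked.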