12.07.2015 Views

WSM User Guide - WatchGuard Technologies


CHAPTER 13

Configuring Proxied Policies

Proxy filters do much more than packet filters. A proxy examines the contents of a packet, not only the header. As a result, the proxy finds forbidden content hidden or embedded in the data payload. For example, an SMTP proxy examines all incoming SMTP packets (e-mail) to find forbidden content, such as executable programs or files written in scripting languages. Attackers frequently use these methods to send computer viruses. The SMTP proxy knows these content types are not allowed, while a packet filter cannot detect the unauthorized content in the packet’s data payload.

WatchGuard® proxies also look for application protocol anomalies and stop packets that are not made correctly. If an SMTP packet is not made correctly or contains unexpected content, it cannot go through the Firebox®.

Proxy policies operate at the application, network, and transport protocol levels. Packet filter policies operate at only the network and transport protocol level. In other words, a proxy gets each packet, removes the network layer, and examines its payload. The proxy then puts the network information back on the packet and sends it to its destination on your trusted and optional networks. This adds more work for your firewall for the same volume of network traffic. But a proxy uses methods that packet filters cannot to catch dangerous packets.

Defining Rules

A ruleset is a group of rules based on one feature of a proxy. When you configure a proxy, you can see the rulesets for that proxy in the Categories list. The rulesets you see change when you change the proxy action on the Properties tab of a proxy configuration window.

A proxy can have more than one proxy action associated with it. For example, you can use one ruleset for packets sent to an e-mail server protected by the Firebox® and a different ruleset to apply to e-mail messages being sent out through the Firebox to the Internet. You can use the existing proxy actions, or clone an existing proxy action and change it to create a new proxy action.

A rule includes a type of content, pattern, or expression and the action the Firebox does when a component of the packet’s content matches a rule. Rules also include settings for when the Firebox sends alarms or if it sends events to the log file.

For most proxy features, the Firebox has a preinstalled ruleset. But you can edit the rules in a ruleset to change the action for the rules. You can also add your own rules.
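The difference between a header-only packet filter decision and a proxy ruleset applied to message content can be sketched as follows. This is an added example, not WatchGuard code or the Firebox rule format: the rule tuple layout, the glob patterns, the action names, first-match ordering and the default for unmatched names are all assumptions made for illustration.

```python
import email
from fnmatch import fnmatch

# Constructed sample: an SMTP message body carrying an executable attachment.
SAMPLE_MESSAGE = (
    "Subject: invoice\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    "--b1\r\nContent-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="Invoice.EXE"\r\n\r\n'
    "QUJD\r\n--b1--\r\n"
)

# Hypothetical ruleset: (pattern, action, send alarm, write log entry).
# First matching rule wins (an assumption of this sketch).
FILENAME_RULES = [
    ("*.exe", "deny", True, True),
    ("*.vbs", "deny", True, True),
    ("*", "allow", False, False),
]

def packet_filter(dst_port, proto):
    """Header-only decision: sees protocol and port, never the payload."""
    return "allow" if (proto, dst_port) == ("tcp", 25) else "deny"

def match_rule(value, rules):
    """Return the first rule whose pattern matches, compared case-insensitively."""
    for pattern, action, alarm, log in rules:
        if fnmatch(value.lower(), pattern):
            return {"pattern": pattern, "action": action, "alarm": alarm, "log": log}
    # Assumed default when a ruleset has no catch-all: deny and log.
    return {"pattern": None, "action": "deny", "alarm": False, "log": True}

def smtp_proxy(raw_message, rules=FILENAME_RULES):
    """Content decision: parse the MIME payload and test each attachment name."""
    msg = email.message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            findings.append((name, match_rule(name, rules)))
    verdict = "deny" if any(r["action"] == "deny" for _, r in findings) else "allow"
    return verdict, findings
```

The packet filter allows the connection because it only sees TCP port 25, while the content check denies the same message because of the attachment name and records which rule matched and whether an alarm or log entry is due.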
