WSM User Guide - WatchGuard Technologies
Configuring the HTTP Proxy

Browsers usually use POST operations to send data to a web site. Many web pages get information from the end user such as location, e-mail address, and name. If you disable the POST command, the Firebox denies all POST operations to web servers on the external network. This feature can prevent your users from sending information to a web site on the external network.
The HTTP proxy supports these request methods: HEAD, GET, POST, OPTIONS, PUT, and DELETE. (For HTTP-Server, the proxy supports HEAD, GET, and POST by default. OPTIONS, PUT, and DELETE are added but are disabled.) You can also add CONNECT and TRACE, but no other request methods are supported at this time. If you configure a rule to allow other request methods and your browser tries to use them, you get an error with the text: “Method unsupported.”
1 From the Categories section, select Request Methods.
2 Do the steps used to create rules. For more information, see “Defining Rules” on page 79.

Setting HTTP request URL paths
You use URL path rules to filter the content of the host, path, and query-string components of a URL. Here are examples of how to block content using HTTP request URL paths:
• To block all pages that have the host name www.test.com, type the pattern: www.test.com*
• To block all paths containing the word “sex”, on all web sites: *sex*
• To block URL paths ending in “.test”, on all web sites: *.test
Note
Usually, if you filter URLs with the HTTP request URL path ruleset, you must configure a complex pattern that uses full regular expression syntax and the advanced view of a ruleset. It is easier and gives better results to filter based on header or body content type than it is to filter by URL path.
1 From the Categories section, select URL Paths.
2 Do the steps used to create rules. For more information, see “Defining Rules” on page 79.

Setting HTTP request header fields
This ruleset supplies content filtering for the full HTTP header. By default, the Firebox uses exact matching rules to strip the Via and From headers, and allows all other headers. This ruleset matches against the full header line, not only the header name. Thus, to match all values of a header, type the pattern: “[header name]:*”. To match only some values of a header, replace the asterisk (*) wildcard with a pattern. If your pattern does not start with an asterisk (*) wildcard, include one space between the colon and the pattern when you type it in the Pattern text box. For example, type “[header name]: [pattern]” and not “[header name]:[pattern]”.
The default rules do not strip the Referer header, but they include a disabled rule to strip this header. To enable the rule, select Change View. Some web browsers and software applications must use the Referer header to operate correctly.
1 From the Categories section, select Header Fields.
2 Do the steps used to create rules. For more information, see “Defining Rules” on page 79.

Setting HTTP request authorization
This ruleset sets the criteria for content filtering of the HTTP request Authorization header. When a web server starts a “WWW-Authenticate” challenge, it sends information about which authentication methods it can use. The proxy puts limits on the type of authentication sent in a request: it allows only the authentication methods that the web server accepts. With a default configuration, the Firebox allows Basic, Digest, NTLM, and Passport1.4 authentication, and strips all other authentication.
1 From the Categories section, select Authorization.
2 Do the steps used to create rules. For more information, see “Defining Rules” on page 79.

Configuring general settings for HTTP responses
You use the General Settings fields to configure basic HTTP parameters such as the idle timeout and limits for line and total header length. If you set a limit to 0 bytes, the Firebox does not check that parameter.
1 From the Categories section, select General Settings.
2 To set limits for HTTP parameters, select the applicable check boxes. Use the arrows to set the limits:
Idle timeout
Controls how long the Firebox HTTP proxy waits for the web server to send the web page. The default value is 600 seconds.
Maximum line length
Controls the maximum allowed length of a line of characters in the HTTP response headers. Use this property to protect your computers from buffer overflow exploits.
Maximum total length
Controls the maximum length of the HTTP response headers. If the total header length is more than this limit, the HTTP response is denied. The default value is 0 (no limit).

Setting header fields for HTTP responses
This ruleset controls which HTTP response header fields the Firebox allows. RFC 2616 defines many of the HTTP response headers that are allowed in the default configuration. For more information, see: http://www.ietf.org/rfc/rfc2616.txt
1 From the Categories section, select Header Fields.
2 Do the steps used to create rules. For more information, see “Defining Rules” on page 161.

Setting content types for HTTP responses
When a web server sends HTTP traffic, it usually adds a MIME type to the response. The HTTP header on the data stream contains this MIME type; it is added before the data is sent. This ruleset sets rules for looking for the content type (MIME type) in HTTP response headers. By default, the Firebox allows some safe content types, and denies content that has no specified content type. Some web servers supply incorrect MIME types to get around content rules.
1 From the Categories section, select Content Types.
2 Do the steps used to create rules. For more information, see “Defining Rules” on page 161.

Setting cookies for HTTP responses
HTTP cookies are small pieces of alphanumeric text that web servers place on web clients. Cookies keep track of the page a web client is on, so that the web server can send more pages in the correct sequence. Web servers also use cookies to collect information about an end user. Many web sites use cookies for authentication and other legitimate functions and cannot operate correctly without cookies.
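The request-side rulesets above (request methods, URL paths, header fields) and the response-side General Settings limits and Content Types ruleset share one model: a list of ordered rules, each a pattern with an action, matched against one string. The Python script below is an added example written for this page, not WatchGuard code and not part of the guide, that models that behaviour so you can see what a pattern actually matches before committing it to a Firebox. Everything in it is assumed for illustration: the Rule class and all function names; that a pattern is a whole-string, case-insensitive match in which “*” is the only wildcard; that unmatched request methods and unmatched or missing content types are denied while unmatched URL paths and headers are allowed; and the sample requests and responses, which are constructed. The magic-number check at the end is added by the example to illustrate the “incorrect MIME types” remark and is not a documented Firebox feature.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


def wildcard_to_regex(pattern: str):
    """Translate the guide's '*' wildcard into a regex. Assumed (the guide does
    not say): the match is whole-string and case-insensitive, and '*' is the
    only metacharacter; everything else is matched literally."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts) + r"\Z", re.IGNORECASE | re.DOTALL)


@dataclass
class Rule:
    pattern: str
    action: str           # "allow", "deny", or "strip" (drop the header, keep the request)
    enabled: bool = True  # a disabled rule exists but is ignored, like the Referer rule


def first_match(rules, text):
    """Return the first enabled rule whose pattern matches text, else None."""
    for rule in rules:
        if rule.enabled and wildcard_to_regex(rule.pattern).match(text):
            return rule
    return None


def header_pattern(name: str, value_pattern: str = "*") -> str:
    """Header rules match the whole 'Name: value' line, so a value pattern that
    does not start with '*' needs the space after the colon (the guide's caveat)."""
    sep = "" if value_pattern.startswith("*") else " "
    return f"{name}:{sep}{value_pattern}"


# Constructed rule set following the defaults the guide describes: HEAD/GET/POST
# enabled, the other methods present but disabled, Via and From stripped, the
# Referer strip rule present but disabled. URL path rules are the guide's examples.
METHOD_RULES = ([Rule(m, "allow") for m in ("HEAD", "GET", "POST")]
                + [Rule(m, "allow", enabled=False) for m in ("OPTIONS", "PUT", "DELETE")])
URL_PATH_RULES = [Rule("www.test.com*", "deny"), Rule("*sex*", "deny"), Rule("*.test", "deny")]
HEADER_RULES = [Rule(header_pattern("Via"), "strip"), Rule(header_pattern("From"), "strip"),
                Rule(header_pattern("Referer"), "strip", enabled=False)]


def check_request(method, url, headers, methods=METHOD_RULES,
                  url_paths=URL_PATH_RULES, header_fields=HEADER_RULES):
    """Return ("deny", reason) or ("allow", headers_after_stripping). Assumed
    defaults: unmatched methods are denied; unmatched URL paths and headers are
    allowed (the guide: "allows all other headers")."""
    m = first_match(methods, method)
    if m is None or m.action != "allow":
        return "deny", f"request method {method}"
    u = urlsplit(url)
    target = u.netloc + u.path + (f"?{u.query}" if u.query else "")  # host + path + query
    r = first_match(url_paths, target)
    if r is not None and r.action == "deny":
        return "deny", f"URL path {target!r} matched {r.pattern!r}"
    kept = []
    for name, value in headers:
        h = first_match(header_fields, f"{name}: {value}")  # full header line, not just the name
        if h is not None and h.action == "deny":
            return "deny", f"header {name} matched {h.pattern!r}"
        if h is None or h.action != "strip":
            kept.append((name, value))
    return "allow", kept


# Content types this example allows (the guide only says "some safe content types").
CONTENT_TYPE_RULES = [Rule("text/html*", "allow"), Rule("text/plain*", "allow"),
                      Rule("image/*", "allow")]
# Added by this example, not a Firebox feature: magic numbers that expose a server
# labelling a binary as text to get around content rules.
BINARY_SIGNATURES = {b"MZ": "Windows executable", b"\x7fELF": "ELF executable",
                     b"PK\x03\x04": "ZIP archive"}


def check_response(raw: bytes, max_line: int = 0, max_total: int = 0,
                   content_types=CONTENT_TYPE_RULES):
    """Apply the General Settings limits (0 = do not check, as in the guide) and
    the Content Types ruleset to a raw response. Returns ("allow", type) or
    ("deny", reason). Assumed: a missing or unmatched Content-Type is denied."""
    head, _, body = raw.partition(b"\r\n\r\n")
    if max_total and len(head) > max_total:
        return "deny", f"header block {len(head)} bytes > {max_total}"
    lines = head.split(b"\r\n")
    if max_line and any(len(line) > max_line for line in lines):
        return "deny", f"header line longer than {max_line} bytes"
    ctype = None
    for line in lines[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            ctype = value.strip().decode("latin-1")
    if ctype is None:
        return "deny", "no Content-Type header"
    r = first_match(content_types, ctype)
    if r is None or r.action != "allow":
        return "deny", f"content type {ctype!r} not allowed"
    for magic, kind in BINARY_SIGNATURES.items():
        if ctype.lower().startswith("text/") and body.startswith(magic):
            return "deny", f"declared {ctype!r} but body looks like a {kind}"
    return "allow", ctype
```

Running the guide's own patterns through check_request shows why the Note above steers you toward content-type filtering: *sex* denies a request for www.sussex.ac.uk just as it denies a query string containing the word, and a rule typed as User-Agent:Mozilla* never matches anything because the line the proxy sees is “User-Agent: Mozilla/5.0” with a space after the colon. On the response side, a 0 limit skips the check entirely, so the maximum line and total length settings only protect clients once you give them a value.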