Proxy Forwarding Policy for Web Security Services
Article ID: 169862
Updated On:
Products
Cloud Secure Web Gateway - Cloud SWG
Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS
Issue/Introduction
The purpose of this article is to provide an easily accessible and updated Content Policy Language (CPL) script, which allows for proper connections to the Web Security Services.
This CPL code is based on information gathered from Web Security Services Web guide, the article: Cloud Proxy Forwarding - How to prevent the Local ProxySG from forwarding request to Cloud Services for specific destinations in addition to extensive testing.
Note: Sections of the CPL script that may require admin modification are outlined in the code comments.
Resolution
; ========================================================= Proxy Cloud Forwarding CPL policy =========================================================;Define subnets that should be treated as internal in your environment. Internal traffic should not go through Web Security Services.define subnet BC_Internal_subnets 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 169.254.0.0/16 192.168.0.0/16 224.0.0.0/3;@@@@@@@ Add any other destination subnet that should not be to the Cloud Service.end;Traffic that will NOT be MODIFIED before being sent to the Cloud Service.define condition BC_Cloud_Proxy_Bypass_Listurl.address=BC_Internal_subnets ; Internal traffic url.domain=portal.threatpulse.com ; Threatpulse portal;@@@@@@@ Add any other public sites that are not be modified by the proxy to be sent to the Cloud Service.end;Traffic that will NOT be FORWARDED to the Cloud Servicedefine condition BC_Cloud_Forward_Bypass_Listserver_url.address=BC_Internal_subnets ; Internal traffichealth_check=yes ; Health Checksserver_url.domain=portal.threatpulse.com ; Threatpulse portal;@@@@@@@ Add any other public sites that are not be forwarded to the Cloud Service.end;---------------------------------------------------------------------; Forward the desired traffic to the cloud.; - HTTP traffic is sent encrypted and sent over port 8443 to the Cloud Service.; - Non SSL-Intercepted HTTPS traffic is forwarded directly over port 8080.; - Requests which are SSL-Intercepted locally are sent to the Cloud Service over port 8084.<Forward Cloud> condition=!BC_Cloud_Forward_Bypass_List[Rule] proxy.port=(443, 8080) url.scheme=https,ssl,tcpurl.scheme=https forward(ThreatPulseInterceptedHTTPS8084) ; SSL-Intercepted trafficforward(ThreatPulseHTTP8080) ; Undecrypted SSL Traffic[Rule]url.scheme=http forward(ThreatPulseSecure8443) ; HTTP Traffic;--------------------------------------------------------------------- ; After user authentication, pass the username and groups to the Web Security Service.<Proxy Cloud_Auth> condition=!BC_Cloud_Proxy_Bypass_List authenticated=yes action.Auth_Cloud(yes); User and Group information are passed to the Web Security Service in special headers added to the request.define action Auth_Cloud set( request.x_header.BC_Auth_User, "$(user:encode_base64)" ) set( request.x_header.BC_Auth_Groups, "$(groups:encode_base64)" )end; If you plan to use the the Web Security Service to enforce appropriate use policies (content filtering and application control), then you must either disable caching or ensure that you always verify access requests with the Web Security Service.<Cache Cloud_Verify_Cached_Authorization> condition=!BC_Cloud_Proxy_Bypass_List always_verify(yes) ; Check for authorization; This layer provides the ability to mark the system (mostly refresh traffic) with a specific userID.; This template marks the traffic with the userID "Refresh User" by setting the BC_Auth_User header to the base-64 encoded version of that string.<Cache Cloud_Tag_System_traffic> condition=!BC_Cloud_Proxy_Bypass_Listhas_client=false action.Cloud_Auth_Refresh_Traffic(yes) ; It is a system request (mostly refresh?)define action Cloud_Auth_Refresh_Trafficset(request.x_header.BC_Auth_User, "UmVmcmVzaCBVc2Vy")end; For reporting purposes, forward the client IP addresses rather than the ProxySG appliance IP address.<Proxy Forwarding_Client_IP> action.Forwarding_Client_IP(yes)define action Forwarding_Client_IP set(request.header.Client-IP, "$(client.address)")end; ========================================================= Proxy Cloud Forwarding CPL policy =========================================================Feedback
Yes
No
Powered by
