topic Re: HTTP Proxy setup - bypass in Firewall and Security Management

HTTP Proxy setup - bypass

Frank_Fausch_sr — Mon, 22 Mar 2021 11:16:57 GMT

Hello,

I've setup the Security Gateway as HTTP Proxy in Transparent Mode on all internal Interfaces.

Now I want to set it up that the Clients (coming from Interface 2) do not use Proxy when doing HTTP to Interface 1 (LAN), but to Interface 3 (external). Unfortunatly I don't understand how I could configure this one.
Can i configure this per Interface or is there a Proxy bypass List I can use?
Any help would be appreciated.

Many thanks and best regards

Frank

Re: HTTP Proxy setup - bypass

_Val_ — Mon, 22 Mar 2021 12:08:54 GMT

You can configure which interfaces on the client side will be proxied by not on the destination side.

Re: HTTP Proxy setup - bypass

Frank_Fausch_sr — Mon, 22 Mar 2021 12:31:16 GMT

Hello Val,
many thanks for your reply, but exactly this is what is not clear to me.
I want to have it Proxied comming from Client (eth2) to Internet (eth3) but not to LAN (eth1).

Means from eth2 to eth1 it should not be proxyfied.
But from eth2 to eth3 it should be.
So it's both times the Client is on eth2, but the outgoing interface is different.
So which one Interface I have to specify here?

I'm sorry for the stupied question - this is just not clear for me

Many thanks and best regards

Frank

Re: HTTP Proxy setup - bypass

_Val_ — Mon, 22 Mar 2021 12:51:34 GMT

This setting is for client side. If you have clients coming from several internal interfaces, you can configure just some of them being proxied. This is not want you are trying to achieve, if I understand correctly. In your case, you want the same clients to be proxied when going to internet, and having direct connections to your DMZ servers. If that is your goal, my answer above stands

Re: HTTP Proxy setup - bypass

Frank_Fausch_sr — Mon, 22 Mar 2021 13:07:44 GMT

Hi Val,
Many thankks for your fast relpy.
So if I understand you corrently, what I'm trying to do (YES --> same clients to be proxied when going to internet, and having direct connections to your DMZ servers) is not possible. Is that correct?

Re: HTTP Proxy setup - bypass

_Val_ — Mon, 22 Mar 2021 13:54:39 GMT

not with the transparent proxy, afaik

Re: HTTP Proxy setup - bypass

PhoneBoy — Mon, 22 Mar 2021 14:00:10 GMT

Why precisely are you trying to proxy and not just use NAT to achieve what you're after?

Re: HTTP Proxy setup - bypass

Frank_Fausch_sr — Mon, 22 Mar 2021 14:00:22 GMT

Would it be possible in explicit Proxy mode?
and if yes, how?

Re: HTTP Proxy setup - bypass

Frank_Fausch_sr — Mon, 22 Mar 2021 14:25:48 GMT

we're using NAT for all what is going to Internet, of course.
the Point is, that from CISO point of view we have to proxify traffic going to Internet and not just URL filtering.
That's why I'm trying to find a way to use Proxy if it comes to Client -> Internte Traffic, but not if it comes to Client->LAN traffic.
Trying to do that without external Services like proxy Pac file on another web server.

Re: HTTP Proxy setup - bypass

PhoneBoy — Mon, 22 Mar 2021 15:16:26 GMT

Transparent proxy applies to all web traffic passing through the gateway based on the origin interface.
There is, to my knowledge, no way to configure this based on destination interface.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk110013
What you're asking for is likely an RFE.

That said, what you're asking for can easily be achieved with NAT.
From a security perspective, I don't see a significant benefit to going with proxy mode (transparent or otherwise).