
Configuring Proxy Policies - TCP Proxy

After you set the action for a proxy policy to TCP proxy, the FW will implement TCP proxy for the traffic matching the policy.

Procedure

  1. Choose Policy > Proxy Policy.
  2. Click Add.
  3. Configure a proxy policy.

    Parameters and their descriptions:

    Name

    Enter a name for the proxy policy.

    Description

    Describe the proxy policy in a way that helps you understand the use of the policy.

    Tag

    The tag identifies and categorizes the policy. You can query policies based on tags and delete, move, enable, or disable policies in batches based on the query results. For the tag description and configuration, see Tag.

    Source Zone

    The security zone from which traffic is originated.

    Destination Zone

    The security zone to which traffic is destined.

    Source Address

    Source IP address of the traffic.

    You can manually enter an IP or select an existing address object from the drop-down list.

    The drop-down list includes the following types of address objects:

    • Address: an IP address or an IP address range.
    • Address group: a group of addresses. You can use address groups to include IP ranges that cannot be specified using subnet masks. For details, see Address Object and Address Group.
    NOTE:
    • You can specify source addresses or address groups to be excluded from the policy (namely, these addresses or address groups are not subject to the policy). Excluded source addresses or address groups are usually used to exclude specific addresses from a wide network segment.

      Select the corresponding address or address group, click Invert, and then click OK.

    • The address or address group cannot contain IPv6 addresses or MAC addresses.

    Destination Address

    Destination IP address of the traffic. Destination addresses define the hosts and servers that can be accessed.

    You can manually enter IP addresses or select an existing address object from the drop-down list. The drop-down list includes the following types of address objects:
    • Address and address group: You can specify a single IP/MAC address, an IP address range, or an IP address range and a MAC address set that cannot be represented by a single mask. For details, see Address Object and Address Group.
    • Domain group: When the domain name that a user wants to access matches a domain group, TCP proxy will be implemented for the traffic of the user. For detailed information on domain groups, see Domain Group.
    NOTE:

    You can specify destination addresses or address groups to be excluded from the policy (namely, these addresses or address groups are not subject to the policy). Excluded destination addresses or address groups are usually used to exclude specific addresses from a wide network segment.

    Select the corresponding address or address group, click Invert, and then click OK.

    The address or address group cannot contain IPv6 addresses or MAC addresses.

    When an IP address corresponds to multiple domain names, a lookup on that IP address returns a maximum of 16 domain names. If the domain name being looked up is not in the policy rule, the policy cannot be matched. You are advised to configure the domain names that share the same IP address in the same policy rule.

    User

    A user indicates from whom traffic is originated. The parameter value can be User, User Group, or Security Group.

    The FW can accurately identify users and control their network behavior based on their permissions.

    Users and user groups reflect the horizontal organizational structure. Users and security groups reflect the vertical organizational structure. You can configure users and user groups based on company departments, or add users from different departments to one security group for management. For details, see User and User Authentication.

    You can reference local users, user groups, or security groups or create new ones.

    If the server has a large number of users, user groups, or security groups and only some of them need to be imported to the FW to implement policy control, select Server Import from the matching conditions of User, query and import the desired users, user groups, or security groups online, and then reference them in policies.
    NOTE:

    Only the AD and AD LDAP servers support online query and import of users, user groups, or security groups.

    Before that, you need to configure a server import policy in the New User Authentication Options and associate an authentication domain with the configured server import policy.

    The server import policy determines the target groups, online query path, and filtering parameter. However, the import type configured in the server import policy does not take effect in this function.

    It is recommended that the user name (cn value) on the server be the same as the login name (sAMAccountName value).

    A policy can reference a maximum of 64 users, user groups, or security groups.

    Select Import from Server from the matching conditions of User. If Type is set to User, the device imports only the names of users, not the user groups or security groups to which the users belong.

    Service

    The protocol type of the traffic. Services can be predefined or user-defined.

    • Predefined services exist in the system by default and can be selected directly. Predefined services are well-known services, such as HTTP, FTP, and Telnet.

    • You can also define services as needed. User-defined services are configured by specifying information such as port numbers. User-defined services fall into three types, and the configuration methods are as follows:

      • For TCP/UDP packets, you must specify the source and destination ports.
      • For ICMP packets, you must specify the ICMP message type and code.
      • For IP packets, you must specify the protocol number in the IP header.

    You can also create a service group and add predefined and user-defined services to the group.

    For service and service group configurations, see Service and Service Group.

    NOTE:

    You can specify services or service groups to be excluded from the policy (namely, these services or service groups are not subject to the policy).

    Select the corresponding service or service group, click Invert, and then click OK.

    Action

    The value can be either TCP proxy or No proxy.

    • TCP proxy: The FW implements TCP proxy for the data flows matching the policy.
    • No proxy: The FW does not implement TCP proxy for the data flows matching the policy.

    No proxy is used to exempt particular clients. For example, to implement TCP proxy for the traffic from all hosts on subnet 192.168.1.0/24 except the host at 192.168.1.2, configure one rule that exempts the traffic of the host at 192.168.1.2 from TCP proxy and another rule that implements TCP proxy for the traffic of the other hosts on subnet 192.168.1.0/24.

  4. Click OK.
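The following is an added example, not Huawei's code, that models how the matching conditions above (zones, source and destination addresses, Invert exclusions, services) select an action for a flow, and shows the 192.168.1.0/24-except-192.168.1.2 case built both as two rules and as one rule with Invert. It assumes policies are evaluated top-down with the first match winning; the zone names, IP addresses and services are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class ProxyPolicy:
    name: str
    action: str                  # "TCP proxy" or "No proxy"
    src_zone: str
    dst_zone: str
    src_addrs: list
    dst_addrs: list = field(default_factory=lambda: ["0.0.0.0/0"])
    src_excluded: list = field(default_factory=list)   # source entries marked with Invert
    services: set = field(default_factory=lambda: {"any"})

def _in_any(addr, nets):
    ip = ip_address(addr)
    return any(ip in ip_network(n, strict=False) for n in nets)

def matches(p, flow):
    """True if every matching condition of policy p holds for the flow."""
    if (p.src_zone, p.dst_zone) != (flow["src_zone"], flow["dst_zone"]):
        return False
    # An excluded (inverted) source address is never subject to this policy.
    if _in_any(flow["src"], p.src_excluded) or not _in_any(flow["src"], p.src_addrs):
        return False
    if not _in_any(flow["dst"], p.dst_addrs):
        return False
    return "any" in p.services or flow["service"] in p.services

def select_action(policies, flow):
    """Assumption: top-down, first-match evaluation; returns (policy name, action)."""
    for p in policies:
        if matches(p, flow):
            return p.name, p.action
    return None, None   # nothing matched; the FW's default is not stated on this page

def flow(src, dst="203.0.113.10", service="http", src_zone="trust", dst_zone="untrust"):
    return {"src": src, "dst": dst, "service": service, "src_zone": src_zone, "dst_zone": dst_zone}

# Constructed example: proxy 192.168.1.0/24 except 192.168.1.2, built two ways.
# (a) Two rules, with the No proxy exemption placed before the TCP proxy rule.
TWO_RULES = [
    ProxyPolicy("exempt_host", "No proxy", "trust", "untrust", ["192.168.1.2/32"]),
    ProxyPolicy("proxy_lan", "TCP proxy", "trust", "untrust", ["192.168.1.0/24"],
                services={"http", "ftp"}),
]
# (b) One rule whose source address excludes the host via Invert.
INVERT_RULE = [
    ProxyPolicy("proxy_lan_invert", "TCP proxy", "trust", "untrust", ["192.168.1.0/24"],
                src_excluded=["192.168.1.2/32"], services={"http", "ftp"}),
]
```

Reversing the order of TWO_RULES makes the TCP proxy rule match 192.168.1.2 first, which is why the exemption must sit above the broader rule under first-match evaluation.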
Copyright © Huawei Technologies Co., Ltd.