WatchGuard Firebox X20E User Manual page 120

Firmware version 8.6, all Firebox X Edge e-Series standard and wireless models

Configuring the HTTP Proxy
HTTP responses
When the remote HTTP server accepts the connection request from the HTTP client, most browser
status bars show, "Site contacted. Waiting for reply..." Then the HTTP server sends the appropriate
response to the HTTP client. This is usually a file or series of files. The proxy uses valuable network
resources to monitor the network connection to the web server. It could become necessary to limit or
expand how the proxy policy uses these resources in your network.
Timeout
This setting controls how long the HTTP proxy waits for the web server to send the web page.
The idle timeout makes sure that the proxy can reclaim the network resources once the timeout
expires. The default value is 10 minutes.
Maximum line length
This setting controls the maximum allowed length of a line of characters in the HTTP response
headers. The maximum line length limit prevents buffer overflow attacks.
Deny messages
You get a deny message in your web browser from the Edge when you make a request that the HTTP
proxy does not allow. You also get a deny message when your request is allowed, but the HTTP proxy
denies the response from the remote web server. For example, if a user tries to download an ".exe" file
and you have blocked that file type, the user sees a deny message in the web browser. If the user tries
to download a web page that has an unknown content type and the proxy policy is configured to block
unknown MIME types, the user sees an error message in the web browser. You can see the default deny
message in the Deny Message field. To change this to a custom message, use these variables:
%(transaction)%
Puts "Request" or "Response" to show which side of the transaction caused the packet to be
denied.
%(reason)%
Puts the reason the Firebox denied the content.
%(method)%
Puts the request method from the denied request.
%(url-host)%
Puts the server host name from the denied URL. If no host name was included, the IP address of
the server is given.
%(url-path)%
Puts the path component of the denied URL.
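The variable expansion described above, as an added example that is not WatchGuard code: a small previewer for a custom deny message that substitutes the five documented variables, HTML-escapes each substituted value (the URL host and path come from the denied request, so they are not trusted input) and reports mistyped variable names. The escaping step, the function name, the sample message and the sample values are assumptions of this example, not documented Firebox behaviour.

```python
import html
import re

# The five variables the manual lists for custom deny messages.
KNOWN_VARS = ("transaction", "reason", "method", "url-host", "url-path")
TOKEN = re.compile(r"%\(([a-z-]+)\)%")

# Constructed sample message and values, for illustration only.
# "%(user)%" is deliberately not a documented variable.
SAMPLE_TEMPLATE = (
    "%(transaction)% denied by policy: %(reason)%. "
    "%(method)% %(url-host)%%(url-path)% %(user)%"
)
SAMPLE_VALUES = {
    "transaction": "Response",
    "reason": "file type blocked",
    "method": "GET",
    "url-host": "downloads.example.com",
    "url-path": "/tools/<b>setup</b>.exe",
}


def render_deny_message(template, values):
    """Expand %(name)% tokens.

    Returns (rendered_text, unknown_names). Known variables are replaced
    with their HTML-escaped value; unknown tokens are left in place and
    reported so a typo in the custom message is easy to spot.
    """
    unknown = []

    def expand(match):
        name = match.group(1)
        if name not in KNOWN_VARS:
            unknown.append(name)
            return match.group(0)
        # Assumption of this example: escape before placing in the page.
        return html.escape(str(values.get(name, "")), quote=True)

    return TOKEN.sub(expand, template), unknown


if __name__ == "__main__":
    text, unknown = render_deny_message(SAMPLE_TEMPLATE, SAMPLE_VALUES)
    print(text)
    print("unknown variables:", unknown)
```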
HTTP proxy exceptions
If you want a specific web site to bypass the HTTP proxy, you can add it as an HTTP proxy exception.
The HTTP proxy applies no content filter, URL paths, cookies, or Gateway AV/IPS rules to the sites on
this list, but does monitor the connection to the site for basic protocol format. Because the HTTP proxy
works with WebBlocker, any site on the HTTP proxy exception list is not checked by WebBlocker.
To add an HTTP proxy exception:
1. From the HTTP proxy configuration, select the HTTP Settings tab.
2. In the text box to the left of the Add button, type the host IP address or domain name of the web site to
allow.
The domain (or host) name is the part of a URL that ends with .com, .net, .org, .biz, .gov, or .edu.
Domain names may also end in a country code, such as .de (Germany) or .jp (Japan).
To add a domain name, type the URL pattern without the leading "http://". For example, to allow