Virtual Secure Web Gateway

  • 1.  Inline + proxy mode and blocking https

    Posted Nov 16, 2011 02:13 AM

    I am doing a POC for a customer; please advise on the following:

    1) If I were to block an HTTPS website, e.g. https://facebook.com, then I would need to configure inline + proxy mode. Please advise.

    2) For inline + proxy mode, I understand that we need 1 IP address for LAN 1 and another IP address for LAN 2, and both IP addresses must be on different subnets. Can someone confirm this?

    3) If I use proxy mode only, i.e. the SWG acts as a proxy (i.e. 1 leg to LAN), and configure the users' browser proxy settings to point to the SWG appliance, can the SWG block an HTTPS website, e.g. https://facebook.com?

    Thanks.



  • 2.  RE: Inline + proxy mode and blocking https

    Posted Nov 16, 2011 04:19 AM

    Hi,

    Some answers here:

    1) In order to block HTTPS traffic you need the proxy, so proxy only OR inline + proxy modes are OK. It is the proxy feature that allows SWG to block HTTPS.

    2) Any configuration that involves the proxy, so proxy only OR inline + proxy, requires separate MGMT and Inline networks, so 2 IP addresses in different subnets.

    3) Yes, in proxy only mode, you can block HTTPS websites.

    Make sure the browser is properly configured and always check Custom Reports in SWG to troubleshoot if the result is unexpected. Try to always use either "monitor" or "block" actions. "Allow" does not produce entries on the custom reports.

    Also, have a look at this article as it contains some useful tips for SWG deployments.

    SWG : Best Practices - New Deployments

    HTH,

    Federico



  • 3.  RE: Inline + proxy mode and blocking https

    Posted Nov 17, 2011 07:26 AM

    Thanks.

    For inline + proxy mode:

    1. So to use the proxy, the browser proxy IP address should point to the SWG LAN/WAN inline IP address? (The management IP address is only for user access to manage the SWG.)
    2. And on the firewall we need to set it up to accept traffic from the LAN/WAN inline IP address?

    Regards



  • 4.  RE: Inline + proxy mode and blocking https

    Posted Nov 17, 2011 07:49 AM

    Hi,

    - The browsers must use the SWG LAN/WAN inline IP address as the proxy address.

    - The external firewall must allow traffic from that IP address. The browsers will connect to the proxy IP address and the proxy will re-generate new connections to the intended URLs on the internet.

    Regards,

    Federico