TCP Service Properties dialog box

Use this dialog box to configure a custom TCP Service element.

Option Definition
General tab
Protocol Displays the protocol.
Name The name of the element.
Comment

(Optional)

A comment for your own reference.
Dst. Ports

(Optional)

Specifies the destination port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields.

(Either source or destination port is mandatory.)

Src. Ports

(Optional)

Specifies the source port or port range. To match a single port, enter it in the first field and leave the other field empty. To enter a range, enter a value in both fields.

(Either source or destination port is mandatory.)

Protocol Shows the assigned protocol. Click Select to select a Protocol Agent.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Option Definition
Protocol Parameters tab, common options
Reset Discards the changes and reverts to the previously saved default settings. Not available for all protocols.
Option Definition
Protocol Parameters tab, when Protocol is DNS or SSM DNS Proxy (TCP)
Enforce DNS protocol usage
  • On — The engine terminates traffic that is not using the DNS protocol.
  • Off — The engine allows traffic to pass even if the traffic is not DNS-related.
Deny DDNS updates
  • On — The engine terminates dynamic DNS (DDNS) update messages.
  • Off — The engine allows DDNS update messages to pass.
Deny DNS zone transfers
  • On — The engine terminates DNS zone transfer messages.
  • Off — The engine allows DNS zone transfer messages to pass.
Enforce Google SafeSearch
  • On — The engine modifies DNS replies for Google search engines to enforce Google's SafeSearch feature.
  • Off — The engine does not modify DNS replies.
Enforce strict Bing SafeSearch
  • On — The engine modifies DNS replies for Bing search engines to enforce Bing’s SafeSearch feature.
  • Off — The engine does not modify DNS replies.
Enforce strict DuckDuckGo SafeSearch
  • On — The engine modifies DNS replies for DuckDuckGo search engines to enforce DuckDuckGo’s SafeSearch feature.
  • Off — The engine does not modify DNS replies.
Enable YouTube Safesearch
Select the safesearch mode from the drop-down list:
  • Strict: Filter out inappropriate videos from your search results.
  • Moderate: Similar to Strict mode, but makes a much larger collection of videos available.
  • Off: Turns off both modes (Strict and Moderate). Only apply this setting if you want users in your organization to have unrestricted YouTube access.
DNS Sinkholing

Specify the domain name or URL list in the Domain Names column, and the response value (NXDOMAIN, an IPv4 address, or an IPv6 address) in the Response column. If the Response column is left empty, no sinkholing action is performed. When the engine detects a DNS request that matches an entry in the Domain Names column, the request is allowed, blocked, or answered with a DNS response for the IP address, according to the response value that is specified.

To add a domain name or URL list to the DNS Sinkholing table, do the following:
  1. Click Add. A row is added with the None element under the Domain Name column.
  2. Right-click the None element, and then select Edit Domain Name. The Select Element dialog box is displayed.
  3. Select the Domain Name or the URL List Applications element.
    Note: If you want to add a new domain name or URL list, right-click in the Select Element dialog box and then select the New Domain Name or the New URL List Application option. For more details on domain names and URL lists, refer to the sections Defining Domain Name elements or Add URL List Application elements to manually block or allow URLs in the Forcepoint Network Security Platform Product Guide.
  4. Select a domain name or a URL list.
  5. Click OK.
To remove a domain name or URL list from the DNS Sinkholing table, do the following:
  1. Select the row that you want to remove from the DNS Sinkholing table.
  2. Click Remove.
  3. Click OK.

Similar to Access rules, the rows in the DNS Sinkholing table are processed in order from top to bottom, and the first matching row is applied. Rows that must match traffic first must therefore be placed above the other rows in the table.

To move a row up or down in the Sinkholing table, select the row and click Up or Down.

Note:
  1. The policy must be installed on the engine after domain names or URL lists are added or updated.
  2. The DNS Sinkholing feature acts on user DNS requests, and the safe search features act on DNS responses. If both DNS Sinkholing and a safe search feature are enabled for a matching request, DNS sinkholing is performed and safe search is ignored.
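The following is an added example, not code from the Forcepoint product or its documentation. It models the top-to-bottom, first-match evaluation of the DNS Sinkholing table described above so that an administrator can check a planned table before installing the policy: an empty Response means no action, NXDOMAIN is returned as such, and an IPv4 or IPv6 literal becomes an A or AAAA answer. The table contents are constructed, and the matching rule (a Domain Name entry covers the name itself and every name below it) is an assumption of this example, not a documented product behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SinkholeRow:
    domain_names: List[str]   # entries shown in the Domain Names column
    response: str             # Response column: "" (no action), "NXDOMAIN", IPv4 or IPv6 literal


def domain_matches(qname: str, entry: str) -> bool:
    # Assumption of this example: an entry matches the name itself and every name below it.
    q = qname.rstrip(".").lower()
    e = entry.rstrip(".").lower()
    return q == e or q.endswith("." + e)


def resolve_sinkhole(qname: str, rows: List[SinkholeRow]) -> Tuple[Optional[int], str, Optional[str]]:
    """Return (row_index, action, answer) for the first matching row, walking top to bottom."""
    for idx, row in enumerate(rows):
        if not any(domain_matches(qname, e) for e in row.domain_names):
            continue
        if row.response == "":
            return (idx, "pass", None)          # empty Response column: no sinkholing action
        if row.response.upper() == "NXDOMAIN":
            return (idx, "NXDOMAIN", None)
        ip = ipaddress.ip_address(row.response)  # raises ValueError on a malformed literal
        return (idx, "A" if ip.version == 4 else "AAAA", str(ip))
    return (None, "pass", None)                 # no row matched: request is not sinkholed


def shadowed_rows(rows: List[SinkholeRow]) -> List[int]:
    """Indices of rows that can never match because earlier rows already cover every name they list."""
    out = []
    for i, row in enumerate(rows):
        covered = all(
            any(domain_matches(name, e) for r in rows[:i] for e in r.domain_names)
            for name in row.domain_names
        )
        if covered:
            out.append(i)
    return out


# Constructed sample table (names and addresses are placeholders, not real indicators).
TABLE = [
    SinkholeRow(["bad.example.test"], "10.0.0.250"),   # answer with an internal sinkhole address
    SinkholeRow(["tracker.example"], "NXDOMAIN"),     # answer NXDOMAIN
    SinkholeRow(["ads.example"], "2001:db8::53"),     # IPv6 sinkhole address
    SinkholeRow(["example.test"], ""),                # matched, but no action (empty Response)
]

# Same rows with the broad "example.test" row moved to the top: it now shadows the sinkhole row.
MISORDERED = list(reversed(TABLE))

if __name__ == "__main__":
    for name in ("bad.example.test", "cdn.bad.example.test", "tracker.example", "www.example.test"):
        print(name, resolve_sinkhole(name, TABLE))
    print("shadowed rows in misordered table:", shadowed_rows(MISORDERED))
```

The `shadowed_rows` check is the part worth running before installing a policy: a row with an empty Response placed above a more specific sinkhole row silently disables that sinkhole, because the first match wins and no later row is consulted.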
Option Definition
Protocol Parameters tab, when Protocol is FTP or SSM FTP Proxy
Allow related connections
  • On — Allows data connections to be opened with the control connection.
  • Off — Disables the Protocol Agent.
Allow active mode
  • Yes — Server is allowed to open data connections to the client (according to information exchanged in the control connection).
  • No — Server-initiated data connections are forbidden.
Allow passive mode
  • Yes — Client is allowed to open data connections to the server (according to information exchanged in the control connection).
  • No — Client-initiated data connections are forbidden.
Control data inspection mode

(Engine only)

  • Strict — If commands that do not comply with the RFC 959 FTP standard are used, the connection is dropped.
  • Loose — The Protocol Agent tries to identify information for opening the data connection even if the communications do not strictly follow the FTP standards. Sometimes needed with non-standard FTP configurations.

Highest allowed source port for Active data connection

or

Lowest allowed source port for Active data connection

(Engine only)

Enter a port value to limit the range of allowed source ports for active data connections on the server.

Value 0 for the lowest port means that the server always uses the port number immediately preceding the destination port. If the server uses a standard port, both the lowest and highest port number must be 0.

Redirect to Proxy Server

(Engine only)

Select the Proxy Server to which the connections are redirected.

Note: The recommended method for forwarding traffic to a proxy service is to use Access rules.

(Optional) Specify the IP Address Translation Range (IPv4 only) and the Port Translation Range for the redirection. To specify a single IP address, enter the same IP address in both fields.

Note: This option is not supported for SSM Proxies.
Option Definition
Protocol Parameters tab, when Protocol is HTTP or HTTPS
Logging of Accessed URLs
  • Yes — The URLs of sites that users access are included in generated log entries.
    Note: With HTTPS traffic, requires that the traffic is decrypted.
  • No — URLs are not included in generated log entries.
Optimized server stream fingerprinting
  • Yes — When matching connections to the Inspection rules, the server stream matching is done only for patterns that are valid for the client’s browser type and version.
  • No — All server stream patterns are matched.
Enforce Google SafeSearch
  • On — The engine modifies DNS replies for Google search engines to enforce Google's SafeSearch feature.
  • Off — The engine does not modify DNS replies.
HTTPS decryption and inspection

(HTTPS only)

Controls whether to decrypt HTTPS traffic.
  • For Application Identification — HTTPS traffic is decrypted for inspection only when application detection is used.
  • Yes — Enables HTTPS decryption and inspection.
  • No — HTTPS traffic is not decrypted for inspection.
HTTPS Inspection Exceptions

(HTTPS only)

Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption.

Click Select to select an HTTP Inspection Exceptions element.

Strip QUIC support from server replies

(Engine only)

Specifies the following options:
  • Yes: The HTTP header that indicates server support for HTTP/3 (QUIC) is stripped away.
  • No: The HTTP header that indicates server support for HTTP/3 (QUIC) is not stripped away.
Note: For HTTPS, stripping can be done only if HTTPS is being decrypted with TLS Inspection.
Redirect to Proxy Server

(Engine only)

Select the Proxy Server to which the connections are redirected.

Note: The recommended method for forwarding traffic to a proxy service is to use Access rules.

(Optional) Specify the IP Address Translation Range (IPv4 only) and the Port Translation Range for the redirection. To specify a single IP address, enter the same IP address in both fields.

Note: This option is not supported for SSM Proxies.
Enable HTTP proxy

(HTTP only)

Enables or disables the Explicit HTTP Proxy feature.
Note: This feature is only supported on Engine version 7.2.3 and later.
HTTP proxy auth by IWA

(HTTP only)

(Optional)

Enables or disables Integrated Windows Authentication via the browser for users that have the Explicit Proxy feature enabled.
Note: This is only supported on Engine version 7.2.3 and later.
Cache authenticated proxy users

(HTTP only)

(Optional)

Enables IP-based caching of user identification, so that a proxy user who has already authenticated is authenticated automatically for subsequent connections instead of each connection being authenticated separately. The cached user does not need to re-authenticate when using the browser.
Option Definition
Protocol Parameters tab, when Protocol is HTTP with SSM HTTP Proxy
Logging of Accessed URLs
  • Yes — The URLs of sites that users access are included in generated log entries.
    Note: With HTTPS traffic, requires that the traffic is decrypted.
  • No — URLs are not included in generated log entries.
Optimized server stream fingerprinting
  • Yes — When matching connections to the Inspection rules, the server stream matching is done only for patterns that are valid for the client’s browser type and version.
  • No — All server stream patterns are matched.
Redirect to Proxy Server This option is not supported for SSM Proxies.
Enforce Google SafeSearch
  • On — The engine modifies DNS replies for Google search engines to enforce Google's SafeSearch feature.
  • Off — The engine does not modify DNS replies.
Enforce Strict Headers When selected, the proxy blocks HTTP requests and responses that do not comply with the HTTP protocol standards.
Log URLs When selected, the proxy logs the URLs in HTTP requests.
Request Validation When selected, the proxy validates HTTP requests. Selecting this option enables options in the following sections:
  • URL Control Options
  • URL Matches
  • Commands
URL Control Options section Specifies options for validation of URLs.
Disallow Unicode in URL Paths When selected, Unicode-encoded text is not allowed in URL paths.
Disallow Unicode URL Queries When selected, Unicode-encoded text is not allowed in query strings in URLs.
Enforce Strict URL Paths When selected, the proxy blocks URL paths that contain characters that are not allowed by the HTTP protocol standards.
Enforce Strict URL Queries When selected, the proxy blocks queries that contain characters that are not allowed by the HTTP protocol standards.
URL Normalization Validation Specifies how URL normalization is applied to HTTP requests.
  • Allow — Allows the request.
  • Allow and Log — Allows the request and creates a log entry.
  • Block and Log — Blocks the request and creates a log entry.
  • Off — URL normalization is not enabled.
Maximum URL Length Specifies the maximum number of characters allowed in URLs.
Require HTTP Version When selected, the proxy requires the HTTP request to include an HTTP version string. Selecting this option enables the following options:
  • Allow HTTP version 1.0
  • Allow HTTP version 1.1
Allow HTTP version 1.0 When selected, the proxy allows HTTP requests that specify HTTP version 1.0 as the version string.
Allow HTTP version 1.1 When selected, the proxy allows HTTP requests that specify HTTP version 1.1 as the version string.
URL Matches section Specifies rules for allowing or denying matching URLs.
Allow or Deny Specified URL Matches Specifies whether matching URLs are allowed or denied.
  • Allow — Matching URLs are allowed.
  • Deny — Matching URLs are denied.
URL Match List Specifies the criteria for matching URLs.
Match Type Specifies how the proxy matches the match criteria in the URL.
  • Contains — Matches when the URL contains the specified criteria.
  • Begins with — Matches when the URL begins with the specified criteria.
  • Ends with — Matches when the URL ends with the specified criteria.
Match Parameter Specifies the part of the URL where the proxy checks for the match criteria.
  • Host — The proxy checks the domain name for the match criteria.
  • Path — The proxy checks the URL path for the match criteria.
  • All — The proxy checks both the host and the path for the match criteria.
URL The matching criteria for the URL.
Add Adds a row to the table.
Remove Removes the selected row from the table.
Commands section Specifies the commands that the proxy allows in HTTP requests.
Allowed HTTP Commands
  • Any — The proxy allows any commands in HTTP requests.
  • Selected from List — The proxy allows only the selected commands in HTTP requests.
Content Control Specifies options for allowing or denying content in HTTP requests.
Deny SOAP When selected, the proxy denies the use of the Simple Object Access Protocol (SOAP) in HTTP requests.
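As an added example (not code from the Forcepoint SSM HTTP Proxy), the following models how the Request Validation options above combine on one HTTP request: the allowed-command list, Maximum URL Length, the two Disallow Unicode options, and a URL Match List with its Match Type (Contains, Begins with, Ends with) and Match Parameter (Host, Path, All). The policy values are constructed. Two points are assumptions of this example rather than documented behaviour: "Unicode-encoded" is taken to mean raw non-ASCII characters or `%uXXXX` escapes, and Allow mode is taken to mean that only matching URLs pass.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit


@dataclass
class UrlMatch:
    match_type: str        # "Contains", "Begins with" or "Ends with"
    match_parameter: str   # "Host", "Path" or "All"
    url: str               # the match criteria from the URL column


@dataclass
class ProxyUrlPolicy:
    disallow_unicode_paths: bool = True
    disallow_unicode_queries: bool = True
    max_url_length: int = 2048
    match_action: str = "Deny"                      # Allow or Deny Specified URL Matches
    url_matches: List[UrlMatch] = field(default_factory=list)
    allowed_commands: Optional[Set[str]] = None     # None means "Any"


def _has_unicode(text: str) -> bool:
    # Assumption: non-ASCII characters or %uXXXX escapes count as Unicode-encoded text.
    return any(ord(c) > 127 for c in text) or "%u" in text.lower()


def _matches(value: str, criteria: str, match_type: str) -> bool:
    if match_type == "Contains":
        return criteria in value
    if match_type == "Begins with":
        return value.startswith(criteria)
    if match_type == "Ends with":
        return value.endswith(criteria)
    raise ValueError(f"unknown match type {match_type!r}")


def _url_match_hit(m: UrlMatch, host: str, path: str) -> bool:
    targets = {"Host": [host], "Path": [path], "All": [host, path]}[m.match_parameter]
    return any(_matches(t, m.url, m.match_type) for t in targets)


def validate_request(method: str, url: str, policy: ProxyUrlPolicy) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for one request under the given policy."""
    if policy.allowed_commands is not None and method.upper() not in policy.allowed_commands:
        return ("block", f"command {method} not allowed")
    if len(url) > policy.max_url_length:
        return ("block", f"url length exceeds {policy.max_url_length}")
    parts = urlsplit(url)
    host = parts.hostname or ""
    if policy.disallow_unicode_paths and _has_unicode(parts.path):
        return ("block", "unicode in path")
    if policy.disallow_unicode_queries and _has_unicode(parts.query):
        return ("block", "unicode in query")
    for m in policy.url_matches:
        if _url_match_hit(m, host, parts.path):
            if policy.match_action == "Deny":
                return ("block", f"url match: {m.match_type} {m.match_parameter} {m.url}")
            return ("allow", f"url match: {m.match_type} {m.match_parameter} {m.url}")
    if policy.match_action == "Allow" and policy.url_matches:
        return ("block", "no url match in allow list")   # assumption: Allow mode is a whitelist
    return ("allow", "ok")


# Constructed policy: deny a path prefix and an internal host suffix, restrict commands.
POLICY = ProxyUrlPolicy(
    url_matches=[
        UrlMatch("Contains", "Path", "/admin"),
        UrlMatch("Ends with", "Host", ".internal.example"),
    ],
    allowed_commands={"GET", "HEAD", "POST"},
)

if __name__ == "__main__":
    for method, url in [
        ("GET", "http://www.example.test/index.html"),
        ("GET", "http://www.example.test/admin/login"),
        ("GET", "http://db.internal.example/"),
        ("TRACE", "http://www.example.test/"),
        ("GET", "http://www.example.test/caf\u00e9"),
    ]:
        print(method, url, validate_request(method, url, POLICY))
```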
Option Definition
Protocol Parameters tab, when Protocol is HTTP with SSM TCP Proxy or HTTPS with SSM TCP Proxy
Logging of Accessed URLs
  • Yes — The URLs of sites that users access are included in generated log entries.
    Note: With HTTPS traffic, requires that the traffic is decrypted.
  • No — URLs are not included in generated log entries.
Optimized server stream fingerprinting
  • Yes — When matching connections to the Inspection rules, the server stream matching is done only for patterns that are valid for the client’s browser type and version.
  • No — All server stream patterns are matched.
Redirect to Proxy Server

(Engine only)

Select the Proxy Server to which the connections are redirected.

Note: The recommended method for forwarding traffic to a proxy service is to use Access rules.

(Optional) Specify the IP Address Translation Range (IPv4 only) and the Port Translation Range for the redirection. To specify a single IP address, enter the same IP address in both fields.

Note: This option is not supported for SSM Proxies.
Enforce Google SafeSearch
  • On — The engine modifies DNS replies for Google search engines to enforce Google's SafeSearch feature.
  • Off — The engine does not modify DNS replies.
HTTPS decryption and inspection

(HTTPS only)

Controls whether to decrypt HTTPS traffic.
  • For Application Identification — HTTPS traffic is decrypted for inspection only when application detection is used.
  • Yes — Enables HTTPS decryption and inspection.
  • No — HTTPS traffic is not decrypted for inspection.
HTTPS Inspection Exceptions

(HTTPS only)

Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption.

Click Select to select an HTTP Inspection Exceptions element.

Option Definition
Protocol Parameters tab, when Protocol is H.323
Allow related connections
  • On — The Protocol Agent monitors the H.323 connection and allows the related connections in Access and NAT rules.
  • Off — Disables the Protocol Agent.
Allow special logical channels through (No NAT)
  • Yes — Allows H.323 clients to open a special logical channel for audio and video without NAT.
  • No — Special logical channels are not allowed.
Option Definition
Protocol Parameters tab, when Protocol is IMAPS
IMAPS decryption and inspection Controls whether to decrypt SSL/TLS encryption.
  • For Application Identification — SSL/TLS traffic is decrypted for inspection only when application detection is used.
  • No — SSL/TLS traffic is not decrypted for inspection.
  • Yes — Enables SSL/TLS decryption and inspection.
IMAPS Inspection Exceptions Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption. Click Select to select an HTTP Inspection Exceptions element.
Option Definition
Protocol Parameters tab, when Protocol is MSRPC
Allow related connections
  • On — Allows responses sent by the endpoint mapper (EPM) service.
  • Off — Disables the Protocol Agent.
Allow MS Exchange Remote administration service
  • Yes — Allows remote administration of the Microsoft Exchange server through the Exchange System Attendant service.
  • No — Prevents remote administration.
Allow MS Exchange user services
  • Yes — Allows the normal use of the Microsoft Outlook client; the Protocol Agent allows the use of Exchange Database service, Directory service, Information Store service, MTA service, and Store service.
  • No — Prevents end-user services.
Allow any UUID in endpoint mapping
  • Yes — Allows other MSRPC requests in addition to Outlook/Exchange.
  • No — The Service allows only Outlook/Exchange traffic.
Allow other RPC traffic
  • Yes — Allows message types that are not supported by the Protocol Agent to bypass the control connection.
  • No — Allows only supported message types (bind, bind ack, request, and response).
Option Definition
Protocol Parameters tab, when Protocol is Oracle
Allow related connections
  • On — Allows database connection based on information in the listener connection.
  • Off — Disables the Protocol Agent.
Max. length allowed for one TNS packet Enter the maximum amount of TCP payload data that each Oracle TNS packet is allowed to carry.
Netmask for allowed server addresses Enter a netmask for limiting the allowed traffic. The value 255.255.255.255 allows the database connection only to the address in which the Oracle Listener service is located. The value 0.0.0.0 allows database connections to all addresses.
Set checksum to zero for modified TNS packets
  • Yes — Resets the header and packet checksums to zero when the Protocol Agent modifies the packet payload data.
  • No — Checksums remain even when the packet is changed.
Option Definition
Protocol Parameters tab, when Protocol is POP3S
POP3S decryption and inspection Controls whether to decrypt SSL/TLS encryption.
  • For Application Identification — SSL/TLS traffic is decrypted for inspection only when application detection is used.
  • No — SSL/TLS traffic is not decrypted for inspection.
  • Yes — Enables SSL/TLS decryption and inspection.
POP3S Inspection Exceptions Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption. Click Select to select an HTTP Inspection Exceptions element.
Option Definition
Protocol Parameters tab, when Protocol is Protocol Identification
SSL/TLS decryption and inspection Controls whether to decrypt SSL/TLS encryption.
  • For Application Identification — SSL/TLS traffic is decrypted for inspection only when application detection is used.
  • No — SSL/TLS traffic is not decrypted for inspection.
  • Yes — Enables SSL/TLS decryption and inspection.
HTTPS Inspection Exceptions Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption.
Option Definition
Protocol Parameters tab, when Protocol is RTSP
Allow related connections
  • On — Related RTP and RTCP connections initiated with RTSP are allowed through the engine.
  • Off — Disables the Protocol Agent.
Option Definition
Protocol Parameters tab, when Protocol is Shell
Allow related connections
  • On — Standard error (stderr) stream is allowed through the engine as a response to an RSH command.
  • Off — Disables the Protocol Agent.
Option Definition
Protocol Parameters tab, when Protocol is SIP
Allow related connections

(Engine only)

  • On — Allows SIP media connections based on the signaling connection.
  • Off — Disables the Protocol Agent.
Enforce client side media
  • Yes — Requires that the media stream uses the same client-side address as the transport layer.
  • No — Media stream can use any address.
Enforce server side media
  • Yes — Requires that the media stream uses the same server-side address as the transport layer.
  • No — Media stream can use any address.
Maximum number of calls The maximum number of calls allowed by the Access rule. If the value is 0, no limit is set for the number of calls.
Option Definition
Protocol Parameters tab, when Protocol is SMTP
Redirect to Proxy Server

(Engine only)

Select the Proxy Server to which the connections are redirected.

Note: The recommended method for forwarding traffic to a proxy service is to use Access rules.

(Optional) Specify the IP Address Translation Range (IPv4 only) and the Port Translation Range for the redirection. To specify a single IP address, enter the same IP address in both fields.

Note: This option is not supported for SSM Proxies.
Option Definition
Protocol Parameters tab, when Protocol is SSH or SSH with SSM TCP Proxy
Make protocol validation
  • On — Validates the SSH transfers according to the parameters defined in this dialog.
  • Off — Disables the Protocol Agent.
Bytes allowed from client before Server ID Amount of data that the client is allowed to send to the server before the server sends its own identification string.
Bytes allowed from server before Client ID Amount of data that the server can send to the client before the client sends its own identification string.
Bytes allowed from server before Server ID Amount of data that the server can send to the client before the server sends its own identification string.
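The three byte limits above are easiest to reason about as counters over the first segments of a connection. The following added example (not Forcepoint code) reproduces that check over a constructed sequence of client and server segments: it counts client bytes sent before the server's identification string, server bytes sent before the client's identification string, and server bytes (such as banner lines) sent before the server's own identification string, and reports which limits were exceeded. It assumes that an identification string is a segment beginning with `SSH-`, that a side's own identification string is not counted toward its "before own ID" limit, and that the limit values are placeholders.

```python
from typing import Dict, List, Tuple

# Constructed limit values (placeholders, not product defaults).
LIMITS = {
    "client_before_server_id": 1024,   # Bytes allowed from client before Server ID
    "server_before_client_id": 1024,   # Bytes allowed from server before Client ID
    "server_before_server_id": 256,    # Bytes allowed from server before Server ID
}


def is_id_string(segment: bytes) -> bool:
    # Assumption: an identification string is a segment that starts with "SSH-".
    return segment.startswith(b"SSH-")


def count_pre_id_bytes(events: List[Tuple[str, bytes]]) -> Dict[str, int]:
    """Count bytes each side sent before the relevant identification string was seen."""
    counts = {"client_before_server_id": 0, "server_before_client_id": 0, "server_before_server_id": 0}
    client_id_seen = server_id_seen = False
    for side, data in events:
        if side == "client":
            if not server_id_seen:
                counts["client_before_server_id"] += len(data)
            if is_id_string(data):
                client_id_seen = True
        elif side == "server":
            if not client_id_seen:
                counts["server_before_client_id"] += len(data)
            if not server_id_seen and not is_id_string(data):
                counts["server_before_server_id"] += len(data)   # e.g. banner lines before the ID
            if is_id_string(data):
                server_id_seen = True
        else:
            raise ValueError(f"unknown side {side!r}")
    return counts


def check_ssh_handshake(events: List[Tuple[str, bytes]], limits: Dict[str, int] = LIMITS) -> List[str]:
    """Return the names of the limits that the handshake exceeded (empty list = passes validation)."""
    counts = count_pre_id_bytes(events)
    return [name for name, value in counts.items() if value > limits[name]]


# Constructed segment sequences.
NORMAL = [
    ("server", b"* Authorized use only *\r\n"),     # banner line allowed before the server ID
    ("server", b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("client", b"SSH-2.0-OpenSSH_9.6\r\n"),
]
CLIENT_TALKS_FIRST = [
    ("client", b"A" * 1500),                        # non-SSH data pushed before any server ID
    ("server", b"SSH-2.0-x\r\n"),
    ("client", b"SSH-2.0-y\r\n"),
]
LONG_BANNER = [
    ("server", b"B" * 600),                         # banner far larger than the configured limit
    ("server", b"SSH-2.0-x\r\n"),
    ("client", b"SSH-2.0-y\r\n"),
]

if __name__ == "__main__":
    for name, events in (("normal", NORMAL), ("client first", CLIENT_TALKS_FIRST), ("long banner", LONG_BANNER)):
        print(name, count_pre_id_bytes(events), check_ssh_handshake(events))
```

With "Make protocol validation" On, a connection that trips one of these counters is what the Protocol Agent would refuse; tuning the limits upward only to accommodate a large pre-login banner is safer than disabling validation, because the client-side limit is what stops non-SSH data from being pushed through port 22 before the server has even identified itself.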
Option Definition
Protocol Parameters tab, when Protocol is SunRPC
Learn RPC program number to port mapping for future RPC service matches When selected, the Protocol Agent is enabled.
Option Definition
Protocol Parameters tab, when Protocol is TCP Proxy
Abort on close Timeout in seconds for aborting a connection counted from when one of the communicating parties initiates the connection closing. The connection is aborted by sending TCP Reset packets to the unresponsive endpoint. Setting this value to 0 disables this timeout (connections are left open).
Idle timeout Timeout in seconds for closing a connection after the latest transmission. Setting this value to 0 disables this timeout (connections are left open).
Use proxy
  • On — Enables the Protocol Agent.
  • Off — Disables the Protocol Agent.