Configuring Reverse Proxy Rules

You configure reverse proxy rules at the global-portal reverse-proxy-rules level. For more details on the command structure, see Configuring Rules Using UPL.

To create a reverse proxy rule, use the following command:

Admin@nodename# create global-portal reverse-proxy-rules <position> upl-rule <parameters>

Reverse proxy rule parameters:

Parameter

Description

PASS

OK

Action to create a rule using UPL.

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

Name of the reverse proxy rule.

Example: name("Reverse proxy rule example").

desc

A description of the rule.

Example: desc("Reverse proxy rule example set via CLI").

profile

Reverse proxy server for NGFW to forward requests to.

Example: profile("Reverse proxy server example").

url.port

Port on which NGFW will listen for inbound requests, e.g. url.port = 80.

is_https

HTTPS support:

  • is_https(yes) or is_https(true): use HTTPS.

  • is_https(no) or is_https(false): do not use HTTPS.

ssl_profile

SSL profile; specify when HTTPS is used: ssl_profile("Default SSL profile").

For more details about working with SSL profiles using the CLI, see Configuring SSL Profiles.

certificate

The certificate used to support HTTPS connections.

Specify when using HTTPS: certificate("Certificate example").

cert_auth_enabled

Authentication via certificate:

  • cert_auth_enabled(yes) or cert_auth_enabled(true): enable authorization via certificate.

  • cert_auth_enabled(no) or cert_auth_enabled(false): disable authorization via certificate.

src.zone

Traffic source zone.

To specify a source zone, such as Untrusted: src.zone = Untrusted.

For more details about how to configure zones using CLI, see the Zones section.

src.ip

Add source IP address or domain lists.

To specify a list of IP addresses: src.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a source domain list: src.ip = lib.url(). In parentheses, provide the name of the URL list to which the desired domains were added. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

src.geoip

Source GeoIP. Specify a country code (for example, src.geoip = AE).

See the list of ISO 3166-1 country codes.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

user

Users and user groups for which the reverse proxy rule applies. You can only add users if authorization via certificate is enabled.

To add LDAP groups and users, you need to have a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see the Configuring LDAP Connectors section).

The following line describes how to add a local user (local_user) and group (Local Group), an LDAP user (example.loc\AD_user), and an LDAP group (AD group):

user = (local_user, "CN=Local Group, DC=LOCAL", "example.loc\\AD_user", "CN=AD group, OU=Example, DC=example, DC=loc")

The Active Directory domain example.loc has already been configured. When adding LDAP users and groups, you can specify a list of paths on the server, starting from which the system will search for users and groups.

dst.ip

One of the external IP addresses of NGFW, which is available from the Internet and is the destination for the external client traffic.

To specify a list of IP addresses: dst.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a destination domain list: dst.ip = lib.url(). In parentheses, provide the name of the URL list to which the desired domains were added. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

dst.geoip

Destination GeoIP. Specify a country code (for example, dst.geoip = AE).

See the list of ISO 3166-1 country codes.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

request.header.User-Agent

The browser useragents to which this rule applies.

To specify a useragent: request.header.User-Agent = lib.useragent(). Provide the browser useragent category in parentheses.

For more details about how to create and configure your own lists using CLI, see Configuring Useragents.

rewrite_path

Substitute a URL domain and/or path in the user request. For example, this allows requests at http://www.example.com/path1 to be converted into requests at http://www.example.loc/path2. Specify: rewrite_path("http://www.example.com/path1", "http://www.example.loc/path2").

To edit a reverse proxy rule, use the following command:

Admin@nodename# set global-portal reverse-proxy-rules <position> upl-rule <parameters>

To view parameters of a reverse proxy rule, use the following command:

Admin@nodename# show global-portal reverse-proxy-rules <position>

Example of creating a reverse proxy rule:

Admin@nodename# create global-portal reverse-proxy-rules 1 upl-rule OK \
...url.port = 80 \
...src.zone = Untrusted \
...profile("Reverse proxy server1") \
...rewrite_path("example.com/path1", "example.local/path2") \
...name("Test reverse proxy rule") \
...desc("Test reverse proxy rule description") \
...enabled(true)
...
Admin@nodename# show global-portal reverse-proxy-rules 1
% ----------------- 1 -----------------
OK \
    url.port = 80 \
    src.zone = Untrusted \
    desc("Test reverse proxy rule description") \
    profile("Reverse proxy server1") \
    rewrite_path("example.com/path1", "example.local/path2") \
    enabled(true) \
    id("7dc7041a-6538-400b-8f1e-9b18287218ac") \
    name("Test reverse proxy rule")

To remove a reverse proxy rule, use the following command:

Admin@nodename# delete global-portal reverse-proxy-rules <position>
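
A pre-deployment check for the constraints in the parameter table, as an added example that is not part of the vendor documentation: it parses a rule body and reports an HTTPS rule with no ssl_profile or certificate, a user condition without cert_auth_enabled, and more than 15 GeoIP codes. The parenthesised list form for several GeoIP codes is an assumption modelled on the user example, the sample rule is constructed, and how NGFW itself responds to such rules is not stated on this page.

```python
import re

GEOIP_LIMIT = 15          # limit this page states for src.geoip / dst.geoip
TRUE = {"yes", "true"}

# A token is  key = value  (bare word, lib.x("..."), or a parenthesised list)
# or  name(args). Quoted strings may contain commas and '='.
_ARGS = r'(?:"[^"]*"|[^()"])*'
TOKEN = re.compile(
    r'(?P<key>[A-Za-z_][\w.\-]*)\s*=\s*'
    rf'(?P<val>\({_ARGS}\)|[\w.]+\({_ARGS}\)|[^\s\\]+)'
    rf'|(?P<fn>[A-Za-z_]\w*)\((?P<args>{_ARGS})\)')

def parse_rule(text):
    """Return (calls, assigns) for a UPL rule body as typed or as shown."""
    calls, assigns = {}, {}
    for m in TOKEN.finditer(text):
        if m.group("key"):
            assigns[m.group("key")] = m.group("val")
        else:
            calls[m.group("fn")] = m.group("args").strip()
    return calls, assigns

def list_items(value):
    """Items of a bare value or of a parenthesised list (assumed GeoIP form)."""
    return re.findall(r'"[^"]*"|[^\s,()]+', value)

def lint_rule(text):
    """Check a rule against the constraints stated in the parameter table."""
    calls, assigns = parse_rule(text)
    findings = []
    if calls.get("is_https", "").lower() in TRUE:
        for needed in ("ssl_profile", "certificate"):
            if not calls.get(needed):
                findings.append(f"is_https is on but {needed}() is not set")
    if "user" in assigns and calls.get("cert_auth_enabled", "").lower() not in TRUE:
        findings.append("user is set but cert_auth_enabled is not on")
    for key in ("src.geoip", "dst.geoip"):
        count = len(list_items(assigns.get(key, "")))
        if count > GEOIP_LIMIT:
            findings.append(f"{key} lists {count} codes, limit is {GEOIP_LIMIT}")
    return findings

# Constructed sample rule; object names are the placeholders used on this page.
SAMPLE = r'''OK \
...url.port = 443 \
...is_https(yes) \
...ssl_profile("Default SSL profile") \
...user = (local_user, "CN=Local Group, DC=LOCAL") \
...name("Constructed HTTPS rule")'''
```

Calling lint_rule(SAMPLE) returns two findings: the missing certificate() and the user condition without certificate authorization.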