Description

The Upstream Proxy feature of NGFW redirects HTTP(S) traffic that arrives at the NGFW proxy to another proxy, so that proxies can be cascaded into a chain in which one proxy's traffic is forwarded to the next. Cascading of this kind is typically used to keep communications private or to reach region-locked content; it also simplifies integrating new regional offices into an existing global corporate proxy hierarchy.

Upstream Proxy works only when NGFW operates in Explicit Proxy mode, that is, when the IP address and port of the NGFW proxy are configured explicitly in the client's web browser or other application.

When the client requests an external resource, two TCP sessions are created:

  • The first session: client --- NGFW. The client connects to NGFW directly; for HTTPS the session starts with an HTTP CONNECT request that names the target host and port (for plain HTTP it starts with a request carrying the absolute URI).

  • The second session: NGFW --- upstream proxy. Unlike the classic explicit proxy scenario, this session is established between NGFW and the next (upstream) proxy rather than with the end server. For the Firewall section, the traffic from NGFW to the upstream proxy is transit traffic. Note that in Upstream Proxy mode the destination IP of this traffic is the upstream proxy's IP, not the end server's. A deny rule configured earlier against the end server's destination IP addresses will therefore not trigger; restrictions that depend on the end server cannot rely on the destination address of this session.
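To make the two sessions concrete, here is an added Python example (not UserGate code and not part of the original article). It parses the client's CONNECT from the first session, builds the CONNECT the NGFW re-issues to the upstream proxy in the second session, and shows that a Firewall deny rule on the end server's address range matches the classic explicit-proxy session but not the chained one. The addresses 192.0.2.1 (NGFW), 203.0.113.10:3128 (upstream proxy), 198.51.100.23 (origin) and the hostname blocked.example are constructed for the example; `open_chained_tunnel` performs the second session against a real upstream proxy and is not exercised by `demo()`.

```python
"""
Added example (not UserGate code): the two TCP sessions of a cascaded explicit
proxy and why a Firewall deny rule keyed on the end server's IP does not match
the NGFW -> upstream proxy session. All addresses and hostnames are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import socket

NGFW_PROXY = ("192.0.2.1", 8090)          # assumed NGFW explicit-proxy listener
UPSTREAM_PROXY = ("203.0.113.10", 3128)   # assumed upstream proxy in the chain
ORIGIN_RESOLVED = {"blocked.example": "198.51.100.23"}  # constructed DNS answer
DENY_RULE_DST = "198.51.100.0/24"         # Firewall deny rule on the origin's range


def parse_connect(request: bytes) -> tuple[str, int]:
    """First session (client -> NGFW): extract host and port from the CONNECT request line."""
    request_line = request.split(b"\r\n", 1)[0].decode("ascii")
    method, authority, _version = request_line.split(" ")
    if method != "CONNECT":
        raise ValueError(f"expected CONNECT, got {method}")
    host, sep, port = authority.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"bad authority {authority!r}")
    return host, int(port)


def build_upstream_connect(host: str, port: int) -> bytes:
    """Second session (NGFW -> upstream proxy): the CONNECT re-issued to the upstream.
    The target authority is passed through unchanged; only the TCP peer differs."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def second_session(host: str, port: int, chained: bool) -> Flow:
    """Destination of the NGFW's outbound TCP session for a tunnel to host:port."""
    if chained:
        # Upstream Proxy mode: NGFW connects to the upstream proxy and never
        # opens a TCP session to (or resolves) the end server itself.
        return Flow(NGFW_PROXY[0], UPSTREAM_PROXY[0], UPSTREAM_PROXY[1])
    # Classic explicit proxy: NGFW connects to the end server directly.
    return Flow(NGFW_PROXY[0], ORIGIN_RESOLVED[host], port)


def deny_rule_matches(rule_dst: str, flow: Flow) -> bool:
    """A Firewall rule keyed only on destination address fires only if dst lies inside it."""
    return ip_address(flow.dst) in ip_network(rule_dst)


def demo(client_request: bytes = b"CONNECT blocked.example:443 HTTP/1.1\r\n"
                                 b"Host: blocked.example:443\r\n\r\n") -> dict:
    """Compare the deny rule's effect on the direct and the chained second session."""
    host, port = parse_connect(client_request)
    direct = second_session(host, port, chained=False)
    chained = second_session(host, port, chained=True)
    return {
        "direct_denied": deny_rule_matches(DENY_RULE_DST, direct),    # True
        "chained_denied": deny_rule_matches(DENY_RULE_DST, chained),  # False
        "chained_dst": (chained.dst, chained.dport),
    }


def open_chained_tunnel(host: str, port: int, upstream=UPSTREAM_PROXY,
                        timeout: float = 5.0) -> socket.socket:
    """Perform the second session against a live upstream proxy (not run by demo()):
    TCP-connect to the upstream, send CONNECT for host:port and return the socket
    once the upstream answers 200; bytes relayed on it then reach the end server."""
    s = socket.create_connection(upstream, timeout=timeout)
    try:
        s.sendall(build_upstream_connect(host, port))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("upstream proxy closed the connection")
            reply += chunk
        status = reply.split(b"\r\n", 1)[0].split(b" ")
        if len(status) < 2 or status[1] != b"200":
            raise ConnectionError(f"upstream refused tunnel: {status!r}")
    except Exception:
        s.close()
        raise
    return s


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one the section warns about: in the chained case the only destination the Firewall section ever sees is 203.0.113.10:3128, so a rule written against 198.51.100.0/24 has nothing to match, even though the client is tunnelling to a host in that range.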

The traffic processing algorithm (packet flow) is similar to the processing algorithm in explicit proxy server mode.

An incoming packet is first matched against the zone rules in the DoS, Spoofing block. For Upstream Proxy to work, the HTTP(S) proxy service must be enabled in the settings of the zone on which the client traffic arrives; otherwise the packets are dropped.

The packet is then processed in the Gateways, PBR block, where it is marked for subsequent use in routing rules.

The packets then arrive unmodified at the CHECK section, where all traffic is checked against the inspection and content filtering rules and for membership in the ICAP, reverse proxy, web portal, SCADA, or mail security services. The check is performed step by step according to the algorithm configured for the CHECK section (see the "UserGate NGFW Packet Flow" article for details). After passing the CHECK section, the traffic proceeds to the License, Routing, and subsequent sections.