Download the certificate authority for web filtering
When you create a firewall rule for web filtering in web proxy mode, you must download the built-in SecurityAppliance_SSL_CA certificate authority (CA) and install it on endpoints.
Create a firewall rule for web filtering
Here's an example of a firewall rule for web filtering.
To create a firewall rule, do as follows:
- Go to Rules and policies > Firewall rules, select IPv4 or IPv6, and click Add firewall rule.
- Select New firewall rule.
- Enter a name for the rule.
- In Source zones, select a zone. For example, LAN.
- In Source networks and devices, select a network.
- In Destination zones, select a zone. For example, WAN.
- In Destination networks, select a network.
- Under Security features, expand Web filtering.
- Select a web policy, and turn on Scan HTTP and decrypted HTTPS and Use web proxy instead of DPI engine.
- Click Save.
Download the certificate authority
To download the CA, do as follows:
- Go to Certificates > Certificate authorities.
- Click Default, and make sure you've configured all the settings for the default CA.
- On the Certificate authorities page, download the SecurityAppliance_SSL_CA certificate authority.
  Alternatively, go to Web > General settings, under HTTPS scanning certificate authority (CA), select SecurityAppliance_SSL_CA, and download it.
Install the CA on the endpoints
You must install the SecurityAppliance_SSL_CA certificate authority on the endpoints of the source network you selected in the firewall rule. See Add a CA manually to endpoints.
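Because the downloaded file becomes a trust anchor on every endpoint, it is worth checking it before distribution. The following is an added example, not part of the product documentation: it confirms that the file matches a SHA-256 fingerprint you recorded from a trusted copy, that it is marked as a CA, and that it is not about to expire. It assumes the `openssl` command-line tool and a PEM-encoded download; the function names and the 30-day threshold are hypothetical.

```bash
#!/bin/sh
# Added example: pre-deployment check for an HTTPS-inspection CA file.
# Assumptions: openssl CLI is installed; the CA was downloaded in PEM format.

# Print the SHA-256 fingerprint as bare upper-case hex (empty if unparsable).
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# check_inspection_ca FILE EXPECTED_SHA256 [MIN_DAYS]
# Return codes: 0 ok, 2 not a certificate, 3 fingerprint mismatch,
#               4 not a CA certificate, 5 expires within MIN_DAYS.
check_inspection_ca() {
    local pem="$1" want got min_days="${3:-30}"
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    got=$(ca_fingerprint "$pem")
    [ -n "$got" ] || { echo "FAIL: $pem is not a PEM certificate" >&2; return 2; }
    [ "$got" = "$want" ] || { echo "FAIL: fingerprint mismatch, got $got" >&2; return 3; }
    openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' \
        || { echo "FAIL: basicConstraints is not CA:TRUE" >&2; return 4; }
    openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "FAIL: certificate expires within $min_days days" >&2; return 5; }
    echo "OK: $pem sha256=$got"
}

# Constructed sample input for trying the check offline: a throwaway
# self-signed certificate with the CA flag set to TRUE or FALSE.
# make_demo_cert OUT.pem TRUE|FALSE DAYS
make_demo_cert() {
    local dir
    dir=$(mktemp -d)
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ext' \
        'prompt=no' '[dn]' 'CN=Constructed Demo CA' \
        '[ext]' "basicConstraints=critical,CA:$2" > "$dir/c.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$dir/c.cnf" \
        -keyout "$dir/k.pem" -out "$1" -days "$3" >/dev/null 2>&1
    rm -rf "$dir"
}

# When run with arguments, check the given file:
#   sh check_ca.sh <downloaded-ca.pem> <expected-sha256> [min-days]
if [ "$#" -ge 2 ]; then
    check_inspection_ca "$@"
fi
```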