mode - Set or get general modes (features)
mode [(router | dns | dhcp | snat | firewall | vlan | ha | qos) [(on | off)]]
mode [((forward | web) | (rweb | reverse) | (tweb | transparent) | sslmediate | anonymous | ftppassive | guard | waf | antivirus | authenticate | cache | compress | log) [(on | off)]]
This command is used to set or to get general appliance modes. There are two categories: network related modes and feature modes. Network related modes are: router, dns, dhcp, snat (source NAT), firewall, vlan, ha (High Availability) and qos (Quality of Service) modes.
Feature modes are: web, rweb, anonymous, ftppassive, transparent (or tweb), sslmediate, guard, cache, compress, waf, log and authenticate modes. To activate a mode just follow the mode name by the keyword on. The keyword off is used to deactivate the mode.
A basic deployment is to use the appliance as a gateway router to access the Internet (or the external world). In this situation all traffic is routed via the appliance (the appliance is then the default gateway for all clients). To use the appliance as the gateway to access the Internet, activate the router mode with the keyword router.
The appliance may act as a caching-only domain name server. The dns keyword is used to turn on/off the access to the embedded dns. Only clients allowed to access the appliance are allowed to connect to the embedded dns (see the command access).
The appliance may act as a DHCP server. The dhcp keyword is used to turn on/off the embedded DHCP server. See the command dhcp to configure the DHCP server.
The snat mode is used to activate or deactivate the appliance's Source NAT (Network Address Translation) mode. When snat is activated, the source IP address of every packet leaving the external network interface is translated to the external IP address of the appliance (see the command ip). This is useful when internal clients do not have a public IP address and use the appliance box as their gateway to access the Internet. In a complex network configuration with lots of firewall rules it is preferable to deactivate this mode as it can make the network configuration more complicated.
By default, the appliance acts as a stateful firewall allowing only those connections coming from the internal area (incoming on the internal network interface) and going to the external area (outgoing on the external network interface). When the appliance is used in gateway mode and an internal object acts as a server for incoming connections from the external area, you may want to deactivate the firewall mode. Deactivating the firewall mode exposes your internal clients to attacks from the external world. In this case it is highly recommended to use your own firewall. Note that the appliance acts as an implicit firewall when it is used as a Web Gateway/Proxy; it is not a complete configurable firewall. To turn on/off the firewall mode use the keyword firewall.
To activate the vlan (Virtual LAN) mode, use the vlan parameter. VLANs are associated to the internal network interface for different types of access. When using VLANs, the real internal network interface is no longer available.
The ha (High Availability) mode provides continuity of service in case of failures. The ha mode requires two or more combined appliances to make a virtual appliance based on redundant appliances using vrrp (Virtual Router Redundancy Protocol). See the command vrrp to configure the HA mode.
The qos (Quality of Service) mode allows you to share the total bandwidth unequally between different types of flows. See the command qos to configure the QoS mode.
Use the web (or forward) keyword to activate or deactivate the forwarding proxy. In forwarding proxy mode, clients are located in the internal area (behind the appliance) while Web servers are located in the external area (Internet). In this mode, clients are protected against threats coming from the Internet.
Use the tweb (or transparent) keyword to activate or deactivate transparent proxy traffic interception. When the transparent mode is turned off, the proxy IP address and its port number must be set on client browsers (Mozilla, Netscape, Internet Explorer...). When the transparent mode is turned on, this setting is not required; the network architecture must therefore route Web requests via the appliance. Note that the transparent mode does not operate when the authenticate mode is activated.
Use the sslmediate keyword to activate or deactivate SSL mediation. The SSL mediation feature allows you to decrypt HTTPS traffic at the gateway in order to cache it, inspect its contents and possibly block unwanted contents. When the SSL mediation mode is turned off, the HTTP CONNECT method is used to establish point-to-point tunnels through the system connecting Web users to HTTPS servers. Without SSL mediation the system fully respects Web users' privacy and does not decrypt the content of HTTPS traffic. The downside of having SSL mediation off is that, as the HTTPS traffic is encrypted, unwanted contents like viruses can reach Web users without the system having the opportunity to block them. Also, because of the HTTPS protocol, encrypted objects can't be cached by the system.
When the SSL mediation mode is turned on, the system decrypts HTTPS traffic, inspects its content and re-encrypts it before forwarding it to the final client. In the process of re-encrypting the traffic the system uses a dynamically generated SSL certificate signed by its own CA (Certificate Authority) certificate. In this case clients should trust that CA certificate by importing it into their Web browsers. The CA certificate of the system is available at http://<internal-ip-address> (or http://<web-ip-address> if the vlan mode is activated). CAUTION: please note that as HTTPS aims to give users privacy and security, decrypting it in the middle (before it reaches the final client) may violate ethical norms and should be used with caution.
Use the rweb (or reverse) keyword to activate or deactivate the reverse proxy feature. In reverse proxy mode, clients are located in the external area (Internet) while Web servers are located in the internal area (behind the appliance). In this mode, Web servers are protected against Internet attacks.
Please note that at least one of the web, tweb or rweb modes must be activated.
The anonymous mode hides some HTTP headers to make requests and responses anonymous. Hidden headers are: "From", "Referer", "Server" and "Link". In addition when the appliance is configured to use a next peer (see the command peer), the anonymous mode hides local client IP addresses.
When the appliance tries to connect to external FTP servers, it may use the passive or the active mode. The ftppassive mode is used to activate or deactivate the FTP passive mode. To activate the passive mode use the keyword ftppassive followed by the keyword on (recommended).
The guard mode is used to allow or deny Web users access to defined Web sites. The guard mode is based on black or white lists of domain names, URLs or regular expressions (commonly named URL lists). See the command guard to manage the guard policies. The guarding feature is only available when the appliance is configured in forwarding proxy mode (web mode) and allows you to control access to requested URLs. To control the content of Web requests (GET and POST methods) in reverse mode (rweb mode), activate the waf mode (see below).
The waf keyword is used to turn on/off the Web Application Firewall, used in reverse mode (rweb mode) to protect Web servers. When this mode is activated, the system inspects all inbound requests and filters unwanted and/or malicious requests. See the command waf to manage the filtering policy.
The antivirus keyword is used to turn on/off the antivirus mode. In this mode, the system inspects all Web traffic in forwarding mode (web mode) and blocks malware objects (viruses, trojans, worms). You can also combine this mode with the waf mode to block all attempts to upload malware onto your protected Web servers (rweb mode). See the command antivirus to manage the filtering policies. Note that activating the antivirus clears the persistent cache (to optimize virus checking, once an object has been verified by the antivirus and cached, it is never verified again).
Web accesses may be controlled by an external authentication system. The keyword authenticate allows you to turn on/off this feature. When the authentication is activated, only authenticated Web users are allowed to access the Web. Note that the authenticate mode does not operate in transparent mode. See the command authenticate for further information.
The cache keyword is used to turn on/off the caching mode. The caching mode saves browsed Web objects in an internal cache, allowing them to be served for future requests instead of being fetched again from the Internet. This saves bandwidth and in some cases improves performance.
To reduce internal bandwidth consumption the compress mode can be activated. This is especially interesting when clients and the appliance box are connected via a low-bandwidth WAN. Compression may reduce the size of an HTML file by 80%. Note that this mode requires large CPU resources. Use the keyword compress to set the compression mode.
The appliance may log all Web accesses or only denied accesses to unauthorized contents (viruses, blacklisted URLs...). The keyword log allows you to turn on/off this feature (see the command log to fine-tune the logging).
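The description above states several rules about which modes work together: at least one of web, tweb or rweb must be on; tweb does not operate with authenticate; guard is a web-mode feature; waf is an rweb-mode feature; antivirus covers web-mode traffic, or rweb uploads when combined with waf; switching the firewall off exposes internal clients; and sslmediate requires clients to trust the appliance CA. The following checker is an added example, not CacheGuard's own code: it parses lines written in the "mode <name> on|off" syntax of the synopsis (including the forward/reverse/transparent aliases) and reports any combination that contradicts those rules, so a configuration can be reviewed before it is applied. The sample configuration at the bottom is constructed.

```python
"""Constructed example: a checker for a set of CacheGuard ``mode`` settings.

It encodes the combination rules stated on the mode(1) page and is not
CacheGuard's own code. It does not talk to an appliance: it reads lines in the
CLI syntax 'mode <name> on|off' and reports findings.
"""

NETWORK_MODES = {"router", "dns", "dhcp", "snat", "firewall", "vlan", "ha", "qos"}
FEATURE_MODES = {"web", "rweb", "tweb", "sslmediate", "anonymous", "ftppassive",
                 "guard", "waf", "antivirus", "authenticate", "cache", "compress", "log"}
# Keyword aliases listed in the synopsis.
ALIASES = {"forward": "web", "reverse": "rweb", "transparent": "tweb"}


def parse_mode_lines(lines):
    """Parse lines of the form 'mode <name> on|off' into {canonical_name: bool}.

    Blank lines and '#' comments are skipped; anything else that is not a
    complete 'mode <name> on|off' command is rejected.
    """
    state = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "mode":
            raise ValueError(f"not a 'mode <name> on|off' command: {raw!r}")
        name = ALIASES.get(parts[1], parts[1])
        if name not in NETWORK_MODES | FEATURE_MODES:
            raise ValueError(f"unknown mode {parts[1]!r}")
        if parts[2] not in ("on", "off"):
            raise ValueError(f"expected on|off, got {parts[2]!r}")
        state[name] = parts[2] == "on"
    return state


def check_modes(state):
    """Return a list of (severity, message) findings for a parsed mode set."""
    def on(mode):
        return state.get(mode, False)

    findings = []
    if not (on("web") or on("tweb") or on("rweb")):
        findings.append(("error", "at least one of web, tweb or rweb must be on"))
    if on("tweb") and on("authenticate"):
        findings.append(("error", "tweb (transparent) does not operate with authenticate on"))
    if on("guard") and not on("web"):
        findings.append(("warning", "guard only applies in forwarding proxy (web) mode"))
    if on("waf") and not on("rweb"):
        findings.append(("warning", "waf only protects servers in reverse proxy (rweb) mode"))
    if on("antivirus") and not (on("web") or (on("rweb") and on("waf"))):
        findings.append(("warning", "antivirus inspects web-mode traffic, or rweb uploads together with waf"))
    if state.get("firewall") is False:  # explicitly switched off (default is on)
        findings.append(("warning", "firewall off exposes internal clients; rely on your own firewall"))
    if on("sslmediate"):
        findings.append(("info", "sslmediate on: clients must trust the appliance CA certificate"))
    return findings


def lint(lines):
    """Parse the CLI lines, then check the resulting mode set."""
    return check_modes(parse_mode_lines(lines))


if __name__ == "__main__":
    # Constructed sample: a forwarding proxy that also tries transparent
    # interception together with authentication, which the page rules out.
    sample = [
        "# forwarding proxy with content control",
        "mode web on",
        "mode guard on",
        "mode transparent on",
        "mode authenticate on",
        "mode sslmediate on",
    ]
    for severity, message in lint(sample):
        print(f"{severity}: {message}")
```

The checker only sees the mode keywords, so rules that depend on other commands (for example that anonymous hides client addresses only when a peer is configured) are out of its scope; extend it with the output of those commands if you want those checks too.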
See also: access(1), antivirus(1), apply(1), authenticate(1), dhcp(1), ip(1), guard(1), log(1), peer(1), sslmediate(1), tls(1), transparent(1), vlan(1), vrrp(1)
CacheGuard Technologies Ltd <www.cacheguard.com>
Send bug reports or comments to the above author.
Copyright (C) 2009-2018 CacheGuard - All rights reserved