How To Enable Secure Web Gateway?
You might already be using a secure web gateway (SWG). But did you know that you can also use it to restrict access to your network from the Internet? In addition, you can use it to prevent unauthorized users from accessing sensitive information or data.
Enabling a secure web gateway (or SWG) is a simple process.
You can do it in a few easy steps:
1: Configure your firewall by specifying the ports you want to block.
2: Enable the secure web gateway (SWG).
3: Create access rules for the protected subnets (or hosts) on your network.
Configuration Guide
Step 1: Configure a Local Traffic Policy that specifies which protocols or traffic you want to allow or block, and apply it to all interfaces or to specific interfaces on the device. For example, if you want to allow Telnet connections from trusted networks but block them from untrusted networks, create a Local Traffic Policy with those two rules and apply it to all interfaces on your device or only to the interface(s) that serve your LAN segments.
Step 2: If other users on your network have direct Internet access, configure an outbound ACL (iACL) in order to block traffic that doesn’t match an existing connection. In other words, if a user on your network is trying to reach an Internet host that is not part of a current connection, then it won’t be allowed through the ACL.
In this case, create an outbound ACL that blocks traffic not matching an existing connection, as described above. Apply this ACL only to the interface(s) where users have direct Internet access. Before applying it, make sure that other ACLs on those interfaces don’t already allow the same traffic, or deny traffic on other criteria, so that the two policies don’t conflict.
Step 3: Enable the secure web gateway (SWG) feature and configure access rules for the protected subnets (or hosts) on your network. This can be done by creating an inbound ACL that allows traffic from the Internet and applying it to the interface(s) that connect to your LANs.
Use the following steps to create an inbound ACL:
Step 1: Create an inbound ACL that allows connections based on protocols, ports, source and destination IP addresses, source and destination subnets, etc. An example follows:
Step 2: Enable the secure web gateway (SWG) feature. In order to use SWG, you must enable an interface as a secure web gateway (SWG) interface. For example, if you want to allow connections from the Internet to servers on your LANs, enable the interface connected to your Internet connection as an SWG interface.
If you want to allow connections from trusted hosts on your LANs to hosts on the Internet, enable the interface connected to your trusted network segment as an SWG interface.
Step 3: Create access rules for the protected subnets (or hosts) on your network. This can be done by creating an outbound ACL that allows traffic from the Internet and applying it to the interface(s) that connect to your LANs. An example follows:
If you have specific requirements for securing access to LAN-based resources such as FTP servers or SMTP servers, create an inbound or outbound ACL based on these criteria and apply it accordingly.
In order for SWG features such as iACLs and oACLs to work properly, you must also enable logging. You can do so by enabling logging of denied packets per firewall rule instead of per packet, by enabling Syslog Server or Syslog Client logging, by enabling logging of dropped packets, and so forth.
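The following is an added example, not part of the original guide or any vendor's product: a small Python model of an ordered ACL as described in the steps above, with first-match evaluation, an implicit deny at the end, the "existing connection passes" behaviour from Step 2, and per-rule logging of denied packets. The LAN 192.0.2.0/24, the trusted network 10.0.0.0/8 and all packet addresses are constructed sample values.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "proto src sport dst dport")  # one packet header (constructed input)

@dataclass
class Rule:
    action: str             # "permit" or "deny"
    proto: str = "any"      # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"  # source subnet
    dst: str = "0.0.0.0/0"  # destination subnet
    dport: int = 0          # destination port, 0 = any

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (0, p.dport))

@dataclass
class AccessList:
    """Ordered ACL: first matching rule wins; unmatched traffic hits the implicit deny."""
    rules: list
    connections: set = field(default_factory=set)  # state table of permitted 5-tuples
    log: list = field(default_factory=list)        # denied packets, with the rule that denied them

    def evaluate(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Step 2: packets of an existing connection (either direction) pass without a rule lookup
        if fwd in self.connections or rev in self.connections:
            return "permit"
        for idx, rule in enumerate(self.rules):
            if rule.matches(p):
                if rule.action == "permit":
                    self.connections.add(fwd)  # remember it so replies are allowed
                else:
                    self.log.append(f"DENY {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} rule={idx}")
                return rule.action
        self.log.append(f"DENY {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} rule=implicit")
        return "deny"

def build_example_acl() -> AccessList:
    """Inbound ACL for the constructed LAN 192.0.2.0/24; 10.0.0.0/8 plays the trusted network."""
    return AccessList(rules=[
        Rule("permit", "tcp", dst="192.0.2.0/24", dport=443),                   # web servers, any source
        Rule("permit", "tcp", src="10.0.0.0/8", dst="192.0.2.0/24", dport=23),  # Telnet from trusted nets
        Rule("deny", "tcp", dst="192.0.2.0/24", dport=23),                      # Telnet from anywhere else
    ])
```

Telnet from an untrusted source is denied and logged against rule 2, while a reply from the web server to a client that was already permitted passes on the state table alone.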