Manage Secure Web Gateway
  • 03 Nov 2024


      Understanding Secure Web Gateway (SWG)

      Elevate your organization's web security with the Secure Web Gateway feature, using predefined categories constantly updated by Harmony SASE or your own custom configurations.

      Administrators and IT managers can use our SWG to enforce organization security policies directly on endpoint devices to control the web traffic generated by each Member and device while managing the actual Rules, the Members on which they apply,

      The Web Security feature provides the ability to control Member or Member Groups' access to URLs and/or IP addresses based on predefined categories, custom URLs, used devices, time-based conditions, and more.  

      TLS / SSL Inspection
      The SWG feature inspects TLS traffic through the Harmony SASE agent on port 443.
      Granular Activation
      Secure Web Gateway rules will only apply to the users and groups explicitly specified in the Secure Web Gateway rule.

      How to Set Up Secure Web Gateway

      The Secure Web Gateway is pre-configured with default Bypass rules. You can use or modify these rules as needed.

      Configure Web Filter Rules

      To configure Web Filter Rules, go to the Internet Access tab in the Harmony SASE Management Console platform:

      1. Navigate to Internet Access > Web Filter Rules.
      2. Add the relevant Web Filter Rules by clicking on (+) Add New Rule:
        • Name - The name of the Rule to identify its purpose
        • Action - The type of Action that should be applied on the web traffic when the Rule is matched (Allow, Deny, or Warn).
          • Deny - Web traffic is blocked.
          • Allow - Web traffic is allowed.
          • Warn - Web traffic is allowed, and an alert is triggered in the Monitoring Logs.
        • Source - The specific Groups or Members to which the Web Filter Rule should be applied.
        • Destination - The destination of the web traffic generated by the Source (Managed categories and/or Custom URLs)
        • Conditions - When the Web Filter Rule should be enforced (Anytime / At specific days and times)
      3. Once the Web Filter Rules are defined, click the blue Apply button at the bottom of the screen.
      4. Toggle the Status indicator to the right (it should become green) and click the blue Enable button.

        Disclaimer
        The Secure Web Gateway (SWG) does not support wildcards. However, you can block the domain and its subdomains within the same object. URLs containing protocols, queries, parameters, or anchors are not supported.

      Bypass Rules

      All Rules in the Bypass Rules section will override the rules defined in the Web Filtering Rules.

      In other words, traffic that matches a Bypass Rule (i.e., sensitive data, private browsing, etc.) will not be inspected by SWG and will be routed directly to its destination. 

      A vital use of the Bypass Rules is to allow web traffic for Groups or Members and for specific OS processes running on the client device, because applications that use certificate pinning may fail when their TLS traffic is inspected.

      Configure Bypass Rules

      1. Navigate to Internet Access > Bypass Rules.
      2. Click on (+) Add New Rule
      3. Add the relevant Web Filter Rules by clicking on (+) Add New Rule:
        • Name - The name of the Rule to identify its purpose
        • Source - The specific Group or a Member on whose web traffic the rule should be applied.
          SWG Bypass rules
          In the Bypass Rules section, you can define which Groups or Members are generating the web traffic and allow specific OS processes (such as Slack, Zoom, Teams, etc.) to bypass your Web Filter Rules.
        • Destination - The destination of the web traffic that is generated by the Source (Managed Categories, Domains, and/or Custom URLs)

      4. Once you've defined the Bypass Rules, click the blue Apply button at the bottom of the screen.

      Bypass criteria

      Programs - Configure a specific program, application, or process name to be ignored by SWG.
      Web Categories - Choose from a list of predefined categories, which are updated daily.
      Domains - Configure specific domains which will be bypassed and not inspected by SWG.

      Prioritizing Rules

      All Web Filter and Bypass Rules are prioritized based on order (#1 being the top priority). All web traffic packets are checked against the Rules top-down until one matches (i.e., once an inspected packet matches a Rule, it is not checked against Rules with a lower priority).

      The Web Filter Rule Default Action (if no rule is defined) is set to ALLOW.
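
The ordering described above can be modeled offline to find rules that can never fire before they are applied in the console. The following is an added example, not Harmony SASE code: the `Rule` structure, the rule names and domains are constructed, it assumes a domain entry also covers its subdomains, and it ignores time Conditions, Programs and Web Categories.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str      # "Allow", "Deny" or "Warn"; "Bypass" for Bypass Rules
    sources: set     # Group / Member names the rule applies to
    domains: set     # bare domains (assumption: an entry also covers its subdomains)

def domain_matches(host, entry):
    host, entry = host.lower().rstrip("."), entry.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)

def rule_matches(rule, identities, host):
    return bool(rule.sources & identities) and any(
        domain_matches(host, d) for d in rule.domains)

def evaluate(bypass_rules, filter_rules, identities, host):
    """Model of the documented order: Bypass Rules first, then Web Filter
    Rules top-down, first match wins, default action Allow."""
    for rule in bypass_rules:
        if rule_matches(rule, identities, host):
            return ("Bypass", rule.name)
    for rule in filter_rules:
        if rule_matches(rule, identities, host):
            return (rule.action, rule.name)
    return ("Allow", None)

def shadowed_rules(rules):
    """(later, earlier) pairs where the earlier rule matches everything the
    later one can match, so the later rule is never reached."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if later.sources <= earlier.sources and all(
                    any(domain_matches(d, e) for e in earlier.domains)
                    for d in later.domains):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed sample policy (names and domains are illustrative only).
BYPASS = [Rule("Pinned apps", "Bypass", {"All Members"}, {"meet.example"})]
FILTER = [
    Rule("Allow vendor", "Allow", {"Engineering"}, {"example.com"}),
    Rule("Block uploads", "Deny", {"Engineering"}, {"files.example.com"}),
    Rule("Warn social", "Warn", {"All Members"}, {"social.example"}),
]
```

In this sample the Deny rule for `files.example.com` sits below a broader Allow for `example.com`, so `shadowed_rules(FILTER)` reports it and `evaluate` returns Allow for that host; moving the Deny rule above the Allow rule restores the block.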

      Changing Rule Prioritization

      1. Navigate to Internet Access -> Web Filter Rules / Bypass Rules

      2. Drag the right-hand side of the desired Rule up or down to change its prioritization.

      3. Once you've defined the Rules priorities, click the blue Apply button at the bottom of the screen.

      Troubleshooting

      If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

      Support Contacts

      If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.

