Manual Chapter :
BIG-IP APM Secure Web Gateway Overview
Applies To:
Show Versions
BIG-IP APM
- 16.0.1, 16.0.0, 15.1.0
BIG-IP APM Secure Web Gateway Overview
About APM Secure Web
Gateway
BIG-IP Access Policy Manager (APM) implements a Secure Web Gateway (SWG) for
outbound access by providing access control based on URL categorization to forward proxy. With
APM, you can create a configuration to protect your network assets and end users from threats,
and enforce a use and compliance policy for Internet access. Users that access the Internet from
the enterprise go through APM, which can allow or block access to URL categories or indicate that
the user should confirm the URL before access can be allowed.
Benefits of using APM
for web access
BIG-IP
Access Policy Manager (APM®) controls basic website access purely based on user-defined URL
categories. This feature is a part of base APM functionality, without requiring an SWG
subscription. The benefits include:
- URL filtering capability for outbound web traffic.
- Monitoring and gating outbound traffic to maximize productivity and meet business needs.
- User identification or authentication (or both) tied to logging, and access control compliance and accountability.
- Visibility into SSL traffic.
- Reports on blocked requests and all requests. (Reports depend on event logging settings.)
- Ability to interactively request additional authentication for sensitive resources and provide time-limited access to them in subsessions.
- Ability to interactively request confirmation before allowing or blocking access to resources that might not, in all instances, provide benefit to the business. Confirmation and access take place in a subsession with its own lifetime and timeout values.
Secure Web Gateway
subscription benefits
A BIG-IP Access Policy Manager (APM) with a Secure Web Gateway (SWG)
subscription provides these benefits over those supplied by APM alone:
- A database with over 150 predefined URL categories and 60 million URLs.
- A service that regularly updates the URL database as new threats and URLs are identified.
- Identification of malicious content and the means to block it.
- Web application controls for application types, such as social networking and Internet communication in corporate environments.
- Support for Safe Search, a search engine feature that can prevent offensive content and images from showing up in search results.
- A dashboard with statistical information about traffic logged by the BIG-IP system for SWG. Graphs, such as Top URLs by Request Count and Top Categories by Blocked Request Count, summarize activities over time and provide access to underlying statistics.
SWG subscription benefits extend these APM benefits:
- URL filtering capability for outbound web traffic.
- Monitoring and gating outbound traffic to maximize productivity and meet business needs.
- User identification or authentication (or both) tied to logging, and access control compliance and accountability.
- Visibility into SSL traffic.
- Reports on blocked requests and all requests. (Reports depend on event logging settings.)
- Ability to interactively request additional authentication for sensitive resources and provide time-limited access to them in subsessions.
- Ability to interactively request confirmation before allowing or blocking access to resources that might not, in all instances, provide benefit to the business. Confirmation and access take place in a subsession with its own lifetime and timeout values.
What happens when the
Secure Web Gateway subscription expires?
Secure Web Gateway (SWG) subscriptions expire periodically depending on the subscription length
your company purchased. The system displays a warning message when the subscription is about to
expire. If you fail to renew the subscription, your organization will lose access to SWG
functionality, including category lookup within the Forcepoint URL database, request analytics,
and response analytics. Depending on how the per-request policies implementing SWG are
configured, requests to access the Internet through the forward proxy may fail.
If the SWG subscription expires and
Reset on Failure
is enabled in the Category
lookup/Analytics agents, a TCP reset occurs whenever the category lookup fails. Clients receive
no response from the server in this case and requests fail. You can configure a per-request
policy to branch on failure and specify what you want to happen (such as Allow, Reject, or
specify another path). For maximum protection, it is recommended that you renew the SWG
subscription before it expires.About the URL database URL categories
The URL database is available
only on a BIG-IP-APM system with an SWG subscription.
The Secure Web Gateway URL database supplies over 150 URL categories and identifies over 60
million URLs that fit within these categories. In addition, you can create custom categories if
needed and add URLs to any category, custom or otherwise. You can also use custom categories to
define blacklists and whitelists.
About user-defined URL categories
Without a URL database, an administrator tasked with treating only a few
URLs differently can specify criteria for matching those few URLs in a simple
URL Branching
action in a per-request policy. An
administrator who must categorize and filter a large number of URLs can, however, do this using
Access Policy Manager (APM) user-defined URL categories. About APM session management cookies and
forward proxy
When Access Policy Manager (APM®) acts as a forward
proxy, APM does not use session management cookies. If presented with an APM session management
cookie while acting as a forward proxy, APM ignores the cookie.
