Applies To:
Show Versions
BIG-IP APM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Overview: Controlling forward proxy traffic with SWG
With an SWG subscription, when you configure a per-request policy to control forward proxy access using URL categories, the Category Lookup agent can use standard categories (from the URL database) or any custom URL categories that you might have created or both. For non-encrypted traffic, Category Lookup can also be configured to return safe search results to your users. Additional analytics agents are available to scan URL responses for malware and scan URL requests for further filtering.
Task summary
Example policy: Categorize and scan traffic for malware
In this example per-request policy, a Category Lookup item obtains a list of categories and a response web page. If Category Lookup returns a value that specifies the response needs to be scanned to determine the appropriate category, Response Analytics runs.
Response Analytics scans the response for malicious embedded content and passes an analysis to the URL Filter Assign item. URL Filter Assign uses the analysis, if provided, and the specified filter to determine whether to allow the request.

Process of Response Analytics contributing analysis results to URL filter assign
Example policy: URL database category-specific access control
This example uses two standard URL categories, Entertainment and Jobsearch, that are available on a BIG-IP system with an SWG subscription. In this per-request policy example, only recruiters are allowed to access URLs in the job search category. The policy also restricts access to entertainment sites during business hours.

Category-specific access restrictions
Configuring an access policy for forward proxy with SWG
Creating a per-request policy
Configuring a policy to scan for malware and provide safe search
Blocking outgoing social media requests

Adding a per-request policy to the virtual server
To add per-request processing to a configuration, associate the per-request policy with the virtual server.
Virtual server Access Policy settings for forward proxy
F5 recommends multiple virtual servers for configurations where Access Policy Manager® (APM®) acts as an explicit or transparent forward proxy. This table lists forward proxy configurations, the virtual servers recommended for each, and whether an access profile and per-request policy should be specified on the virtual server.
Forward proxy | Recommended virtual servers (by purpose) | Specify access profile? | Specify per-request policy? |
---|---|---|---|
Explicit | Process HTTP traffic | Yes | Yes |
Process HTTPS traffic | Yes | Yes | |
Reject traffic other than HTTP and HTTPS | N/A | N/A | |
Transparent Inline | Process HTTP traffic | Yes | Yes |
Process HTTPS traffic | Only when a captive portal is also included in the configuration | Only when a captive portal is also included in the configuration | |
Forward traffic other than HTTP and HTTPS | N/A | N/A | |
Captive portal | Yes | No | |
Transparent | Process HTTP traffic | Yes | Yes |
Process HTTPS traffic | Only when a captive portal is also included in the configuration | Only when a captive portal is also included in the configuration | |
Captive portal | Yes | No |
About Response Analytics and the order of policy items
The Response Analytics per-request policy item makes an HTTP request and waits for the HTTP response before it completes. As a result to function properly, any policy items that rely on the information in the HTTP request or that attempt to modify the HTTP request must always precede the Response Analytics item. Specifically, the Category Lookup and HTTP Headers items must not follow a Response Analytics item.
About Safe Search and supported search engines
Safe Search is a search engine feature that can prevent offensive content and images from showing up in search results. Safe Search can also protect video searches on Google, Bing, and Yahoo search engines.
Safe Search can be enabled in a per-request policy using the Category Lookup item. Secure Web Gateway (SWG) with Safe Search enabled supports these search engines: Ask, Bing, DuckDuckGo, Google, Lycos, and Yahoo. Some search engines, such as Google and Yahoo, use SSL by default; in this case, Safe Search works only when SWG is configured with SSL forward proxy.