If your network environment does not allow direct HTTP or HTTPS communication with the Internet through a firewall from the secure location in which the Grid Master or standalone appliance resides, you can configure your appliance to use a proxy server so you can receive automatic updates, such as threat protection rulesets and threat insight bundles, through this connection. You can also configure a proxy server to perform AWS-related communication, such as using a proxy server as the AWS API Proxy, performing vDiscovery on AWS endpoints, and pulling DNS data from Amazon Route 53. For information about AWS deployments, refer to the Installation Guide for vNIOS for AWS. For information about vDiscovery, see Configuring vDiscovery Jobs.

...

Depending on the updates you want to download, you may need to install the respective licenses in your Grid. For example, to download threat protection ruleset updates, the Grid must have the Threat Protection Update license installed. To download threat insight bundles, you must install the Threat Insight license. When you configure your appliance to obtain periodic ruleset updates, all updates go through the MGMT port on the Grid Master by default. You can, however, delegate this function to a Grid member using a different interface such as LAN1 or LAN2. For information about how to delegate updates to a Grid member and configure the interface, see Configuring Members and Interfaces for Automatic Updates below.
To configure proxy settings for the Grid, complete the following steps:

  1. From the Grid tab, select the Grid Manager tab, and then click Edit -> Grid Properties from the Toolbar.

  2. In the Grid Properties editor, select the Proxy Settings tab -> Basic tab, and complete the following:

    • Use Proxy Server: When you select this checkbox, the appliance uses the connection that has been established with the proxy server to connect to endpoints or download automatic updates, such as threat protection rulesets and threat insight bundles. The reporting member sends API requests to the proxy server for threat details. For more information, see Threat Protection Reports. Similarly, the Grid Master sends API requests to the proxy server for all threat context details. For more information, see Viewing the RPZ Threat Details. This setting applies to the entire Grid. When you clear this checkbox, the appliance does not use the proxy server; however, the configuration will not be affected.

    • Name or IP Address and Port: Enter the name or IP address and port number of the proxy server you plan to use for this connection.

    • HTTPS Proxy Content Inspection: From the drop-down list, select one of the following methods the proxy server uses to inspect packet content. Note that this section does not apply to AWS deployments.

      • None: Select this to use HTTP for the connection. This method does not allow certificate authentication for the proxy server.

      • Allow Deep Packet Inspection: This option is not supported for AWS deployments. To eliminate man-in-the-middle attacks, select this to allow deep packet inspection and information extraction for non-compliant protocols, intrusions, or other criteria that determine whether the packets should be routed to an alternate destination. When you select this, you must click Proxy Server Certificate and navigate to the proxy server certificate to upload it to the Grid, or you must ensure that a trusted chain has been established before the proxy server can perform deep packet inspection. When you have uploaded a certificate, the appliance displays Loaded.

        • Enable Strict Host Name Checking: This option is enabled only when you select Allow Deep Packet Inspection. As part of the SSL handshake process, the appliance verifies that the CN (Common Name) of the public certificate of the proxy server exactly matches the host name of the proxy server.
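
The exact-match rule described for Enable Strict Host Name Checking, as an added illustration in Python (not Infoblox code and not the appliance's implementation), showing which certificate and proxy-name combinations such a rule rejects. The certificate dictionaries are constructed samples in the layout of Python's ssl.SSLSocket.getpeercert(); the host names, the 192.0.2.10 address, the case-insensitive comparison and the rejection of multiple CNs are assumptions.

```python
# Added illustration of an exact CN-to-host-name check; not vendor code.
# Certificate dicts follow the layout of ssl.SSLSocket.getpeercert().

def common_names(peercert):
    """Collect every commonName value from the certificate subject."""
    return [value
            for rdn in peercert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]


def normalize(host):
    # Assumption: DNS names compare case-insensitively and a trailing
    # root dot is ignored.
    return host.strip().rstrip(".").lower()


def strict_cn_check(peercert, proxy_host):
    """Return (ok, reason) for an exact CN-to-host-name comparison."""
    cns = common_names(peercert)
    if not cns:
        return False, "certificate subject has no CN"
    if len(cns) > 1:
        # Assumption: an ambiguous subject is rejected, not guessed at.
        return False, "certificate subject has more than one CN"
    cn = cns[0]
    if normalize(cn) == normalize(proxy_host):
        return True, "CN matches configured proxy name"
    if cn.startswith("*."):
        return False, "wildcard CN is not an exact match"
    return False, f"CN {cn!r} differs from configured name {proxy_host!r}"


# Constructed sample certificates (not real ones).
EXACT = {"subject": ((("organizationName", "Example Corp"),),
                     (("commonName", "proxy.corp.example"),))}
WILDCARD = {"subject": ((("commonName", "*.corp.example"),),)}
SAN_ONLY = {"subject": ((("organizationName", "Example Corp"),),),
            "subjectAltName": (("DNS", "proxy.corp.example"),)}

if __name__ == "__main__":
    for label, cert, host in [
        ("exact", EXACT, "proxy.corp.example"),
        ("configured by IP", EXACT, "192.0.2.10"),
        ("wildcard", WILDCARD, "proxy.corp.example"),
        ("SAN only", SAN_ONLY, "proxy.corp.example"),
    ]:
        print(f"{label}: {strict_cn_check(cert, host)}")
```

Under an exact-match rule, the value entered in Name or IP Address has to be the same name the proxy certificate carries in its CN; a proxy configured by IP address, a wildcard certificate, or a certificate that names the host only in subjectAltName would all fail this comparison.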

...