Articles Tagged ‘Reporting’

GFI WebMonitor Installation: Gateway / Proxy Mode, Upgrades, Supported O/S & Architectures (32/64bit)

GFI WebMonitor is an award-winning gateway monitoring and internet access control solution designed to help organizations deal with user internet traffic, monitor and control bandwidth consumption, protect computers from internet malware/viruses and other internet-based threats, plus much more. GFI WebMonitor supports two different installation modes: Gateway mode and Simple Proxy mode. We’ll look into each mode and help administrators and engineers understand which is best, along with the prerequisites and caveats of each mode.

Proxy vs Gateway Mode

Proxy mode, also named Simple Proxy mode, is the simplest way to install GFI WebMonitor. You can deploy this on any computer that has access to the internet. In Simple Proxy mode, all client web-browser traffic (HTTP/HTTPS) is directed through GFI WebMonitor. To enable this type of setup, you will need an internet-facing router that can forward traffic and block ports.

With GFI WebMonitor functioning in Simple Proxy mode, each client machine must also be configured to use the server as a web proxy for HTTP and HTTPS protocols. GFI WebMonitor comes with built-in Web Proxy Auto-Discovery (WPAD) server functionality that makes the process easy - simply enable automatic discovery of proxy server for each of your client machines and they should automatically find and use WebMonitor as a proxy. In case of a domain environment, it is best to regulate this setting using a Group Policy Object (GPO).

When WebMonitor is configured to function in Internet Gateway mode, all inbound and outbound client traffic will pass through GFI WebMonitor, irrespective of whether the traffic is HTTP or non-HTTP. With Internet Gateway mode, the client browser does not need to point to any specific proxy – all that’s required is to enable the Transparent Proxy function in GFI WebMonitor.

Supported OS & Architectures

Whether functioning as a gateway or a web proxy, GFI WebMonitor processes all web traffic. For smooth operation, the server must therefore be capable of handling all the requests made every day. For a small environment (10-20 nodes), for instance, a minimum of a 2 GHz processor and 4 GB RAM with a 32-bit Windows operating system architecture will suffice.

Larger environments, such as those running the Windows Server operating system on a minimum of 8 GB RAM and a multi-core CPU, will require the 64-bit architecture. GFI WebMonitor works with both 32-bit and 64-bit Windows operating system architectures, starting from Windows 2003 and Windows Vista.

Installation and Upgrading

When installing for the first time, GFI WebMonitor starts by detecting its prerequisites. If the business is already using GFI WebMonitor, the process determines the prerequisites according to the older product instance. If the installation kit encounters an older instance, it imports the previous settings and redeploys them after completing the installation.

Whether installing for the first time or upgrading an older installation, the installation kit looks for any setup prerequisites necessary and installs them automatically. However, some prerequisites may require user interaction and these will come up as separate installation processes with their own user interfaces.

Installing GFI WebMonitor

As with all GFI products, installation is a very easy follow-the-bouncing-ball process. Once the download of GFI WebMonitor is complete, execute the installer using an account with administrative privileges.

If WebMonitor has been recently downloaded, you can safely skip the newer build check. When ready, click Next to proceed:

Figure 1. Optional check for a new WebMonitor edition during installation

Palo Alto Firewall Application-based Policy Enforcement (App-ID), User Identification (User-ID) and Application Control Centre (ACC) Features for Enterprise Networks

Our previous article examined the benefits of the Palo Alto Networks Firewall Single Pass Parallel Processing (SP3) architecture and how it combines with the separate Data and Control planes to boost firewall performance and handle large amounts of traffic without any performance impact. This article focuses on the traffic flow logic inside the Palo Alto Firewall and two unique features that separate it from the competition: Application-based policy enforcement (App-ID) & User Identification (User-ID).

Flow Logic of the Next-Generation Firewall

The diagram below is a simplified version of the flow logic of a packet travelling through a Palo Alto Networks Next-Generation Firewall, and it can always be used as a reference to study the packet processing sequence:

Figure 1. Flow Logic of a packet inside the Palo Alto Networks Next Generation Firewall

Palo Alto Networks Next-Generation Firewalls work with the concept of zones, not interfaces. Once a packet enters the firewall, the Palo Alto Networks Next-Generation Firewall identifies from which zone the packet came and where it is destined to go. This is similar to Cisco IOS Routers Zone-based Firewalls and Cisco ASA Firewalls.

Interested users can also download for free the Palo Alto Networks document “Day in the Life of a Packet”, found in our Palo Alto Networks Download section, which explains in great detail the packet flow sequence inside the Palo Alto Networks Firewall.

App-ID & User-ID – Features That Set Palo Alto Apart from the Competition

App-ID and User-ID are two really interesting features not found on most competitors’ firewalls and really help set Palo Alto Networks apart from the competition. Let’s take a look at what App-ID and User-ID are and how they help protect the enterprise network.

App-ID: Application-based Policy Enforcement

App-ID is the biggest asset of Palo Alto Networks Next-Generation Firewalls. Traditional firewalls block traffic based on protocol and/or ports, which years ago seemed to be the best way of securing the network perimeter. Today this approach is inadequate, as applications (including SSL VPNs) can easily bypass a port-based firewall by hopping between ports or by using well-known ports such as tcp-http (80) or tcp/udp-dns (53) that are normally found open.

A traditional firewall that allows the usage of TCP/UDP port 53 for DNS lookups will allow any application using that port to pass through without asking any questions. This means that any application can use port 53 to send/receive traffic, including evasive applications like BitTorrent for P2P file sharing, which is quite dangerous:

Figure 2. Palo Alto Network’s App-ID effectively blocks unwanted BitTorrent traffic

With App-ID, Palo Alto Networks Next-Generation Firewalls use multiple identification mechanisms to determine the exact identity of applications traversing the network. Following is the order in which traffic is examined and classified:
