Understanding Half Proxy Mode: A Comprehensive Guide

01/05/2026


1. Introduction

Half Proxy Mode (also called Semi-Proxy, Partial Interception, or Flow-Through Mode; some vendors loosely call it a "TCP proxy", although that term more often denotes a terminating L4 proxy) is a network mode in which a device intercepts the client connection initially, performs a partial handshake or inspection, and then lets the client and server communicate directly through it for the rest of the session.

The device does NOT create two independent TCP connections like Full Proxy.
Instead, the device:

  • Intercepts SYN packets
  • Validates the client
  • Performs basic security checks
  • Possibly rewrites NAT fields
  • Then becomes a pass-through device

After the initial setup, traffic flows end-to-end, with the middle device enforcing only limited control.


2. High-Level Architecture Diagram

Figure: Half Proxy Mode in a network, showing a single connection between clients, a load balancer, and backend servers.
Client  ─────────────────────────► Half Proxy ─────────────────────────► Server
        TCP Session (single, end-to-end through device)

Key Difference from Full Proxy:
There is only one TCP session, not two.
The proxy does NOT terminate the session; it only intercepts parts of it.


3. Why Is It Called Half Proxy?

Because the device behaves partly like a proxy and partly like a router/firewall:

  • Acts as a proxy during connection initialization
  • Acts as a forwarding device afterwards

Example:
A firewall may inspect the TCP SYN packet (stateful inspection) but will not create an independent TCP session to the server.


4. Detailed Layer-by-Layer Operation

4.1 TCP Layer Behavior (Critical Difference)

Initial Steps: Proxy Intercepts SYN

Client → Half Proxy : SYN
Half Proxy validates the client (ACL, rate limit, NAT/state lookup)

Then the proxy forwards the SYN to the server and relays the rest of the handshake:

Half Proxy → Server : SYN        (client's own ISN, addresses possibly NATed)
Server → Half Proxy : SYN/ACK
Half Proxy → Client : SYN/ACK    (relayed, not generated)
Client → Half Proxy → Server : ACK

Some devices (typically when SYN cookies or SYN-flood protection are enabled) answer the client's SYN with their own SYN/ACK before the server is contacted, and only send the SYN to the server once the client has proved it can complete the handshake. Because the server then chooses its own initial sequence number, the device has to translate sequence/acknowledgement numbers on every subsequent packet for the life of the flow. Whether this step exists depends on the vendor and configuration.

But in both variants there is NO second TCP session.
The device never opens a socket of its own; the handshake is still end-to-end, subject only to the NAT or sequence translation the device applies in passing.


4.2 Data Flow

Once the connection is established, all traffic flows directly through the device:

Client ───data──► Half Proxy ───data──► Server
Client ◄──data─── Half Proxy ◄──data─── Server

The device can:

  • Inspect packets (headers and, for plaintext protocols, visible payload)
  • Apply NAT
  • Apply TCP state and sequence-number validation (drop packets outside the expected sequence window, stray ACKs, or SYNs for existing flows)

But it cannot modify L7 content the way a full proxy can: any change to payload length would shift the sequence space for the rest of the flow, and the device holds no buffered copy of the stream it could rewrite and retransmit.
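The handshake in 4.1 and the sequence validation in 4.2 can be seen in one place with a toy flow table. The code below is an added example, not any vendor's implementation: it models the SYN-cookie variant (the device answers the SYN itself, then replays the client's SYN to the server), computes the per-flow sequence delta once the server's SYN/ACK arrives, and thereafter rewrites the ack number on client-to-server packets and the seq number on server-to-client packets while never opening a socket. The packet model, the `COOKIE_SECRET` value, the state names and the exact in-order sequence check are all simplifications chosen for the example (a real device accepts a window so retransmissions pass).

```python
"""Toy half-proxy flow table (added example, not any vendor's code).
Simplifications: no TCP options or window, exact in-order seq checks,
client data before the server answers is dropped instead of queued."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

MASK = 0xFFFFFFFF
COOKIE_SECRET = b"rotate-me-per-boot"   # assumption: device-local secret


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S", "SA", "A", "FA" ...
    seq: int
    ack: int = 0
    payload: bytes = b""


@dataclass
class Flow:
    state: str
    proxy_isn: int = 0    # ISN the device used in its own SYN/ACK
    delta: int = 0        # server_isn - proxy_isn (mod 2^32)
    client_next: int = 0  # next expected client seq
    server_next: int = 0  # next expected server seq


def syn_cookie(src, sport, dst, dport):
    """ISN derived from the 4-tuple and a secret, so a valid final ACK
    proves the client really completed the handshake."""
    msg = f"{src}:{sport}>{dst}:{dport}".encode()
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


class HalfProxy:
    def __init__(self, allowed_dports, denied_nets=()):
        self.allowed = set(allowed_dports)
        self.denied = [ipaddress.ip_network(n) for n in denied_nets]
        self.flows = {}  # (client_ip, client_port, server_ip, server_port) -> Flow

    def from_client(self, p):
        """Returns (verdict, packet): REPLY = generated by the device and sent
        back toward the sender, FORWARD = relayed (possibly rewritten), DROP."""
        key = (p.src, p.sport, p.dst, p.dport)
        flow = self.flows.get(key)
        if flow is None:
            if p.flags != "S":                    # only a bare SYN creates state
                return "DROP", None
            if p.dport not in self.allowed or any(
                    ipaddress.ip_address(p.src) in n for n in self.denied):
                return "DROP", None               # ACL check on the SYN
            isn = syn_cookie(*key)
            self.flows[key] = Flow("COOKIE_SENT", proxy_isn=isn,
                                   client_next=(p.seq + 1) & MASK)
            # SYN/ACK generated by the device; the server has not been touched
            return "REPLY", Packet(p.dst, p.dport, p.src, p.sport, "SA", isn,
                                   (p.seq + 1) & MASK)
        if flow.state == "COOKIE_SENT":
            if (p.flags != "A" or p.ack != (flow.proxy_isn + 1) & MASK
                    or p.seq != flow.client_next):
                return "DROP", None
            flow.state = "SYN_TO_SERVER"
            # replay the client's SYN with the client's own ISN, so
            # client->server sequence numbers never need translation
            return "FORWARD", Packet(p.src, p.sport, p.dst, p.dport, "S",
                                     (flow.client_next - 1) & MASK)
        if flow.state == "ESTABLISHED":
            if p.seq != flow.client_next:         # sequence validation
                return "DROP", None
            flow.client_next = (flow.client_next + len(p.payload)
                                + ("F" in p.flags)) & MASK
            # client acks in the device's ISN space; shift into the server's
            return "FORWARD", Packet(p.src, p.sport, p.dst, p.dport, p.flags,
                                     p.seq, (p.ack + flow.delta) & MASK,
                                     p.payload)
        return "DROP", None

    def from_server(self, p):
        key = (p.dst, p.dport, p.src, p.sport)
        flow = self.flows.get(key)
        if flow is None:
            return "DROP", None
        if flow.state == "SYN_TO_SERVER":
            if p.flags != "SA" or p.ack != flow.client_next:
                return "DROP", None
            flow.delta = (p.seq - flow.proxy_isn) & MASK
            flow.server_next = (p.seq + 1) & MASK
            flow.state = "ESTABLISHED"
            # the client already sent its ACK; the device completes the
            # server side itself instead of relaying this SYN/ACK
            return "REPLY", Packet(p.dst, p.dport, p.src, p.sport, "A",
                                   flow.client_next, (p.seq + 1) & MASK)
        if flow.state == "ESTABLISHED":
            if p.seq != flow.server_next:
                return "DROP", None
            flow.server_next = (flow.server_next + len(p.payload)
                                + ("F" in p.flags)) & MASK
            # server seq is in its own ISN space; shift into the device's
            return "FORWARD", Packet(p.src, p.sport, p.dst, p.dport, p.flags,
                                     (p.seq - flow.delta) & MASK, p.ack,
                                     p.payload)
        return "DROP", None
```

The point to notice is what the device does not have: no receive buffer, no socket, no copy of the stream. Everything it does to a data packet is an arithmetic rewrite of header fields and a state check, which is exactly why the L7 manipulation of section 4.4 is out of reach.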


4.3 TLS / HTTPS Handling

In Half Proxy mode, the device does not decrypt HTTPS because it does not terminate TLS and holds no key material for the session.

Therefore:

  • No SSL/TLS offloading
  • No SSL/TLS inspection of the payload (a passive or inline device can only read the parts of the handshake that are sent in the clear)
  • No WAF L7 rules on decrypted content
  • Only metadata-based decisions are possible: the ClientHello's SNI, ALPN, offered versions and cipher suites, and fingerprints derived from them. With TLS 1.2 the server certificate is also visible; with TLS 1.3 it is encrypted, and Encrypted Client Hello hides the SNI as well. The SNI is asserted by the client, so it is a hint, not a verified identity.
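The metadata decision above, worked through as an added example that is not part of the original article: a parser for the cleartext part of a TLS ClientHello (SNI, ALPN, supported_versions, cipher suites) and a policy function that allows or denies a flow from that alone. A builder constructs a sample ClientHello so the parser runs offline; the sample host names, the `policy` function and its verdict strings are assumptions made for the example. Fragmentation across TLS records is not handled.

```python
"""Metadata a half proxy can read from a TLS ClientHello without decrypting
anything (added example, not vendor code). Assumes a single TLS record."""
import struct

EXT_SNI, EXT_ALPN, EXT_SUPPORTED_VERSIONS = 0x0000, 0x0010, 0x002B


def _ext(etype, body):
    return struct.pack("!HH", etype, len(body)) + body


def build_client_hello(sni, alpn, versions=(0x0304, 0x0303)):
    """Constructed sample ClientHello (TLS record framing), used as test input."""
    host = sni.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(host)) + host            # type 0 = host_name
    protos = b"".join(struct.pack("!B", len(a)) + a.encode() for a in alpn)
    sv = b"".join(struct.pack("!H", v) for v in versions)
    exts = (_ext(EXT_SNI, struct.pack("!H", len(sni_list)) + sni_list)
            + _ext(EXT_ALPN, struct.pack("!H", len(protos)) + protos)
            + _ext(EXT_SUPPORTED_VERSIONS, struct.pack("!B", len(sv)) + sv))
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32      # legacy_version, random
            + b"\x00"                                      # session_id length 0
            + struct.pack("!H", 4) + b"\x13\x01\x13\x02"   # two TLS 1.3 suites
            + b"\x01\x00"                                  # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(rec):
    """Return the cleartext metadata, or None if this is not a complete ClientHello."""
    if len(rec) < 5 or rec[0] != 0x16:                  # content type: handshake
        return None
    hs = rec[5:5 + struct.unpack("!H", rec[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hlen = int.from_bytes(hs[1:4], "big")
    b = hs[4:4 + hlen]
    if len(b) < hlen:                                    # truncated: needs reassembly
        return None
    info = {"legacy_version": struct.unpack("!H", b[0:2])[0], "cipher_suites": [],
            "sni": None, "alpn": [], "supported_versions": []}
    off = 2 + 32                                         # skip version + random
    off += 1 + b[off]                                    # session_id
    cs_len = struct.unpack("!H", b[off:off + 2])[0]
    off += 2
    info["cipher_suites"] = [struct.unpack("!H", b[i:i + 2])[0]
                             for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + b[off]                                    # compression methods
    if off + 2 > len(b):                                 # no extensions at all
        return info
    end = off + 2 + struct.unpack("!H", b[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", b[off:off + 4])
        body = b[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype == EXT_SNI and len(body) >= 5:
            n = struct.unpack("!H", body[3:5])[0]        # first (and only) host_name
            info["sni"] = body[5:5 + n].decode("ascii", "replace")
        elif etype == EXT_ALPN and len(body) >= 2:
            i = 2
            while i < len(body):
                n = body[i]
                info["alpn"].append(body[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
        elif etype == EXT_SUPPORTED_VERSIONS and len(body) >= 1:
            info["supported_versions"] = [struct.unpack("!H", body[i:i + 2])[0]
                                          for i in range(1, 1 + body[0], 2)]
    return info


def policy(rec, allowed_hosts, min_version=0x0303):
    """Metadata-only verdict of the kind a half proxy can make (hypothetical policy)."""
    info = parse_client_hello(rec)
    if info is None:
        return "DROP"                        # not a ClientHello: cannot classify
    offered = info["supported_versions"] or [info["legacy_version"]]
    if max(offered) < min_version:
        return "DENY_VERSION"
    if info["sni"] not in allowed_hosts:     # client-asserted; absent under ECH
        return "DENY_SNI"
    return "ALLOW"
```

Everything `policy` sees is sent by the client before any key exchange, so a client can lie about the SNI to match an allow-list; a full proxy that terminates TLS would instead see the real request and the certificate it must present. That asymmetry is the practical meaning of "metadata-based decisions only".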

4.4 HTTP Layer

The HTTP request is never terminated on the proxy.
The proxy cannot:

  • Rewrite URLs
  • Rewrite or insert headers
  • Enforce cookie security flags
  • Perform HTTP compression or caching

Only limited L7 inspection is possible: for plaintext HTTP the device can read the request line and headers as the packets pass (header-only inspection), but not change them, since any change in payload length would require resequencing every later packet in the flow, and a request split across packets or pipelined with others must be reassembled before it can even be read reliably.


5. Flowchart – Half Proxy Operational Flow


Below is a text-based, document-ready flowchart:

                ┌──────────────────────────────┐
                │ Client Initiates Connection  │
                └───────────────┬──────────────┘
                                │
                         (1) Half Proxy
                     Intercepts SYN Packet
                                │
                                ▼
                ┌──────────────────────────────┐
                │ Validate State / NAT / ACL   │
                └───────────────┬──────────────┘
                                │
                      Is traffic allowed?
                         ┌──────┴───────┐
                        Yes             No
                         │              │
                         ▼              ▼
                (2) Forward SYN     DROP traffic
                         │
                         ▼
                ┌──────────────────────────────┐
                │ Server Replies SYN/ACK       │
                └───────────────┬──────────────┘
                                │
                                ▼
              (3) Half Proxy relays SYN/ACK, ACK & Data
                                │
                                ▼
                ┌──────────────────────────────┐
                │  Direct End-to-End Session   │
                │  (Proxy is stateful but not  │
                │        terminating)          │
                └──────────────────────────────┘

6. Real-World Example of Half Proxy Mode

Scenario:

A firewall/load balancer sits between clients and backend servers.

Traffic Steps:

  1. Client sends SYN
  2. Half Proxy inspects and validates the SYN
  3. If valid, SYN is forwarded to server
  4. Server responds with SYN/ACK
  5. Proxy passes the SYN/ACK to client
  6. From now on → traffic flows normally through the device

No secondary TCP session.

As a result:

  • Proxy cannot decrypt SSL
  • Proxy cannot modify HTTP content
  • Proxy cannot cache or compress
  • Proxy provides only basic security

7. Benefits of Half Proxy Mode (Technical)

Benefit                                      | Explanation
Low latency                                  | No TCP termination, minimal overhead
Lower CPU usage                              | No TLS decryption, no deep L7 parsing
Higher throughput                            | Device acts closer to a forwarding engine
Simplicity                                   | Less configuration complexity
Better suited for high-bandwidth L4 traffic  | e.g., VoIP, gaming, file transfers

8. Disadvantages (Compared to Full Proxy)

Limitation                        | Explanation
Cannot do SSL offloading          | No TLS termination
Cannot perform full L7 WAF        | Cannot inspect decrypted payload
No per-user session control       | Proxy doesn't own the session
No HTTP header/cookie rewriting   | L7 manipulation not possible
Weaker DDoS protection            | Only L3/L4 mitigation, not full L7
No caching or compression         | No application acceleration
Limited bot mitigation            | Cannot parse or challenge bots

9. Half Proxy vs Full Proxy (Side-by-Side Comparison)

Feature                             | Half Proxy   | Full Proxy
TCP termination                     | ❌ No        | ✔ Yes
Independent server-side connection  | ❌ No        | ✔ Yes
Deep L7 inspection                  | Limited      | Full
SSL decryption                      | ❌ No        | ✔ Yes
HTTP rewriting                      | ❌ No        | ✔ Yes
Caching, compression                | ❌ No        | ✔ Yes
Load balancing intelligence         | Basic        | Advanced
Latency                             | Very Low     | Slightly Higher
CPU usage                           | Low          | High
DDoS protection                     | L3/L4 only   | L3/L4 + L7

10. Where Half Proxy Mode Is Used

Good For:

  • High-speed L4 traffic
  • Firewalls doing basic stateful inspection
  • Simple NAT devices
  • L4-only load balancers

Not Good For:

  • WAF
  • API gateways
  • TLS inspection
  • Advanced load balancing
  • Bot protection
  • Application security

11. Vendors That Support Half Proxy Mode

Firewalls & Security Devices

  • FortiGate (flow-based inspection mode, as opposed to its proxy-based inspection mode)
  • Palo Alto Networks (stream-based App-ID inspection; TCP is not terminated unless SSL decryption is enabled, which turns the firewall into a full proxy for that flow)
  • Cisco ASA (stateful inspection, not a full proxy)
  • Check Point (stateful inspection)

Load Balancers

  • A10 Networks SLB (performance L4 mode)
  • Kemp LoadMaster (L4 mode)
  • F5 BIG-IP (FastL4 profile / Performance (Layer 4) virtual servers)

Note: the NGINX stream module is sometimes listed here, but it terminates the client TCP connection and opens its own connection to the upstream, so it is a full proxy operating at L4, not a half proxy.

WAN Optimizers / Others

  • Silver Peak
  • Riverbed SteelHead (in pass-through mode)

12. Summary

Half Proxy Mode is a semi-intercepting architecture in which a device inspects and relays the TCP handshake, keeping per-flow state, but does not terminate or rebuild the connection.

It offers lower latency, lower resource usage, and high throughput, making it well suited to high-speed L4 traffic. However, it provides only L3/L4 security: no SSL/TLS offloading, no deep inspection, and no application-layer intelligence, which makes it unsuitable for modern web application protection requiring a WAF, TLS inspection, or advanced load balancing.

13. Useful Links

https://www.youtube.com/@sanchitgurukul

Disclaimer: This article may contain information that was accurate at the time of writing but could be outdated now. Please verify details with the latest vendor advisories or contact us at admin@sanchitgurukul.com.
