IQ Server and Firewall for Artifactory

Important: Nexus Firewall for Artifactory 2.0 fixes an issue with the 'Repository Name' attribute when viewed from IQ. Please see the "1.x to 2.0 Migration" section below for further details.


The Nexus Firewall for Artifactory plugin uses audit and quarantine features to help protect your development environment from risky or undesirable components. These features use IQ Server policy management to identify unwanted components and, if desired, prevent proxy repositories from serving them.


Requirements to use Nexus Firewall for Artifactory:


  1. Download the latest version of the plugin from here
  2. Extract the contents of the plugin zip file into Artifactory's /plugins directory (see table below). The zip file includes an example configuration file for the plugin and all files necessary for the operation of the plugin.

  3. Rename to to use as a base for your configuration.

    The final folder structure should resemble:

    Artifactory 7.x | Artifactory 6.x
  4. Configure which repositories you would like to enable in the file.


To upgrade to the latest version of the plugin, simply repeat the installation steps above and overwrite the nexusFirewallForArtifactoryPlugin.groovy file and the lib/nexus-iq-artifactory-plugin.jar file. The sample configuration file can be extracted as well, but is not required. Your actual configuration file will be named so there is no danger of overwriting your configuration.

1.x to 2.0 Migration

Nexus Firewall for Artifactory 2.0 fixes an issue in the 1.x series where the 'Repository Manager' column in the 'Repositories' view in IQ displayed a hash value instead of the Repository Manager name.

1.x plugin

2.0 plugin

In order to complete the migration and properly display the repository manager identifier, the following three required steps must be performed:

Ensure a backup of the IQ database is performed as part of this update. See Backing up the IQ Server.

  1. Install Nexus IQ Server 1.104 or higher
  2. Install Nexus Firewall for Artifactory Plugin version 2.0 or higher
  3. Update the file and configure the property

Once these three requirements are completed, the migration will happen automatically on Artifactory startup. If any of the three is not completed, the plugin will continue to work as it did in the 1.x plugin series, where the Repository Manager identifier is shown as a hashed value.


All plugin configuration is done through the When changes are made to this file they can be applied by restarting Artifactory.

# These properties are to configure the connection to the IQ server.
# The values below are example values and should be updated with your own.

# This property identifies this Artifactory instance in the IQ 'Repositories' view

# The URL that users will use to connect to the IQ Server.
# This URL will be prepended to the Application Composition report URI.
# For example,

# Define http proxy settings if applicable

# Define repositories with a 'firewall.repo.' prefix. Possible options are 'quarantine', 'audit',
# and 'disabled'.
# If quarantine is enabled and later disabled, all quarantined components will be made available
# in the repository; those components cannot be re-quarantined.
# firewall.repo.<example-repository-name>=quarantine
# firewall.repo.<other-example-repository-name>=audit
# firewall.repo.<another-example-repository-name>=disabled

The username defined here must exist in IQ and have the "Component Evaluator" role. See Role Management for further information.

The plugin only supports the 'remote' repository type, usually configured as a remote proxy of Maven Central at The 'virtual' repository type is indirectly supported in that if your virtual repository includes a remote repository that has Firewall enabled, then components can be quarantined or audited.

Removing the with the plugin installed will cause all download requests to be denied until the file is restored and Artifactory is restarted.

If quarantine is enabled and later disabled, all currently quarantined components will be made available in the repository; those components cannot be re-quarantined.
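
The warning above is easy to miss during a routine configuration edit. The following Python check is an added example, not part of the plugin or the original page: it compares the firewall.repo.* entries of the current and the proposed configuration and lists repositories that would leave quarantine mode. The repository names are constructed, and treating a change to 'audit' or a deleted line as leaving quarantine is an assumption; the page only describes the 'disabled' case.

```python
# Added example: review firewall.repo.* mode changes before restarting Artifactory.
VALID_MODES = {"quarantine", "audit", "disabled"}   # the options listed on this page
PREFIX = "firewall.repo."


def parse_repo_modes(text):
    """Return {repository name: mode} for every firewall.repo.* property.

    Simplification: only 'key=value' lines are handled, not the ':' or
    whitespace separators that Java properties files also allow.
    """
    modes = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or properties comment
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key.startswith(PREFIX):
            continue                         # connection/proxy settings etc.
        name = key[len(PREFIX):]
        if value not in VALID_MODES:
            raise ValueError(f"{name}: unknown mode {value!r}")
        modes[name] = value
    return modes


def review_change(old_text, new_text):
    """List (repository, new state) for repositories that leave quarantine mode."""
    old, new = parse_repo_modes(old_text), parse_repo_modes(new_text)
    findings = []
    for name, mode in sorted(old.items()):
        after = new.get(name)                # None: the line was deleted
        # Assumption: anything other than 'quarantine' counts as leaving it.
        if mode == "quarantine" and after != "quarantine":
            findings.append((name, after or "removed"))
    return findings


# Constructed sample input; the repository names are made up.
CURRENT = """\
# connection properties omitted
firewall.repo.maven-central-proxy=quarantine
firewall.repo.npm-proxy=audit
"""
PROPOSED = """\
firewall.repo.maven-central-proxy=audit
firewall.repo.npm-proxy=quarantine
"""

if __name__ == "__main__":
    for repo, after in review_change(CURRENT, PROPOSED):
        print(f"{repo}: quarantine -> {after}; review before restarting")
```
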

Using an HTTP Proxy for Outbound Traffic

If your Artifactory instance needs to reach IQ Server via an HTTP proxy server, use the following configuration options.

# The host running the proxy server.

# The port which the proxy server listens on.

# The username used to access the proxy server (if necessary).

# The password used to access the proxy server (if necessary).


If your proxy server uses NT LAN Manager (NTLM) authentication, additionally configure the domain and workstation:

# The Windows domain used for authentication
# The name of the local computer running Artifactory


When the plugin is configured and Artifactory is restarted, the following events will take place:

  1. When Artifactory is started, the configuration file will be read and any configured repositories will be enabled in IQ. The enabled repositories can be viewed in IQ in the 'Repositories' view under 'Organization and Policies'.
  2. The Firewall quarantine feature only applies to new components that are added after quarantine is enabled. When a new component violates policy, Firewall prevents it from being served from the remote repository.
  3. When repositories are enabled in audit mode, new components added to remote repositories are evaluated against IQ policy. This information is then included in the repository results.

Reviewing Results

Every repository that has Firewall enabled will receive its own Application Composition report URL. To obtain this URL, make the following call to the Artifactory server:

curl -u yourusername:yourpassword ""

In the above example you will need to substitute your appropriate username, password, Artifactory URL, and virtual repository name.

The result is a JSON response with details on the repository:


The reportUrl is a URL that can be opened in a browser. You will be forwarded to the static policy report URL, which can be bookmarked for future access.

In addition, each repository enabled for Firewall has a property, firewall.iqRepositoryUrl, that holds a copy-paste URL to the same Application Composition report.

IQ Repository URL property for a repository with Firewall enabled:

About Timestamps

The plugin will only process components which are new to the repository since Firewall was enabled on it. Components that have been served by Artifactory prior to this will always be allowed regardless of their policy status. This is to prevent any existing builds from breaking.


The Nexus Firewall for Artifactory plugin ships with some basic informative logging by default, and additional logs are available for debugging if necessary. Specifically, per-component blocking is not logged by default, as this can result in an excessive number of log entries.

Artifactory uses the Logback library for logging. To understand Artifactory logging and how to change what is logged, see the JFrog documentation here: Artifactory Log Files - Configuring Log Verbosity

In order to increase logging for the Firewall plugin, add this section to the logback.xml file:

<logger name="">
    <level value="debug"/>
</logger>


  1. To disable the Nexus Firewall for Artifactory plugin, remove the nexusFirewallForArtifactoryPlugin.groovy file from the plugins directory. Depending on your Artifactory license or version, you might have to restart the Artifactory server for this change to take effect.

    Artifactory 7.x | Artifactory 6.x

  2. After you have confirmed that the plugin is no longer active (see logging above), you can optionally clean up files that are no longer used.
    1. Remove the backup files created by Artifactory: nexusFirewallForArtifactoryPlugin.groov?~ and firewall.propertie?~ (where ? is a character used to indicate the version of the config file)
    2. Remove the lib/nexus-iq-artifactory-plugin.jar file
  3. Attributes on repository objects created by Nexus Firewall for Artifactory are safe to delete. All attributes the Firewall for Artifactory plugin creates use the prefix firewall. The screenshot below shows a typical example of firewall repository attributes in Artifactory:

Release notes





  • Fixed issue with 'Repository Manager' name in the 'Repositories' view in IQ. See the "1.x to 2.0 Migration" section for more information.



  • Ability to re-quarantine a component



  • Fixed CSRF issue with IQ URL



  • Audit the entire repository when enabled

  • Improved how to access the IQ policy report URL

  • Improved IQ connection handling

  • More graceful handling if the configuration file goes missing

  • Fixed issue when using a web application path



  • Added support for proxies

  • Improved IQ summary report URL

  • Allow readers to access the Evaluation Summary



  • Initial release

Known Limitations

  • The plugin is currently untested on highly available (HA) environments