Tunneled traffic sent with an HTTP CONNECT request is allowed when the destination port is not 443. Such traffic should be blocked whenever the destination port is not 443.
If no policy in the Visual Policy Manager (VPM) or in the local policy file matches the request, the ProxySG appliance enforces the default policy. For security reasons, whether the default policy is Deny or Allow, the appliance does not allow CONNECT on ports other than 443.
<Proxy> ;if url port is not 443 AND if the non-standard SSL port is not allowed, then deny
DENY http.method=CONNECT url.port=!443 detect_protocol(none)
<Proxy> ;if url port is not 443 AND if the non-standard SSL port is not in allowed list, then deny
DENY condition=!Allowed_non-standard_SSLport http.method=CONNECT url.port=!443 detect_protocol(none)
define condition Allowed_non-standard_SSLport
url.domain=host1.domain1.tld url.port=1234
url.domain=host2.domain2.tld url.port=2345
end
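The following Python script is an added example, not ProxySG code and not part of the original article. It models how the two <Proxy> rules above decide a CONNECT request, reproducing the CPL matching semantics these rules rely on: the tests on one rule line are ANDed, each line inside a `define condition` block is a separate alternative (the block matches when any line matches), and `url.domain=` matches the named domain and any subdomain of it. The `Request` type, the function names and the sample CONNECT targets are constructed here for illustration; they are not appliance APIs.

```python
"""Added model (not ProxySG code) of the two <Proxy> rules that deny CONNECT
on ports other than 443, with and without the Allowed_non-standard_SSLport
allow-list.  Sample requests below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Request:
    method: str
    host: str   # hostname from the CONNECT target
    port: int   # port from the CONNECT target


# Mirrors `define condition Allowed_non-standard_SSLport` on the page:
# one (domain, port) pair per line of the block.
ALLOWED_NON_STANDARD_SSL_PORT = (
    ("host1.domain1.tld", 1234),
    ("host2.domain2.tld", 2345),
)


def url_domain_matches(host: str, domain: str) -> bool:
    """CPL url.domain=: true for the domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def allowed_non_standard_ssl_port(req: Request) -> bool:
    """The condition block matches if any of its lines matches; the two tests
    on a line (url.domain= and url.port=) must both hold."""
    return any(url_domain_matches(req.host, domain) and req.port == port
               for domain, port in ALLOWED_NON_STANDARD_SSL_PORT)


def deny_all_non_443(req: Request) -> Optional[str]:
    """First rule on the page:
    DENY http.method=CONNECT url.port=!443 detect_protocol(none)
    Returns "DENY" when the rule fires, None when it does not match."""
    if req.method == "CONNECT" and req.port != 443:
        return "DENY"
    return None


def deny_non_443_unless_allowed(req: Request) -> Optional[str]:
    """Second rule on the page, which adds
    condition=!Allowed_non-standard_SSLport to the same tests."""
    if (not allowed_non_standard_ssl_port(req)
            and req.method == "CONNECT" and req.port != 443):
        return "DENY"
    return None


def decide(req: Request,
           rule: Callable[[Request], Optional[str]],
           default_policy: str = "ALLOW") -> str:
    """Evaluate one rule; a request the rule does not match falls through to
    the default policy, which the article says may be Deny or Allow."""
    return rule(req) or default_policy


if __name__ == "__main__":
    samples = [  # constructed sample CONNECT targets
        Request("CONNECT", "host1.domain1.tld", 1234),
        Request("CONNECT", "host1.domain1.tld", 8443),
        Request("CONNECT", "sub.host2.domain2.tld", 2345),
        Request("CONNECT", "other.tld", 443),
        Request("GET", "other.tld", 8080),
    ]
    for r in samples:
        print(f"{r.method} {r.host}:{r.port:<5} "
              f"rule1={decide(r, deny_all_non_443)} "
              f"rule2={decide(r, deny_non_443_unless_allowed)}")
```

Running the script prints, for each constructed request, the outcome under the plain deny rule and under the allow-list variant. Two details worth checking against your own list: an entry such as `url.domain=host1.domain1.tld url.port=1234` also admits subdomains of host1.domain1.tld on that port, and a listed host on a port other than the one listed is still denied.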