Tunneled traffic using CONNECT is allowed when the destination port is not 443
Article ID: 167034
Updated On:
Products
ProxySG Software - SGOS
Issue/Introduction
Tunneled traffic using CONNECT request is allowed when the destination port is not 443. The traffic should be blocked if the destination port is not 443.
Resolution
If there is no matching policy in the Visual Policy Manager (VPM) or in the Local policy file, the ProxySG appliance enforces the default policy. For security reasons, whether the default policy is Deny or Allow, the appliance does not allow CONNECT on ports other than 443.
If a matching policy rule exists in the VPM or Local policy file, the matching policy overrides the default policy action and changes the default behavior. If the configured policy rule allows the transaction, non-SSL traffic on ports other than 443 are allowed.
To avoid this issue, add the following CPL code in your local policy file.
<Proxy> ;if url port is not 443 AND if the non-standard SSL port is not allowed, then denyDENY http.method=CONNECT url.port=!443 detect_protocol(none)
To allow certain non-standard SSL tcp ports, add an exception condition.
<Proxy> ;if url port is not 443 AND if the non-standard SSL port is not in allowed list, then denyDENY condition=!Allowed_non-standard_SSLport http.method=CONNECT url.port=!443 detect_protocol(none)
define condition Allowed_non-standard_SSLporturl.domain=host1.domain1.tld url.port=1234url.domain=host2.domain2.tld url.port=2345end
Feedback
Yes
No
Powered by
