ProxySG is sending outbound HTTP POST request while inbound client request is denied by policy

book

Article ID: 167622

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

This is scenario where ProxySG , ASG , SWGVA makes a POST requests which is visible on firewall or on the default Gateway. But as per the policy (VPM/CPL) setup incoming client request matches with a  deny rule and the client request was denied successfully. 

Cause

ProxySG will show this kind of behavior under following conditions.

  1. There is rule in either VPM or CPL files, which involves a condition based on “response.header“ (i.e response.header.Content-Type="^application/pdf( | )*($|;)" – this checks for PDF MIME type )  
  2. According to policy file order or by rule order, “ response.header“ rules is getting evaluated before the deny rule (matched for this transaction). A policy trace will indicate this result.

If both of these conditions are satisfied proxySG will make the outbound POST request to evaluate the response against that “response.header” object. As those objects also has a probability to get  match as well . proxySG will not be able to evaluate a “response.header” rule until it makes the actual outbound POST request.

A packet capture in proxySG will appear as below 
 

As it shows the post request came from client (10.167.0.138) to proxySG (10.169.3.139) was denied with a HTTP response 403 forbidden message. But ProxySG made the outbound request to OCS (50.19.220.67).

Information on policy evaluation order can be found here TECH242493

Resolution

To make sure proxySG is not showing this kind of behavior (leaking POST request when its being denied in policy) following steps can be performed

  1. If the deny rule and "response.header" are in different layers or different policy files (VPM / CPL) , those needs to merged into the same policy file and under same layer for VPM or under same tag for CPL (i.e )
  2. According to rule ordering the deny rule should come first then the "response.header" rule should be placed.

By this policy evaluation order will be changed and proxySG will stop making outbound POST when the explicit deny rule matches. Also it will function properly for "response.header" rule as it should. 

Note- Solution explained above only applicable for SGOS 6.5.x If the SGOS version is 6.6.5.x or 6.7.x or higher also this can also be avoided with the use of "Web Request Layer"  . More details can be found here TECH246261

.

Attachments