The purpose of this article is to explain some of the vulnerabilities found when running the Qualys vulnerability scanner against an Edge SWG (ProxySG).
This is not a vulnerability; it is expected behavior. Refer to this Security Advisory for more information:
SA29: ProxySG in transparent deployments intercepting HTTP/HTTPS traffic
A proxy server handles several kinds of protocols, some of which are tunneled through the proxy using the HTTP CONNECT method. HTTPS is the typical example: through an explicit proxy, the browser uses the CONNECT method to reach an HTTPS website. CONNECT therefore cannot be denied blindly.
Refer to this article for more information:
SA20: Denial of CONNECT Request May Be Ignored
This vulnerability is covered in the following Security Advisory:
This is related to vulnerability CVE-2011-3389.
A possible workaround is to enable only TLS 1.1 and 1.2 in the ProxySG (Edge SWG) default device profile. However, because some sites support only TLS 1.0, this may be undesirable.
The CONNECT vulnerability is most likely being reported because the proxy responds with a "200 OK". When protocol detection is enabled on the SG, it responds with "200 OK" to all CONNECT requests, but it does not actually open a connection to the upstream server unless the client sends the start of an SSL handshake. Attempts to tunnel non-SSL data over CONNECT are denied by default. This is just a false positive.
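The flow described above can be modelled to show why a scanner that stops at the "200 OK" over-reports. This is an added example, not the appliance's actual detection logic: the function names and sample payloads are constructed, and it assumes detection keys on an SSLv3/TLS record header carrying a ClientHello.

```python
import struct

TLS_HANDSHAKE = 0x16     # TLS record content type: handshake
CLIENT_HELLO = 0x01      # handshake message type: ClientHello
MAX_RECORD_LEN = 2**14   # maximum TLS plaintext record length


def is_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the bytes start an SSLv3/TLS record carrying a ClientHello."""
    if len(first_bytes) < 6:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    return (
        ctype == TLS_HANDSHAKE
        and major == 0x03 and minor <= 0x04
        and 0 < length <= MAX_RECORD_LEN
        and first_bytes[5] == CLIENT_HELLO
    )


def handle_connect(first_bytes: bytes) -> dict:
    """Hypothetical model: 200 OK is always sent, upstream opens only for TLS."""
    opened = is_tls_client_hello(first_bytes)
    return {
        "connect_response": "200 OK",   # all the scanner looks at
        "upstream_opened": opened,      # what decides real exposure
        "verdict": "tunnel" if opened else "denied",
    }


# Constructed sample payloads (not captured traffic): the first bytes a
# client sends after receiving the 200 OK.
SAMPLES = {
    "tls_client_hello": bytes.fromhex("16030100c8010000c40303"),
    "plain_http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "ssh_banner": b"SSH-2.0-client\r\n",
    "nothing_sent": b"",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:18} {handle_connect(payload)}")
```

Every sample receives the same CONNECT response; only the ClientHello results in an upstream connection, which is the distinction the scanner does not test.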
This is merely informational. More information can be found here: