Seeing CONNECT transaction in proxy policy trace not getting denied.

Article ID: 263505

Updated On:

Products

ISG Proxy ProxySG Software - SGOS

Issue/Introduction

The default proxy policy is 'Deny'.

There is no rule or policy to allow the HTTP CONNECT method.

The policy trace shows the HTTP CONNECT method being allowed, as in the transaction below.

<Proxy>
...
CONNECT tcp://www.example.com:443/
...
verdict: ALLOWED

Cause

The proxy policy has no rule that explicitly denies the HTTP CONNECT method, and the default 'Deny' does not stop it. If a specific rule denies it, the verdict is 'DENIED', as shown in the policy trace below.

<Proxy>
MATCH:         DENY http.method=CONNECT
...
CONNECT tcp://www.example.com:443/
...
verdict: DENIED: Either 'deny' or 'exception' was matched in policy

The document below further confirms how the proxy handles the CONNECT method: by default, it is allowed.

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/edge-swg/7-3/about-ssl-proxy/ssl-proxy-troubleshooting-intro/process-connect-method.html
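As an added example (not from this article or from Broadcom), a small Python checker that parses policy-trace excerpts like the two above and reports CONNECT transactions that ended ALLOWED without any MATCH line, i.e. the tunnels the default 'Deny' did not cover. The transaction layout (a `<Proxy>` header, optional MATCH lines, the request line, then the verdict line) is assumed from the excerpts on this page, and the sample traces are constructed.

```python
import re
from dataclasses import dataclass, field
# Constructed sample excerpts, modelled on the two transactions quoted in the article.
TRACE_ALLOWED = """\
<Proxy>
...
CONNECT tcp://www.example.com:443/
verdict: ALLOWED
"""
TRACE_DENIED = """\
<Proxy>
MATCH:         DENY http.method=CONNECT
CONNECT tcp://www.example.com:443/
verdict: DENIED: Either 'deny' or 'exception' was matched in policy
"""

@dataclass
class Transaction:
    method: str = ""
    url: str = ""
    verdict: str = ""
    matches: list = field(default_factory=list)  # rules the trace reported as MATCH

MATCH_RE = re.compile(r"^MATCH:\s+(?P<rule>.+?)\s*$")
VERDICT_RE = re.compile(r"^verdict:\s*(?P<verdict>[A-Z]+)")
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<url>\S+)$")

def parse_trace(text: str) -> list:
    """Assumed layout: each '<Proxy>' header starts a transaction, followed by optional
    MATCH lines, the request line and the verdict line; other lines ('...') are ignored."""
    txns, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "<Proxy>":
            cur = Transaction()
            txns.append(cur)
        elif cur is None:
            continue  # text before the first layer header
        elif m := MATCH_RE.match(line):
            cur.matches.append(m.group("rule"))
        elif m := VERDICT_RE.match(line):
            cur.verdict = m.group("verdict")
        elif m := REQUEST_RE.match(line):
            cur.method, cur.url = m.group("method"), m.group("url")
    return txns

def implicit_connect_allows(text: str) -> list:
    """CONNECT transactions allowed with no rule matched: what an explicit http.method=CONNECT rule would catch."""
    return [t for t in parse_trace(text)
            if t.method == "CONNECT" and t.verdict == "ALLOWED" and not t.matches]
```

Run it over a saved policy trace to list the CONNECT tunnels that only passed because no rule addressed them.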

Resolution

This is expected behavior, by design, due to how the proxy handles the HTTP CONNECT method.