Issue: Clients on Windows and macOS use the WSS Agent to reach internet sites via Cloud SWG.
The WSS Agent is configured to forward only traffic destined for TCP ports 80, 443, 8080 and 8443 into Cloud SWG.
The SOC identified web connections on non-standard TCP ports, confirmed by running reports in the Portal.
How can the WSS Agent send traffic for TCP ports outside those it is configured to forward, and how can this be avoided?
Environment: Cloud SWG, PFMS.
Cause: PAC files are enabled on the browsers and send traffic to 199.19.250.205:80. With this setup every web request generated by the browser leaves the client as an explicit proxy request over TCP port 80, regardless of the port in the original URL. A request for a non-standard port (for example a CONNECT to host:9443) is tunneled inside that TCP 80 connection, so it passes the Agent's port filter and is forwarded into Cloud SWG like any other port 80 request.
Resolution: Modify the PAC file pushed out to the Agents so that it ONLY forwards traffic for the standard TCP ports into 199.19.250.205:80 and returns DIRECT for everything else (which means the request is blocked rather than proxied).
The following logic checks for http and https requests to hosts with destination TCP ports of 80, 443, 8080 and 8443, for URLs with or without an explicit port and with or without a path, before either sending them into Cloud SWG or returning DIRECT. Because the browser passes host to the PAC function without the port, the port has to be read from url, which is why the patterns are matched against the full URL rather than against host.
function FindProxyForURL(url, host)
{
    // Only http and https are candidates for Cloud SWG; anything else goes DIRECT.
    if (url.substring(0, 5) === 'http:' || url.substring(0, 6) === 'https:')
    {
        // Match the explicit standard ports, or no port at all (default 80/443).
        // Each pattern ends in "/*" so that URLs carrying a path also match.
        if (shExpMatch(url, "*://" + host + ":8443/*") ||
            shExpMatch(url, "*://" + host + ":8080/*") ||
            shExpMatch(url, "*://" + host + ":443/*") ||
            shExpMatch(url, "*://" + host + ":80/*") ||
            shExpMatch(url, "*://" + host + "/*"))
            return "PROXY ep.threatpulse.net:80";
    }
    // Non-standard ports and non-http(s) schemes are not sent to the proxy.
    return "DIRECT";
}
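The same logic can be exercised offline before it is pushed out. The harness below is an added example and is not part of the original article or the Cloud SWG product; it supplies a minimal shExpMatch() (Node.js has none), wraps the FindProxyForURL() from above, and runs it over constructed url/host pairs. The hostnames and ports in the test table are invented for illustration. Chromium-based browsers hand https URLs to the PAC with the path stripped, which the https cases mimic.

```javascript
// Added test harness for the PAC logic above (example code, not from the article).
// Node.js has no shExpMatch(); this minimal version mirrors the PAC helper:
// '*' matches any run of characters, '?' one character, everything else is literal.
function shExpMatch(str, shexp) {
  const re = "^" + shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")   // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// The PAC logic from the article, with the port patterns terminated by '*'
// so that URLs carrying a path are matched as well.
function FindProxyForURL(url, host) {
  if (url.substring(0, 5) === "http:" || url.substring(0, 6) === "https:") {
    if (shExpMatch(url, "*://" + host + ":8443/*") ||
        shExpMatch(url, "*://" + host + ":8080/*") ||
        shExpMatch(url, "*://" + host + ":443/*") ||
        shExpMatch(url, "*://" + host + ":80/*") ||
        shExpMatch(url, "*://" + host + "/*")) {
      return "PROXY ep.threatpulse.net:80";
    }
  }
  return "DIRECT";
}

// Constructed (url, host, expected) triples; hostnames are examples only.
// https entries are written as the browser would pass them (path stripped).
const PROXY = "PROXY ep.threatpulse.net:80";
const CASES = [
  ["http://www.example.com/index.html",   "www.example.com", PROXY],
  ["https://www.example.com/",            "www.example.com", PROXY],
  ["http://www.example.com:8080/api/v1",  "www.example.com", PROXY],
  ["https://www.example.com:8443/",       "www.example.com", PROXY],
  ["https://www.example.com:9443/",       "www.example.com", "DIRECT"], // non-standard port
  ["http://www.example.com:8000/admin",   "www.example.com", "DIRECT"], // non-standard port
  ["ftp://ftp.example.com/pub/",          "ftp.example.com", "DIRECT"], // not http(s)
];

// Runs every case through the PAC function and returns the list of mismatches
// (empty when the PAC behaves as intended).
function runPacTests(cases = CASES) {
  const failures = [];
  for (const [url, host, expected] of cases) {
    const got = FindProxyForURL(url, host);
    if (got !== expected) failures.push({ url, host, expected, got });
  }
  return failures;
}

// Stand-alone run: print the verdict.
const failures = runPacTests();
console.log(failures.length === 0 ? "PAC logic OK" : failures);
```

Add the hosts and ports seen in the SOC report to CASES; each non-standard port should come back as DIRECT and each standard port as the Cloud SWG proxy string. Note that this only validates the PAC logic: an application that ignores the browser proxy settings and talks to the proxy on port 80 directly is not covered by this check.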
Online PAC file validation tools can be used to check the logic before pushing it out to browsers; such tools include https://thorsen.pm/proxyforurl and https://pactester.brdbnt.com/.