This is scenario where ProxySG , ASG , SWGVA makes a POST requests which is visible on firewall or on the default Gateway. But as per the policy (VPM/CPL) setup incoming client request matches with a deny rule and the client request was denied successfully.
ProxySG will show this kind of behavior under following conditions.
There is rule in either VPM or CPL files, which involves a condition based on “response.header“ (i.e response.header.Content-Type="^application/pdf( | )*($|;)" – this checks for PDF MIME type )
According to policy file order or by rule order, “ response.header“ rules is getting evaluated before the deny rule (matched for this transaction). A policy trace will indicate this result.
If both of these conditions are satisfied proxySG will make the outbound POST request to evaluate the response against that “response.header” object. As those objects also has a probability to get match as well . proxySG will not be able to evaluate a “response.header” rule until it makes the actual outbound POST request.
A packet capture in proxySG will appear as below
As it shows the post request came from client (10.167.0.138) to proxySG (10.169.3.139) was denied with a HTTP response 403 forbidden message. But ProxySG made the outbound request to OCS (126.96.36.199).
Information on policy evaluation order can be found here TECH242493
To make sure proxySG is not showing this kind of behavior (leaking POST request when its being denied in policy) following steps can be performed
If the deny rule and "response.header" are in different layers or different policy files (VPM / CPL) , those needs to merged into the same policy file and under same layer for VPM or under same tag for CPL (i.e
According to rule ordering the deny rule should come first then the "response.header" rule should be placed.
By this policy evaluation order will be changed and proxySG will stop making outbound POST when the explicit deny rule matches. Also it will function properly for "response.header" rule as it should.
Note- Solution explained above only applicable for SGOS 6.5.x If the SGOS version is 6.6.5.x or 6.7.x or higher also this can also be avoided with the use of "Web Request Layer" . More details can be found here TECH246261
Imported Document ID: 000016631
Subscribing will provide email updates when this Article is updated. Login is required.