Operational Defect Database

BugZero found this defect 2620 days ago.

WatchGuard Technologies | kA10H000000g3UMSAY

Connections with WebSocket protocol (RFC6455) fail through HTTP Proxy and HTTPS Proxy with Content Inspection

Last update date:

3/31/2017

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

11.x

11.1.x

11.10.x

11.10

11.10.1

11.10.2

11.10.3

11.10.4

11.10.5

11.10.6

Fixed releases:

v12.10

Description:

Issue

If you use the HTTP proxy or HTTPS proxy with Content Inspection, connections through the proxy that use the WebSocket protocol fail. The proxy action log message includes the reason HTTP Invalid Request-Line Format:

2019-08-29 17:00:00 Deny 10.0.1.25 198.51.100.32 https/tcp 65056 443 1-Trusted0-External ProxyDeny: HTTP Invalid Request-Line format (HTTPS-proxy-00) HTTP-Client.Standard proc_id="http-proxy" rc="595" msg_id="1AFF-0005" proxy_act="HTTP-Client.Standard" line="\x81\x9c\xb4_\x0e\xa8\xe60m\xc3\x946z\x88\xc36z\xc0\x94\x17Z\xe5\x" geo_dst="USA" Traffic

Some interactive websites and web-based applications transmit data with the WebSocket protocol. WebSocket is commonly used for chat, trivia games, educational exercises, and file uploaders. WebSocket is very similar to HTTP/HTTPS and uses the same headers an HTTP/HTTPS request would. Once the connection is established, WebSocket connections freely transmit data between the client and server. The HTTPS proxy is unable to apply content filtering or subscription services to this traffic.
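A triage sketch for the log message above, added here as an example (it is not WatchGuard or BugZero code): it decodes the escaped line= bytes of each denial and checks whether they form a masked WebSocket client frame as defined in RFC 6455, which identifies the destinations that need one of the exceptions. The field layout assumed by the regular expression and the second sample line are constructed for illustration.

```python
import re

# Constructed input: entry 1 is the log message quoted in the Issue text;
# entry 2 is a made-up denial whose logged bytes are not a WebSocket frame.
SAMPLE_LOG = [
    r'2019-08-29 17:00:00 Deny 10.0.1.25 198.51.100.32 https/tcp 65056 443 1-Trusted0-External ProxyDeny: HTTP Invalid Request-Line format (HTTPS-proxy-00) HTTP-Client.Standard proc_id="http-proxy" rc="595" msg_id="1AFF-0005" proxy_act="HTTP-Client.Standard" line="\x81\x9c\xb4_\x0e\xa8\xe60m\xc3\x946z\x88\xc36z\xc0\x94\x17Z\xe5\x" geo_dst="USA" Traffic',
    r'2019-08-29 17:00:05 Deny 10.0.1.26 203.0.113.7 https/tcp 65100 443 1-Trusted0-External ProxyDeny: HTTP Invalid Request-Line format (HTTPS-proxy-00) HTTP-Client.Standard proc_id="http-proxy" rc="595" msg_id="1AFF-0005" proxy_act="HTTP-Client.Standard" line="BOGUS\x0d\x0a" geo_dst="USA" Traffic',
]

# Assumed layout: Deny <src> <dst> <proto> <sport> <dport> ... line="<escaped bytes>"
DENY = re.compile(r'Deny \S+ (\S+) \S+ \d+ (\d+) .*Invalid Request-Line.*?line="([^"]*)"')

def unescape(field):
    """Turn the log's \\xNN escapes back into bytes; drop a truncated trailing escape."""
    field = re.sub(r'\\x[0-9a-fA-F]?$', '', field)
    return b''.join(bytes([int(h, 16)]) if h else c.encode('latin-1')
                    for h, c in re.findall(r'\\x([0-9a-fA-F]{2})|(.)', field))

def websocket_frame(data):
    """Heuristic: frame details if data starts like a masked client frame, else None."""
    if len(data) < 2:
        return None
    b0, b1 = data[0], data[1]
    opcode, masked, length = b0 & 0x0F, bool(b1 & 0x80), b1 & 0x7F
    # Reserved bits must be 0, clients must mask, opcodes 3-7 and 11-15 are undefined.
    if b0 & 0x70 or not masked or opcode not in (0, 1, 2, 8, 9, 10):
        return None
    ext = {126: 2, 127: 8}.get(length, 0)      # size of the extended length field
    if len(data) < 2 + ext + 4:                # need the full 4-byte masking key
        return None
    if ext:
        length = int.from_bytes(data[2:2 + ext], 'big')
    key = data[2 + ext:6 + ext]
    body = data[6 + ext:6 + ext + length]      # the log may hold only a prefix
    preview = bytes(b ^ key[i % 4] for i, b in enumerate(body))
    return {'opcode': opcode, 'length': length, 'preview': preview}

def triage(lines):
    """Return (dst, port, frame) for denials whose logged bytes are a WebSocket frame."""
    hits = []
    for line in lines:
        m = DENY.search(line)
        frame = websocket_frame(unescape(m.group(3))) if m else None
        if frame:
            hits.append((m.group(1), int(m.group(2)), frame))
    return hits

if __name__ == '__main__':
    for dst, port, frame in triage(SAMPLE_LOG):
        print(dst, port, frame)
```

For the quoted log message this reports a text frame (opcode 1) with a declared payload of 28 bytes: the proxy denied it because it tried to read WebSocket frame data as an HTTP request line.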

Workaround/Solution

To allow connections to a specific site or service that requires WebSocket, you can:

(HTTPS only) In the Domain Names section of the HTTPS Proxy configuration, configure a rule for the specific domain to Allow connections. To learn more, see HTTPS-Proxy: Domain Names.

Create a packet filter policy to allow the HTTP or HTTPS connection from your internal network to the specific external host or domain name. If you use a domain name, see About Policies by Domain Name (FQDN).

If you are unsure whether the webpage or web-based application uses WebSocket, consult the web application's help page for firewall requirements. Most web-based applications list the URLs required to use the site. Any URL that begins with wss:// uses WebSocket over SSL.

If no help or firewall requirements are provided, you can use the developer tools in your browser to analyze the URL. Open the developer tools in your browser, then attempt to access the website. When an error occurs, search for wss:// to locate a URL that uses WebSocket.

To learn how to use your web browser developer tools, see:

Chrome: https://developers.google.com/web/tools/chrome-devtools/

Firefox: https://developer.mozilla.org/en-US/docs/Tools

Edge: https://docs.microsoft.com/en-us/microsoft-edge/devtools-guide


Status

Resolved
