FortiOS fails to block malformed HTTP/S traffic when transparent proxy is enabled
Summary
When traffic other than HTTP/S (e.g. SSH traffic) traverses FortiOS on port 80/443, it is not redirected to the transparent proxy policy for processing, because it does not carry a valid HTTP header.
Affected Products
The issue is observed only when traffic is redirected to a transparent proxy policy.
FortiOS versions 6.4.2 and below.
FortiOS versions 6.2.5 and below.
Solutions
Please upgrade to FortiOS version 6.4.3 or above.
Workaround:
To block invalid HTTP traffic on port 80, disable the tunnel-non-http setting:
    config web-proxy global
        set tunnel-non-http disable
    end
To block invalid HTTPS traffic on port 443, set the unsupported-ssl setting to "block":
    config firewall ssl-ssh-profile
        edit [profile-name]
            config https
                set ports 443
                set unsupported-ssl block
            end
        end
    end
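The following audit script is an added example, not Fortinet code: it parses a FortiOS CLI configuration dump (the standard config/edit/set/next/end nesting) and reports whether the two workaround settings above are in their hardened state. The sample configuration is constructed, and the assumed factory defaults (tunnel-non-http enabled, unsupported-ssl set to bypass) are treated as "not hardened" when the line is absent.

```python
# Added example (not Fortinet code): audit a FortiOS CLI config dump for the
# two workaround settings in this advisory. Assumes the standard
# config/edit/set/next/end nesting of a FortiOS backup; the sample is constructed.

def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts keyed 'config X' / 'edit X'."""
    root, stack = {}, []  # stack holds (frame_type, dict)
    for raw in text.splitlines():
        tok = raw.strip().split(None, 1)
        if not tok or tok[0].startswith("#"):
            continue
        cur = stack[-1][1] if stack else root
        if tok[0] in ("config", "edit"):
            name = tok[1].strip('"')
            stack.append((tok[0], cur.setdefault(f"{tok[0]} {name}", {})))
        elif tok[0] == "set":
            name, _, val = tok[1].partition(" ")
            cur[name] = val.strip().strip('"')
        elif tok[0] == "next":      # leave the current edit entry
            stack.pop()
        elif tok[0] == "end":       # leave the table, closing any open edit too
            while stack and stack.pop()[0] != "config":
                pass
    return root

def audit(cfg):
    """Return findings for the settings the advisory's workaround hardens.
    Assumed defaults when a line is absent: tunnel-non-http = enable,
    unsupported-ssl = bypass (both reported as not hardened)."""
    findings = []
    wp = cfg.get("config web-proxy global", {})
    if wp.get("tunnel-non-http", "enable") != "disable":
        findings.append("web-proxy global: tunnel-non-http not disabled; "
                        "non-HTTP traffic on port 80 is tunnelled, not blocked")
    for key, prof in cfg.get("config firewall ssl-ssh-profile", {}).items():
        if prof.get("config https", {}).get("unsupported-ssl", "bypass") != "block":
            findings.append(f"ssl-ssh-profile {key[5:]}: unsupported-ssl is not 'block'")
    return findings

SAMPLE = """\
config web-proxy global
    set tunnel-non-http enable
end
config firewall ssl-ssh-profile
    edit "certificate-inspection"
        config https
            set ports 443
            set unsupported-ssl bypass
        end
    next
end
"""

if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE)):
        print("FINDING:", finding)
```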