I'm installing a new S4016 with version 8.3.1 and my customer has two servers that receive external connections, one of them dedicated to HTTP aplications only and the other to HTTPS aplications only. When I configure the HTTPS ACL I select "override port" and remove port 80. When I submit the ACL the firewall returns the following error:
What do you suggest? Do I have to configure a "custom HTTPS" application with port TCP 443 only?
JRon 23/05/13 17:05:34 ART
Solved! Go to Solution.
Sliedl, Thanks for your reply. And if I need an HTTP only application (TCP 80)? When I tried to override port on HTTP application with TCP 80 only in this case firewall returns almost same warning message telling you that HTTPS (TCP/443) is needed in order to properly work. What do you suggest?
Thanks very much!
Here is how I understand what the firewall is presenting to us:
The HTTP application includes TCP/80 and SSL/443. The 'SSL/443' part simply means 'This application can also function on SSL port 443'. It says this so that the administrator can decide if he/she wants to decrypt the traffic
There is a very good section in the Firewall Enterprise Product Guide called 'Policy in Action' and in that section are two setups, one for inbound HTTPS decrypt/reencrypt and one for only decrypt (I suggest everyone read them if you have not yet). There are these two statements in that section:
Create access control rules to control inbound HTTPS:
If an inbound SSL decryption rule is in place, you can use access control rules to allow and deny most
applications that use SSL if they include SSL ports (SSL/nn).
Because the HTTP application includes port SSL/443, it matches decrypted HTTPS in addition to normal
The 'Applications' on the firewall include the old smart proxies, like HTTP, SMTP, etc., and new Applications (signatures basically) for (mostly) HTTP-based 'applications' like Facebook Chat, etc. These are almost always 'wrapped' in SSL, so if that can happen, the signature says that and you can decide to decrypt it.
What is confusing is that the HTTP application includes TCP/80 and SSL/443 but it will not pass traffic on port 443. You must use the SSL/TLS (HTTPS) application to pass that traffic. If you use only the HTTP application is will pass TCP/80 only.
Agreed it is confusing. I wish they would specify that somehow. What i ended up doing is to modify the existing Internet Services as follows: add HTTPS and then select "override ports" with the following: TCP/80 SSL/80,443. This has worked for me.