5 Replies Latest reply on May 31, 2013 6:18 AM by mathew.d.hailey

    Modify HTTP Application

    gooru4speed

      I'm installing a new S4016 with version 8.3.1 and my customer has two servers that receive external connections, one of them dedicated to HTTP aplications only and the other to HTTPS aplications only. When I configure the HTTPS ACL I select "override port" and remove port 80. When I submit the ACL the firewall returns the following error:

       

      Mod_HTTP_Appl.jpg

       

      What do you suggest? Do I have to configure a "custom HTTPS" application with port TCP 443 only?

       

      Regards!

      JR

       

      on 23/05/13 17:05:34 ART
        • 1. Re: Modify HTTP Application
          sliedl

          Use the SSL/TLS (HTTPS) application instead.

          • 2. Re: Modify HTTP Application
            gooru4speed

            Sliedl, Thanks for your reply. And if I need an HTTP only application (TCP 80)? When I tried to override port on HTTP application with TCP 80 only in this case firewall returns almost same warning message telling you that HTTPS (TCP/443) is needed in order to properly work. What do you suggest?

             

            Thanks very much!

            JR

            • 3. Re: Modify HTTP Application
              sliedl

              Here is how I understand what the firewall is presenting to us:


              The HTTP application includes TCP/80 and SSL/443.  The 'SSL/443' part simply means 'This application can also function on SSL port 443'.  It says this so that the administrator can decide if he/she wants to decrypt the traffic

               

              There is a very good section in the Firewall Enterprise Product Guide called 'Policy in Action' and in that section are two setups, one for inbound HTTPS decrypt/reencrypt and one for only decrypt (I suggest everyone read them if you have not yet).  There are these two statements in that section:

               

              Create access control rules to control inbound HTTPS:
              If an inbound SSL decryption rule is in place, you can use access control rules to allow and deny most
              applications that use SSL if they include SSL ports (SSL/nn).

               

              Because the HTTP application includes port SSL/443, it matches decrypted HTTPS in addition to normal
              HTTP connections.

               

              The 'Applications' on the firewall include the old smart proxies, like HTTP, SMTP, etc., and new Applications (signatures basically) for (mostly) HTTP-based 'applications' like Facebook Chat, etc.  These are almost always 'wrapped' in SSL, so if that can happen, the signature says that and you can decide to decrypt it.

               

              What is confusing is that the HTTP application includes TCP/80 and SSL/443 but it will not pass traffic on port 443.  You must use the SSL/TLS (HTTPS) application to pass that traffic.  If you use only the HTTP application is will pass TCP/80 only.

              1 of 1 people found this helpful
              • 4. Re: Modify HTTP Application
                gooru4speed

                Sliedl,

                Thanks very much for your reply. Your experience in firewalls is a great contribution to this forum. I really appreciate that!.

                 

                Best Regards

                 

                Julio.

                • 5. Re: Modify HTTP Application
                  mathew.d.hailey

                  Agreed it is confusing.  I wish they would specify that somehow.   What i ended up doing is to modify the existing Internet Services as follows:   add HTTPS and then select "override ports" with the following: TCP/80 SSL/80,443.   This has worked for me.