Operational Defect Database

BugZero found this defect 502 days ago.

WatchGuard Technologies | kA16S000000Bc3kSAC

Non-HTTPS traffic over port 443 denied by cloud-managed Firebox

Last update date:

1/4/2023

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

11.x

11.1.x

11.10.x

11.10

11.10.1

11.10.2

11.10.3

11.10.4

11.10.5

11.10.6

Fixed releases:

All

Description:

Issue

Default policies strictly enforce HTTPS-protocol traffic sent over port 443. Traffic on port 443 that is not HTTPS (for example, a remote-management or VPN protocol that only uses the web port) might be denied by the proxy. Sample log:

Deny 192.168.100.100 203.0.113.2 https/tcp 57140 443 Trusted External ProxyDeny: IP protocol (Outgoing) proc_id="tcp-udp-proxy" rc="595" msg_id="2DFF-0004" proxy_act="TCP-UDP-out.fpol_385925_x" geo_dst="USA" rule_name="Default"

Examples of applications that might send non-HTTPS traffic over port 443 include but are not limited to:

ConnectWise ScreenConnect

Datto RMM

iDrive

N-able Take Control

Panda Remote Management tools

OpenVPN / SSLVPN

Ring Live

Solarwinds TakeControl

Telegram
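The following is an added example, not code from the original report or from WatchGuard: it parses Fireware-style traffic-log lines in the layout of the sample above and counts, per destination address, the port-443 connections that the default proxy policy denied as non-HTTPS, which is exactly the list of servers that need an explicit policy. The sample lines are constructed for the example (the first is the report's own line with the missing space before geo_dst restored); the parser assumes interface names contain no spaces, as in the sample.

```python
import re
from collections import Counter

# Constructed sample traffic-log lines (not from the original report). Line 1
# is the report's own sample with the missing space before geo_dst restored;
# the rest are made-up lines in the same format to exercise the filter.
SAMPLE_LOG = """\
Deny 192.168.100.100 203.0.113.2 https/tcp 57140 443 Trusted External ProxyDeny: IP protocol (Outgoing) proc_id="tcp-udp-proxy" rc="595" msg_id="2DFF-0004" proxy_act="TCP-UDP-out.fpol_385925_x" geo_dst="USA" rule_name="Default"
Deny 192.168.100.101 203.0.113.2 https/tcp 57141 443 Trusted External ProxyDeny: IP protocol (Outgoing) proc_id="tcp-udp-proxy" rc="595" msg_id="2DFF-0004" proxy_act="TCP-UDP-out.fpol_385925_x" geo_dst="USA" rule_name="Default"
Deny 192.168.100.102 198.51.100.7 https/tcp 50222 443 Trusted External ProxyDeny: IP protocol (Outgoing) proc_id="tcp-udp-proxy" rc="595" msg_id="2DFF-0004" proxy_act="TCP-UDP-out.fpol_385925_x" geo_dst="NLD" rule_name="Default"
Allow 192.168.100.100 203.0.113.9 https/tcp 57150 443 Trusted External Allowed proc_id="firewall" rc="100" rule_name="Default"
Deny 192.168.100.103 203.0.113.2 ssh/tcp 40001 22 Trusted External Denied proc_id="firewall" rc="101" rule_name="Unhandled Internal Packet-00"
"""

# key="value" pairs that follow the positional fields
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Positional fields in the order the sample shows them:
# action src dst service/proto sport dport src_iface dst_iface message...
# Assumption: interface names contain no spaces (true of the sample).
HEAD_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<service>[^\s/]+)/(?P<proto>\w+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
    r"(?P<src_iface>\S+)\s+(?P<dst_iface>\S+)\s*(?P<msg>.*)$"
)


def parse_fireware_log(line):
    """Split one traffic-log line into a dict of positional and key="value"
    fields. Returns None when the line does not have the expected shape."""
    line = line.strip()
    first_kv = KV_RE.search(line)
    head = line[: first_kv.start()] if first_kv else line
    m = HEAD_RE.match(head.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["msg"] = rec["msg"].strip()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec.update(dict(KV_RE.findall(line)))
    return rec


def is_port443_proxy_deny(rec):
    """True when the default proxy policy denied a port-443 flow as non-HTTPS."""
    return (
        rec["action"] == "Deny"
        and rec["dport"] == 443
        and rec.get("proc_id") == "tcp-udp-proxy"
        and rec["msg"].startswith("ProxyDeny")
        and rec.get("rule_name") == "Default"
    )


def denied_port443_destinations(log_text):
    """Count matching denies per destination address; these are the servers
    that need an explicit policy in WatchGuard Cloud."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_fireware_log(line)
        if rec and is_port443_proxy_deny(rec):
            counts[rec["dst"]] += 1
    return counts


if __name__ == "__main__":
    for dst, n in denied_port443_destinations(SAMPLE_LOG).most_common():
        print(f"{dst}: {n} non-HTTPS connection(s) denied on port 443")
```

Run it over an exported traffic log instead of SAMPLE_LOG to get the destination list for the workaround policy; the packet-filter Allow and the port-22 Deny in the sample are deliberately left out of the count because neither comes from the tcp-udp-proxy on port 443.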

Workaround/Solution

In WatchGuard Cloud, add a policy to the Firebox configuration with these properties:

Policy type: First Run

Source: The internal or guest networks to allow connections from. Examples: Internal, Guest, Any-Internal, Any-Guest

Traffic type: HTTPS

Destination: The address/FQDN of the server you want to allow connections to. Example: sslvpn.example.com

Because a First Run policy is matched before the default policies, limit the Destination to the specific servers that need it rather than a broad range, so that other port-443 traffic still goes through the default proxy policy. After the policy is deployed, confirm in the Firebox traffic log that connections to that destination no longer produce the ProxyDeny entry from proc_id="tcp-udp-proxy" with rule_name="Default".

Status

Open
