HTTP Request and Authorization rules

Hello.

The defaults for Authorization in HTTP Proxy settings include: Basic, Digest, NTLM and Passport1.4. All other authorization headers are stripped.

I started looking at the HTTP Request Authorization list on a freshly installed WG when I couldn't access the onedrive.live.com/login page on a computer with HTTPS inspection on. I got the "All proposed authentication schemes denied" error page.

WG has KB article 000020811 about this problem, with tracking ID FBX-22385. It recommends adding Bearer as an allowed type. It didn't help.

Checking with browser web tools (F12) without HTTPS inspection revealed that Microsoft's live.com would very much like to use wlid1.1 authorization. Adding this header solved the problem immediately.

Bearer is used both in Azure/Entra logins and also in consumer products (outlook.com etc). wlid1.1 is being deprecated, but it looks like it will take years before a move to purely OAuth2 login, probably due to all the legacy Xbox/Windows installations.

A combination of Google Gemini, Copilot and plain Googling reveals that Microsoft's Passport 1.4 has not been in use for many years in their services. Similarly, NTLM and Negotiate should not be allowed on any egress traffic; Digest is also obsolete.

For everyone reading this, I recommend leaving Digest, NTLM and Passport1.4 in the list and also adding Negotiate to the list. Then change the actions the other way around: strip if matched; non-matching allowed. There are many other types of Authorization headers not in the Watchguard defaults or in the WG documentation about it, and keeping up with all of them would be difficult. It is easier to just blacklist the unwanted ones.

NTLM, Negotiate and Digest may be necessary in your VPN/intranet HTTP traffic, but should not be allowed into the Any-External address.

I would really like Watchguard to include best practices and more commentary about all their settings, in the style of CIS Benchmarks. In fact, participating in the CIS Benchmark program would be a step up anyway.

I would also like Watchguard to check all their defaults from time to time to remove obsolete cruft. At some point you need to break old stuff to keep things safe, just like PPTP was removed. Similarly, DH groups <14 and others should be removed completely, and the "About Diffie-Hellman Groups" documentation page should state directly that DH groups 1, 2 and 5 are completely broken and not just give a vague "For greater security, we recommend that you use Diffie-Hellman Group 14 or higher", which implies that these older DH Groups are still useful in IKE tunnels.
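To make the difference between the two rule actions concrete, here is an added example (my own model, not WatchGuard code or anything from the post's author) that applies the default allow-list and the inverted block-list to a few constructed requests. The request headers and credential strings are placeholders, and the scheme matching follows RFC 7235 (the auth-scheme is the first token of the header value, compared case-insensitively); how Fireware itself tokenises or matches the header is an assumption here, not documented behaviour.

```python
"""Model of a proxy Authorization-scheme rule in both actions.

Added example, not WatchGuard code.  filter_request() applies either the
default action (allow if the scheme matches the list, strip everything
else) or the inverted action (strip if matched, allow everything else).
Scheme matching follows RFC 7235; Fireware's real matching is assumed.
"""
import re

# auth-scheme is an RFC 7230 token.  Everything after the first space is
# the credential (token68 or auth-params) and plays no part in the decision.
_SCHEME_RE = re.compile(r"^\s*([!#$%&'*+\-.^_`|~0-9A-Za-z]+)")

# The default allow-list from the post.
DEFAULT_ALLOW = frozenset({"basic", "digest", "ntlm", "passport1.4"})
# The post's recommended block-list for Any-External traffic.
RECOMMENDED_STRIP = frozenset({"digest", "ntlm", "passport1.4", "negotiate"})


def auth_scheme(value):
    """Return the lower-cased auth-scheme of an Authorization value, or None."""
    m = _SCHEME_RE.match(value)
    return m.group(1).lower() if m else None


def filter_request(headers, rule_set, strip_if_matched):
    """Apply one Authorization rule to a request.

    headers: list of (name, value) tuples.
    strip_if_matched=False models the default action (allow if matched,
    strip all others); True models the inverted action (strip if matched).
    Returns (kept_headers, stripped_schemes).
    """
    kept, stripped = [], []
    for name, value in headers:
        if name.lower() != "authorization":
            kept.append((name, value))
            continue
        scheme = auth_scheme(value)
        if scheme is None:
            # A header we cannot classify is never forwarded, in either mode.
            stripped.append("<unparseable>")
            continue
        matched = scheme in rule_set
        if matched == strip_if_matched:
            stripped.append(scheme)
        else:
            kept.append((name, value))
    return kept, stripped


# Constructed sample requests; the credential strings are placeholders.
SAMPLE_REQUESTS = {
    "onedrive-login": [("Host", "onedrive.live.com"),
                       ("Authorization", "WLID1.1 t=EwB...placeholder...")],
    "graph-api":      [("Host", "graph.microsoft.com"),
                       ("Authorization", "Bearer eyJhbGciOi...placeholder...")],
    "intranet-sso":   [("Host", "intranet.example.internal"),
                       ("Authorization", "NTLM TlRMTVNTUAABAAAA...placeholder...")],
    "legacy-basic":   [("Host", "legacy.example.com"),
                       ("Authorization", "Basic dXNlcjpwYXNz")],
}


def stripped_by_policy(requests=SAMPLE_REQUESTS):
    """Map each request name to the schemes stripped under each policy."""
    out = {}
    for name, hdrs in requests.items():
        _, default_stripped = filter_request(hdrs, DEFAULT_ALLOW, strip_if_matched=False)
        _, inverted_stripped = filter_request(hdrs, RECOMMENDED_STRIP, strip_if_matched=True)
        out[name] = {"default": default_stripped, "inverted": inverted_stripped}
    return out


if __name__ == "__main__":
    for name, result in stripped_by_policy().items():
        print(f"{name:15} default strips {result['default'] or '-'}; "
              f"inverted strips {result['inverted'] or '-'}")
```

Running it shows the failure mode from the post: under the default allow-list the WLID1.1 login and the Bearer call both lose their Authorization header, while NTLM passes out unchanged; under the inverted block-list the modern schemes pass and only NTLM is stripped. Whether the real rule engine compares schemes case-insensitively is something to verify on the box before relying on it, since the post saw the scheme as "wlid1.1" in lower case.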

Comments

  • Dave_Daniels (WatchGuard Representative)

    Thanks for bringing this up. If you are wanting to make suggestions on what the defaults should be on our proxy action or better (up-to-date) documentation on what the best practices are, then the forums are not the place to request this. You will want to leave your feedback in the WatchGuard Idea Portal.
    https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA1Vr000000EgnNKAS&lang=en_US

    The people in charge of the products and making those changes that you want to see will see the feedback that you submit there.

    Otherwise, you can always create a case to verify what needs to be changed to more align with modern applications. We can then bring up those scenarios to the appropriate teams to see if the default settings need to change.