Allowing Exception to Download specific EXE Url within a HTTPS proxy rule

edited March 2022 in Firebox - Proxies

I believe I have found my own answer in a previous post from the Jedi Master, Bruce Briggs, but I thought I would ask because I figured there may be an update since 2019 and I am missing it.

We have an HTTPS rule with inspection and certificates configured and working with no issues. However, in Body Content Types we are blocking EXE/DLL file downloads. My techs used the HTTP exception to add python.org/* and .python.org/, and regardless it blocks the site. In the interim I changed the rule from Deny to AV, but I loathe the idea of allowing any EXE files to download, and I really loathe creating a half dozen rules for each proxy rule (VLAN/schools) to enable allowing access via an HTTP rule to download specific locations of known EXE files outside of the proxy rules that exist for those networks.

Is this just the way it is, or am I missing some creative way to enable the proxy to apply exemptions before applying body content type rules?

2022-03-23 14:27:45 Allow 192.x.x.x 146.75.32.223 https/tcp 58889 443 Default FIOS ProxyAllow: HTTP Request categories (HTTPS-proxy.BCS_Lab-00) HTTP-Client.BCS_LAB proc_id="http-proxy" rc="590" msg_id="1AFF-0021" proxy_act="HTTP-Client.BCS_LAB" cats="Information Technology" op="GET" dstname=www.python.org arg="/ftp/python/3.9.11/python-3.9.11-amd64.exe" action="BCS_Class" src_user=lab10@noneofyour.business geo_dst="USA" Traffic
2022-03-23 14:27:45 Deny 192.x.x.x 146.75.32.223 https/tcp 58889 443 Default FIOS ProxyDeny: HTTP Body Content Type match (HTTPS-proxy.BCS_Lab-00) HTTP-Client.BCS_LAB proc_id="http-proxy" rc="595" msg_id="1AFF-0012" proxy_act="HTTP-Client.BCS_LAB" rule_name="Windows EXE/DLL" src_user=lab10@noneofyour.business geo_dst="USA" Traffic
2022-03-23 14:27:45 Allow 192.x.x.x 146.75.32.223 https/tcp 58889 443 Default FIOS HTTP request (HTTPS-proxy.BCS_Lab-00) HTTP-Client.BCS_LAB proc_id="http-proxy" rc="525" msg_id="1AFF-0024" proxy_act="HTTP-Client.BCS_LAB" op="GET" dstname=www.python.org arg="/ftp/python/3.9.11/python-3.9.11-amd64.exe" sent_bytes="977" rcvd_bytes="1051" elapsed_time="0.096770 sec(s)" app_id="8" app_cat_id="14" app_name="Google Chrome" app_cat_name="Web services" sig_vers="18.203" src_user=lab10@noneofyour.business geo_dst="USA" Traffic

Thank you, Greg Sweers

Comments

  • Exactly where were the HTTP exceptions added?

    While there is an order to when the various policy & proxy checks are done, any check which causes a deny can't be undone by an earlier allow check, and later checks won't be done.

    One example: an allowed URL Path will not prevent a Body Content Types deny.

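The ordering rule in the comment above can be checked directly against the Traffic Monitor lines in the post. The Python below is an added example, not part of this thread and not WatchGuard tooling: it parses the three logged lines (whitespace collapsed) plus one constructed Allow-only transaction added for contrast, groups the lines by connection, and reports which proxy check decided each transaction. The only format assumptions are the ones visible in those lines: a timestamp, Allow/Deny, a 5-tuple, a free-text message ending in the policy name, then key="value" fields. The second transaction (source port 58890, a GET for /downloads/) is invented for the example.

```python
import re
from collections import defaultdict

# Sample Firebox Traffic Monitor lines. The first three are the lines from the
# post above; the last two are a CONSTRUCTED Allow-only transaction for contrast.
SAMPLE_LOG = """\
2022-03-23 14:27:45 Allow 192.x.x.x 146.75.32.223 https/tcp 58889 443 Default FIOS ProxyAllow: HTTP Request categories (HTTPS-proxy.BCS_Lab-00) HTTP-Client.BCS_LAB proc_id="http-proxy" rc="590" msg_id="1AFF-0021" proxy_act="HTTP-Client.BCS_LAB" cats="Information Technology" op="GET" dstname=www.python.org arg="/ftp/python/3.9.11/python-3.9.11-amd64.exe" action="BCS_Class" src_user=lab10@noneofyour.business geo_dst="USA" Traffic
2022-03-23 14:27:45 Deny 192.x.x.x 146.75.32.223 https/tcp 58889 443 Default FIOS ProxyDeny: HTTP Body Content Type match (HTTPS-proxy.BCS_Lab-00) HTTP-Client.BCS_LAB proc_id="http-proxy" rc="595" msg_id="1AFF-0012" proxy_act="HTTP-Client.BCS_LAB" rule_name="Windows EXE/DLL" src_user=lab10@noneofyour.business geo_dst="USA" Traffic
2022-03-23 14:27:45 Allow 192.x.x.x 146.75.32.223 https/tcp 58889 443 Default FIOS HTTP request (HTTPS-proxy.BCS_Lab-00) HTTP-Client.BCS_LAB proc_id="http-proxy" rc="525" msg_id="1AFF-0024" proxy_act="HTTP-Client.BCS_LAB" op="GET" dstname=www.python.org arg="/ftp/python/3.9.11/python-3.9.11-amd64.exe" sent_bytes="977" rcvd_bytes="1051" elapsed_time="0.096770 sec(s)" app_id="8" app_cat_id="14" app_name="Google Chrome" app_cat_name="Web services" sig_vers="18.203" src_user=lab10@noneofyour.business geo_dst="USA" Traffic
2022-03-23 14:27:46 Allow 192.x.x.x 146.75.32.223 https/tcp 58890 443 Default FIOS ProxyAllow: HTTP Request categories (HTTPS-proxy.BCS_Lab-00) HTTP-Client.BCS_LAB proc_id="http-proxy" rc="590" msg_id="1AFF-0021" proxy_act="HTTP-Client.BCS_LAB" cats="Information Technology" op="GET" dstname=www.python.org arg="/downloads/" action="BCS_Class" src_user=lab10@noneofyour.business geo_dst="USA" Traffic
2022-03-23 14:27:46 Allow 192.x.x.x 146.75.32.223 https/tcp 58890 443 Default FIOS HTTP request (HTTPS-proxy.BCS_Lab-00) HTTP-Client.BCS_LAB proc_id="http-proxy" rc="525" msg_id="1AFF-0024" proxy_act="HTTP-Client.BCS_LAB" op="GET" dstname=www.python.org arg="/downloads/" sent_bytes="612" rcvd_bytes="20480" src_user=lab10@noneofyour.business geo_dst="USA" Traffic
"""

# Fixed prefix: timestamp, disposition, src, dst, proto, sport, dport, then the
# free-text message up to proc_id=, then the key="value" tail.
HEADER_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<disp>Allow|Deny) '
    r'(?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) (?P<sport>\d+) (?P<dport>\d+) '
    r'(?P<msg>.*?) proc_id="(?P<proc>[^"]+)" (?P<kv>.*)$'
)
# Values are either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The proxy check named in ProxyAllow:/ProxyDeny: lines, up to the "(policy)" part.
CHECK_RE = re.compile(r'Proxy(?:Allow|Deny): (?P<check>.+?)\s+\(')


def parse_line(line):
    """Return one event dict, or None for a line that is not a proxy log line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    check = CHECK_RE.search(m.group("msg"))
    return {
        "ts": m.group("ts"),
        "disp": m.group("disp"),
        "conn": (m.group("src"), m.group("dst"), m.group("proto"),
                 int(m.group("sport")), int(m.group("dport"))),
        "check": check.group("check") if check else None,  # None on summary lines
        "fields": fields,
    }


def transactions(log_text):
    """Group events by connection 5-tuple, preserving log order."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            groups[ev["conn"]].append(ev)
    return groups


def verdict(events):
    """The first Deny decides the transaction: allows logged before it were
    checks that passed, and allows logged after it (the 'HTTP request' summary
    line) do not mean the content reached the client."""
    url = None
    for e in events:
        if "arg" in e["fields"]:
            url = e["fields"].get("dstname", "") + e["fields"]["arg"]
            break
    passed = []
    for e in events:
        if e["disp"] == "Deny":
            return {"url": url, "verdict": "Deny", "check": e["check"],
                    "rule": e["fields"].get("rule_name"),
                    "passed_before_deny": passed}
        if e["check"]:
            passed.append(e["check"])
    return {"url": url, "verdict": "Allow", "check": None, "rule": None,
            "passed_before_deny": passed}


def summarize(log_text):
    return {conn: verdict(evs) for conn, evs in transactions(log_text).items()}


if __name__ == "__main__":
    for conn, v in summarize(SAMPLE_LOG).items():
        detail = "" if v["verdict"] == "Allow" else (
            f" by '{v['check']}' rule {v['rule']!r}; passed first: {v['passed_before_deny']}")
        print(f"{conn[0]}:{conn[3]} -> {v['url']}: {v['verdict']}{detail}")
```

For the python.org download the output is a Deny decided by "HTTP Body Content Type match" (rule "Windows EXE/DLL") after "HTTP Request categories" had already passed, which is exactly the point: the category and URL checks happen on the request, Body Content Types acts on what comes back, and nothing that passed earlier can rescue it. The summary line with rcvd_bytes logged after the Deny is consistent with the response having been fetched and then blocked.
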
  • Hey Bruce. In the HTTP proxy action connected to the HTTPS rule, under HTTP Exceptions, we added those. If I delete the body content rule we can download just fine. If I create a new HTTP/HTTPS rule and apply a rule before it with the URL as the destination, it obviously applies that rule and does not go through the proxy. I just don't want to create a bunch of packet filters or new proxy actions for a set of websites from which we need to download EXE or other content types that are blocked. I also don't want to allow all EXEs by removing the content type rule.

    Adding an exception and a domain or url seems to be the easiest thing inside of the same proxy but I guess it doesn’t work that way?

  • The HTTP Proxy Exception entry needs to be a Domain Name, not a URL.

    The following indicates which proxy checks are bypassed.

    HTTP-Proxy: Exceptions
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/http/http_proxy_exceptions_c.html?Highlight=HTTP Proxy Exception

  • james.carson Moderator, WatchGuard Representative

    Hi @PowderGDS
    You may be able to except this in the advanced view of your Body Content Types in that proxy. With that said, the executable is going to change as versions update, so making an exception for python.org, or hosting the EXE file locally somewhere the users can get to it, may be a better option.

    See:
    (About Rules and Rulesets)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/general/rule_rulesets_about_c.html

    (Add, Change, or Delete Rules)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/general/rules_add_simple_c.html

    Personally, if it were my network I'd try to find a different place to host the file, or except python.org, as trying to keep up with whatever exact file you want would be an administrative nightmare (in my opinion).

    -James Carson
    WatchGuard Customer Support
