How to disable SSL VPN Logon page

Good afternoon.

I have SSL VPN enabled in my Firebox and would like to completely disable the SSL VPN Logon page, where SSL VPN clients can login in order to download the SSL client. Is it possible? Since both the VPN and this logon page use port 443, it seems like I can't block one while allowing the other.

Model M370
Version 12.4.1.B595401

Comments

  • You are correct: if you block one you will block the other, as they operate off of the same port/protocol.

    Why would you care about the VPN logon page being allowed? If your firewall stays patched all Web-related vulnerabilities should be accounted for... This and MFA would be the best advice as far as security is concerned.

    ~T

  • Thank you Tristan

    I wanted to reduce my risk quickly before starting the implementation of MFA over several fireboxes. There really isn't any simple configuration to eliminate this page?

  • Thank you, Kimmo!

    Do any of you know if this login page is affected by CVE-2022-26318?

    https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2022-00002

    Or is this vulnerability only related to the management login page of the firewall?

  • My version of firmware actually doesn't have this option in the CLI. Thanks anyway.

  • edited October 2022

    @marcelosb said:
    Thank you Tristan

    I wanted to reduce my risk quickly before starting the implementation of MFA over several fireboxes. There really isn't any simple configuration to eliminate this page?

    You of course are aware that on the very site that you asked this question - ANYONE can download the client...right? (depending on domain policies I suppose). I carry it and OpenVPN on a USB......

    plus, on the /sslvpn site you need a credential to download....

  • @TestingTester said:

    @marcelosb said:
    Thank you Tristan

    I wanted to reduce my risk quickly before starting the implementation of MFA over several fireboxes. There really isn't any simple configuration to eliminate this page?

    You of course are aware that on the very site that you asked this question - ANYONE can download the client...right? (depending on domain policies I suppose). I carry it and OpenVPN on a USB......

    plus, on the /sslvpn site you need a credential to download....

    Yes, I am aware. I am not afraid that people download the client, I am afraid of the possible existence of vulnerabilities in the http server that listens on this port.

  • @marcelosb said:

    @TestingTester said:

    @marcelosb said:
    Thank you Tristan

    I wanted to reduce my risk quickly before starting the implementation of MFA over several fireboxes. There really isn't any simple configuration to eliminate this page?

    You of course are aware that on the very site that you asked this question - ANYONE can download the client...right? (depending on domain policies I suppose). I carry it and OpenVPN on a USB......

    plus, on the /sslvpn site you need a credential to download....

    Yes, I am aware. I am not afraid that people download the client, I am afraid of the possible existence of vulnerabilities in the http server that listens on this port.

    WatchGuard patches the vulnerabilities in later firmware updates.

    I do advise updating your firewall to the latest firmware to mitigate any major HTTP vulnerabilities that they are aware of.

    Otherwise I also advise blocking Non-US countries from accessing the VPN Policy using Geolocation.

    ~T

  • The latest release for an M370 is V12.8.2 Update 1 - the current latest release.
    If you are concerned about the security of your firewall, you should be at the latest release, which happens to address the 2 issues which you list above.

  • Also, you can review the Release Notes for any version to see the fixes and enhancements in it.

    https://www.watchguard.com/wgrd-help/documentation/release-notes/fireware

  • james.carson (Moderator, WatchGuard Representative)

    @marcelosb

    Amplifying what Bruce mentioned -- you seem concerned about a potential vulnerability on the webserver, but are running years old software on the firewall itself.

    You can disable the page on newer firmwares.
    I would strongly suggest upgrading to 12.7.2 Update 2 or better -- even if your firewall is no longer licensed you can upgrade to that version. 12.7.2 will allow you to disable that page if you wish.

    Please visit detection.watchguard.com to scan your firewall prior to upgrading.

    -James Carson
    WatchGuard Customer Support

  • You all are right. I will update the software of all firewalls. Thank you!

  • Ok, so I updated one of my firewalls to 12.7.2, and intend to do the same with all others.

    This solves CVE-2022-26318 as is clearly stated in the release notes.

    Do you know if it also solves CVE-2022-31789, CVE-2022-31790, CVE-2022-31791 and CVE-2022-31792?

    I find the phrase "Affected: Fireware OS before 12.8.1, 12.x before 12.1.4, and 12.2.x through 12.5.x before 12.5.10." quite confusing. Is 12.7.2 considered "before" 12.8.1?

  • edited October 2022

    Look at the Resolution releases:
    Resolution: Fireware OS 12.8.1, 12.1.4, 12.5.10

    The reason for the multiple resolution releases is that not all supported WG firewall models can run the latest versions of Fireware.
    The Release Notes indicate which firewall models can run that release.

    From the V12.8.1 Release Notes:

    Enhancements and Resolved Issues in Fireware v12.8.1

    General
    • This release resolves security vulnerabilities rated high impact or lower that are covered by these security advisories: WGSA-2022-00013, WGSA-2022-00014, WGSA-2022-00015, WGSA-2022-00016, WGSA-2022-00017, WGSA-2022-00018, WGSA-2022-00019. For more information, see psirt.watchguard.com. [FBX-22678, FBX-22762, FBX-23058, FBX-23059, FBX-23060, FBX-22818, FBX-22908, FBX-23202]

  • @Bruce_Briggs ok, so it is my understanding that my current version (12.7.2) does not fix these issues. Version 12.8.x requires a "LiveSecurity key" which I imagine is a paid feature.

    However, they all seem to depend on my equipment having its management access page available to the internet, which they don't. The only question I have is related to CVE-2022-31790 which talks about "exposed authentication endpoints". What would be these authentication endpoints? The only http server my firewalls are offering to the internet right now is the one associated with the mobile SSL VPN. I even disabled the page like @kimmo.pohjoisaho suggested, but the server still exists, only it answers with error 404 instead of showing a login page, so I guess it is still listening to requests.

    I'm almost feeling safe here. Thank all of you for the help!
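The observation above (page disabled, but the port-443 listener still answers with a 404) is worth verifying on each firewall after the change. Below is an added example, not part of the thread and not WatchGuard tooling, that fetches the `/sslvpn/` path mentioned earlier and classifies the reply: a login form means the page is still exposed, a 404 means the page is disabled but the listener is up, and a connection error means nothing is answering. The host name is a placeholder you replace with your own firewall's external address; the path and the form markers used to spot a login page are assumptions.

```python
"""Check what a Firebox's port-443 listener returns for the SSL VPN logon path.

Added example for verifying one's own firewall after disabling the page.
Host, path and the markers that identify a login form are assumptions.
"""
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class ProbeResult:
    status: int      # HTTP status, or 0 if no HTTP reply was obtained
    body: str        # first part of the response body (may be empty)


# Markers assumed to indicate a rendered logon form rather than an error page.
LOGIN_MARKERS = ("type=\"password\"", "type='password'", "<form")


def classify(result: ProbeResult) -> str:
    """Map a probe result to one of three defender-relevant states."""
    if result.status == 0:
        return "no listener reachable"
    if result.status == 404:
        return "listener up, logon page disabled (404)"
    lowered = result.body.lower()
    if result.status == 200 and any(m in lowered for m in LOGIN_MARKERS):
        return "logon page exposed"
    return f"listener up, unexpected response {result.status}"


def probe(host: str, path: str = "/sslvpn/", timeout: float = 5.0,
          verify: bool = True) -> ProbeResult:
    """GET https://host/path and return status plus the first 512 body bytes."""
    ctx = ssl.create_default_context()
    if not verify:
        # Fireboxes often present a self-signed certificate; only relax
        # validation for this check against a host you administer.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}{path}", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return ProbeResult(resp.status, resp.read(512).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:          # 4xx/5xx still carry a body
        return ProbeResult(e.code, e.read(512).decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):     # refused, timeout, TLS failure
        return ProbeResult(0, "")


if __name__ == "__main__":
    # Placeholder host; replace with your firewall's external address.
    result = probe("firewall.example.invalid", verify=False)
    print(classify(result))
```

Because `classify` is separate from the network call, the states can be checked offline against constructed responses; in production, run `probe` from outside your network so the result reflects what the internet sees, and record the 404 state as the expected baseline so a later firmware change that re-enables the page shows up as a drift.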

  • edited October 2022

    A "LiveSecurity key" comes with a support contract, which costs money.

    You can look up prices for these on the Internet:

    WatchGuard 1 Year Standard Support Renewal for Firebox M370 #WGM37201

    WatchGuard 3 Year Standard Support Renewal for Firebox M370 #WGM37203

    See the "Renewing Expired Licenses and Back Dating" section here, which can impact the length of time for a support license for expired support licenses.
    Terms & Conditions
    https://www.watchguard.com/wgrd-support/support-levels/terms-conditions

    I am just an end user of WG products.
    I don't know the answer to this: "What would be these authentication endpoints?"

  • Thanks @Bruce_Briggs

    @james.carson do you have an answer?

    Is a firebox with 12.7.2 offering only SSL VPN through port 443 to the internet susceptible to CVE-2022-31789, CVE-2022-31790 and CVE-2022-31792?

  • james.carson (Moderator, WatchGuard Representative)

    None of the vulnerabilities specifically cite SSLVPN, but to be patched you need Fireware OS 12.8.1, 12.5.10, and 12.1.4 or better.

    https://nvd.nist.gov/vuln/detail/CVE-2022-31790 -> This is fixed in Fireware OS 12.8.1, 12.5.10, and 12.1.4.
    https://nvd.nist.gov/vuln/detail/CVE-2022-31792 -> This is fixed in Fireware OS 12.8.1, 12.5.10, and 12.1.4.
    https://nvd.nist.gov/vuln/detail/CVE-2022-31789 -> This is fixed in Fireware OS 12.8.1, 12.5.10, and 12.1.4.

    -James Carson
    WatchGuard Customer Support
