
A vulnerability scanner reports that the HTTPd proxy allows the CONNECT method, potentially exposing internal hosts

Question/Issue:
You have configured the HTTPd proxy to listen on an additional port, 8080/TCP, in order to pass HTTP traffic over that port. When scanning the firewall with a vulnerability scanner, the scanner reports that the HTTP proxy allows the CONNECT method, potentially exposing internal hosts.


Solution:
Technically, the firewall does allow the CONNECT method to reach the HTTPd proxy, but the proxy answers with a "503: Service Unavailable" message and closes the connection, so no tunnel is ever established. The vulnerability scanner reports this as a successful CONNECT (which it is, at the HTTP level) and claims that it may be possible to exploit this to connect to internal hosts. This is a false positive: the scanner treats the accepted request as an open tunnel because the firewall behaves in a manner the scanner does not expect.

To verify that this is the case, filter the log file on the firewall for the time that the vulnerability scan was run and the phrase "service unavailable". The log messages should show that the HTTPd proxy returned the 503 Service Unavailable status code when the vulnerability scanner attempted the CONNECT method against port 8080/TCP.
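The following script is an added example, not code from Symantec or from the product; it shows both halves of the check described above. classify_connect_response() tells a 503 (request accepted, tunnel refused) apart from a 2xx (tunnel actually opened), which is the distinction the scanner fails to make, and find_refusals() filters log lines to the scan window and the phrase "service unavailable". The log lines in SAMPLE_LOG are constructed for the example; the real Symantec Enterprise Firewall log format is different, and only the timestamp prefix and the phrase matter. probe_connect() is for running against your own proxy and uses a TEST-NET placeholder as the CONNECT target.

```python
import re
import socket
from datetime import datetime

# Status line of an HTTP reply, e.g. "HTTP/1.0 503 Service Unavailable".
STATUS_RE = re.compile(rb"^HTTP/\d\.\d (\d{3})")


def classify_connect_response(raw: bytes) -> str:
    """Classify a proxy's raw reply to a CONNECT request.

    A 2xx means the proxy opened a tunnel to the requested host, which is
    what an "open proxy" finding really requires.  A 503 (or any other
    4xx/5xx) means the request was parsed but the tunnel was refused, the
    behaviour the article describes and the source of the false positive.
    """
    status_line = raw.split(b"\r\n", 1)[0]
    m = STATUS_RE.match(status_line)
    if not m:
        return "malformed"
    code = int(m.group(1))
    if 200 <= code < 300:
        return "tunnel-open"
    if code == 503:
        return "refused-503"
    if 400 <= code < 600:
        return "refused-other"
    return "unexpected"


def probe_connect(proxy_host: str, proxy_port: int = 8080,
                  target: str = "192.0.2.10:25", timeout: float = 5.0) -> bytes:
    """Send one CONNECT to your own proxy and return its raw reply headers.

    target is a placeholder (RFC 5737 TEST-NET address); the only goal is to
    observe how the proxy answers, not to reach anything behind it.
    """
    request = (f"CONNECT {target} HTTP/1.0\r\n"
               f"Host: {target}\r\n\r\n").encode()
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(request)
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


# Constructed sample log lines (syslog-style timestamps); not the real
# Symantec Enterprise Firewall format.
SAMPLE_LOG = """\
Aug 18 14:09:01 fw httpd[1234]: 10.0.0.5 CONNECT 192.0.2.10:25 HTTP/1.0 -> 503 Service Unavailable
Aug 18 14:09:02 fw httpd[1234]: 10.0.0.5 GET http://intranet.example/ HTTP/1.0 -> 200
Aug 18 14:25:17 fw httpd[1234]: 10.0.0.7 CONNECT 192.0.2.10:443 HTTP/1.0 -> 503 Service Unavailable
"""

TS_FMT = "%b %d %H:%M:%S"   # "Aug 18 14:09:01" occupies the first 15 characters


def _stamp(text: str) -> datetime:
    return datetime.strptime(text, TS_FMT)


def find_refusals(log_text: str, start: str, end: str,
                  phrase: str = "service unavailable") -> list:
    """Return the log lines inside [start, end] that contain phrase.

    start and end use the same "Mon DD HH:MM:SS" form as the log lines, so
    the scan window can be copied straight from the scanner's report.
    """
    lo, hi = _stamp(start), _stamp(end)
    hits = []
    for line in log_text.splitlines():
        try:
            ts = _stamp(line[:15])
        except ValueError:
            continue                      # not a timestamped line
        if lo <= ts <= hi and phrase.lower() in line.lower():
            hits.append(line)
    return hits


if __name__ == "__main__":
    # Offline demonstration on the constructed log; no network access needed.
    for hit in find_refusals(SAMPLE_LOG, "Aug 18 14:08:00", "Aug 18 14:10:00"):
        print(hit)
    # To check a live proxy on your own firewall, uncomment and set the host:
    # print(classify_connect_response(probe_connect("firewall.example", 8080)))
```

If classify_connect_response() returns "refused-503" for the live probe and find_refusals() shows matching 503 entries for the scan window, the scanner's finding is the false positive the article describes; a "tunnel-open" result would mean the proxy really did relay the connection and the finding should be treated as genuine.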



Document ID: 2003081814092654
Last Modified: 04/07/2006
Date Created: 08/18/2003
Product(s): Symantec Enterprise Firewall 6.5, Symantec Enterprise Firewall 7.x, Symantec Gateway Security 1600 Series v3.0.1, Symantec Gateway Security 1600 Series version 3.0, Symantec Gateway Security 5000 Series 3.0, Symantec Gateway Security 5000 Series v3.0.1, Symantec Gateway Security Appliance 1.0, Symantec Gateway Security Appliance 2.0, Symantec VelociRaptor 1.1, Symantec VelociRaptor 1.5
Release(s): 1620, 1660, 5620, 5640, 5660, Symantec Enterprise Firewall 6.5.2, Symantec Enterprise Firewall 7.0, Symantec Enterprise Firewall 7.04, Symantec Gateway Security Appliance 1.0, Symantec Gateway Security Appliance 2.0 [All Releases], Symantec VelociRaptor 1.1, Symantec VelociRaptor 1.5


