KB Article | Forcepoint Support

Notes & Warnings

This change affects Forcepoint Next Generation Firewall (NGFW). The change affects policy templates that use the HTTP Proxy service by default for traffic with a destination port of TCP 8080.

Problem Description

By default, policy templates in which inspection is enabled use the HTTP Proxy Service element for traffic with a destination port of TCP 8080. The HTTP Proxy Service element uses the HTTP protocol module. The use of this protocol module can potentially degrade performance or cause traffic with a destination port of 8080 to be terminated if the traffic is not HTTP. For example, when speedtest.net uses TCP port 8080 for TLS traffic, the TLS connection is terminated and the test fails.

Resolution

To resolve this issue, all policy templates in which inspection is enabled and the HTTP Proxy Service element is used have been updated to use a new default Service element that uses the Protocol Identification protocol module. The Protocol Identification module first identifies the protocol from the traffic, then parses the traffic in the correct context. Using the Protocol Identification protocol module improves performance and security when traffic that is not HTTP is sent to port 8080.

The change to policy templates is deployed in dynamic update package 1225-5242. No changes to policy configuration are required to start using the updated policy template.

In some networks, traffic with a destination port of 8080 is restricted to allow only the HTTP protocol. In these cases, this change can cause a notable decrease in performance. To avoid a decrease in performance, add a rule that uses the HTTP Proxy Service element with the HTTP protocol module to the policy template after the default rules.

Article Feedback



Thank you for the feedback and comments.