Allow specific URLs but block non-URL 443 traffic

Question

I want to allow a PC to access specific web sites and nothing else. I have setup a firewall rule on XG 18 that allows HHTP/S services and set a web policy. 
 What happens if a program tries to make a direct connection from that PC to another computer on those ports? Won't that be allowed by the allowed services? How do you stop this from happening so only the allowed URLs will pass? 
 I've read loads of posts about web filtering but can't find the answer.

Michael Dunn · Accepted Answer

Hi JasP, 
 I'm glad to see that people are testing the firewall/proxy and I support you doing so. I am a QA who works directly in this area. 
 
 Let us first make sure your settings are correct. 
 Please go into the XG "device console" (this is not ssh / advanced shell) and do: show http_proxy 
 You should have: HTTP relay_invalid_http_traffic: off 
 If it is on then turn it off with set http_proxy relay_invalid_http_traffic off 
 In Web > General Settings Block unrecognized SSL Protocols. Please make sure that it is on. 
 The interpretation of these two are slightly different whether you use the web proxy or DPI mode, but both are involved with blocking invalid traffic. The relay_invalid_http_traffic will block traffic on ports that does not conform to the http standard. The block unrecognized SSL Protocols will block SSL/TLS traffic that is not supported. 
 As you were involved in the v18 EAP, you may remember that changing these settings away from their defaults was part of workarounds for EAP issues. However the default for all new installations is that relay_invalid_http_traffic is off. I suspect it is on in your system, because you likely set it so during EAP. 
 As for the testing, opening a connection with no data is not proof of anything, as this is just a TCP connection with no traffic. It might be valid HTTP or it might be an SSL handshake or it might be arbitrary binary data. The question is what is sent on the TCP connection afterwards, whether the data is sent on to the destination server, whether the far server sends data back that reaches the client, and what is virus scanned. 
 I don't know Packet Sender, we usually use netcat to do this and it can also act as the client and server, though I'll use telnet since you mentioned it. If you want a full end-to-end you also need to have a netcat server running on the WAN side (eg on the other side of your rule) so you can monitor what the server receives/sends. Or use TCP dump to watch both the WAN and LAN side of the firewall. 
 Note: If you are using telnet/netcat there are differences on how the data is sent in packets if you are typing it in (I think it sends a packet when you do a CR) or piping in the data (eg `cat myrequest.txt | nc www.example.com 80` will send a packet after max packet size or EOF). Also make sure that if you are manually typing HTTP there are two CR to indicate end of headers. 
 So if you do: 
 telnet www.example.com 80 GET / HTTP/1.1 Host: www.example.com 
 The client will get back the webpage. 
 If you do telnet www.example.com 80 Hello buddy 
 The client will get dropped. 
 In the second test: If you are using the web proxy, the far server does not get a connection or any data. The web proxy will only make a connection to the web server if is has a full and complete valid request. If you are using DPI mode, the far server gets a connection. IIRC whether the far server receives data depends on whether the data is sent in one packet or many. The DPI mode allows the connection to the web server and inspects the packets. It will drop the connection only after it receives enough to know it is invalid. 
 If you retry with relay_invalid_http_traffic on, the second test should not be dropped by the XG (though the far server might). 
 
 > if you have a rule that allows specific URLs, it also allows any malicious piece of software to open a direct IP connection on port 80/443 to any IP address and send whatever it wants. 
 That statement is true if relay_invalid_http_traffic is set to on. Port 80/443 traffic that does not conform to the HTTP specification is allowed. 
 If relay_invalid_http_traffic is off (default) then traffic is blocked, with slight variations based on proxy/DPI and packet breakdown.