Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 3 subscribers
  • Views 4831 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

"Accept */*" http header added

Infosystem
Hi,

Our UTM 9.209-8 adds a line with "Accept */*" to http headers.

This is a wireshark log taken on the webserver when the request was issued by us (through the UTM):


This is a wireshark log taken on the webserver when the request was issued by a third party:



On the UTM we have all features disabled that could mess with this sort of thing. Only Firewall, RED, Wireless Protection, Site-to-Site VPN, Remote Access, Web Application Firewall and HA/Cluster are active.

IP, Web Filtering, Endpoint Protection etc is inactive.

Does anyone have an idea how this header gets added?


This thread was automatically locked due to age.
Parents
  • 0
    Hi, if you're not using the HTTP Proxy (Web Protection), it should not be possible for the UTM to be modifying L7 content.

    Do you have the WAF misconfigured to be listening to outgoing traffic?

    Here's an NGREP capture on a remote webserver (at AWS) of traffic which originated inside my 9.211 system (no WAF or Proxy) using FireFox: 
    T x.x.x.x:38777 -> 10.73.x.x:80 [AP]

      GET /asdfasdf HTTP/1.0..Host: foobar.net..User-Agent: Mozilla/5

      .0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0..Accept: te

      xt/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8..Accept-Langu

      age: en-US,en;q=0.5..Accept-Encoding: gzip, deflate..DNT: 1..Cache-Control: max-age=259200..Connection: keep-alive....


    Barry
Reply
  • 0
    Hi, if you're not using the HTTP Proxy (Web Protection), it should not be possible for the UTM to be modifying L7 content.

    Do you have the WAF misconfigured to be listening to outgoing traffic?

    Here's an NGREP capture on a remote webserver (at AWS) of traffic which originated inside my 9.211 system (no WAF or Proxy) using FireFox: 
    T x.x.x.x:38777 -> 10.73.x.x:80 [AP]

      GET /asdfasdf HTTP/1.0..Host: foobar.net..User-Agent: Mozilla/5

      .0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0..Accept: te

      xt/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8..Accept-Langu

      age: en-US,en;q=0.5..Accept-Encoding: gzip, deflate..DNT: 1..Cache-Control: max-age=259200..Connection: keep-alive....


    Barry
Children
No Data