Configuring tunneled protocol detection

Tunneled protocol detection analyzes traffic to discover protocols that are tunneled over HTTP and HTTPS. Traffic that is allowed to tunnel over specific ports is also analyzed. Such traffic is reported to Filtering Service for protocol-based policy enforcement. When tunneled protocol detection is enabled, analysis is performed on both inbound and outbound traffic, regardless of other settings.

HTTP tunneling occurs when applications that use custom protocols for communication are wrapped in HTTP (meaning that standard HTTP request/response formatting is present) in order to use the ports designated for HTTP/HTTPS traffic. These ports are open to allow traffic to and from the Web. HTTP tunneling allows these applications to bypass firewalls and proxies, leaving a system vulnerable.

The tunneled protocol detection feature analyzes HTTP and HTTPS traffic and, when it detects a protocol, forwards it to Filtering Service for policy enforcement. At this point, a protocol is blocked or allowed based on policy definitions. This feature can be used to block protocols used for instant messaging, peer-to-peer applications, and proxy avoidance. Note that some applications running over HTTP (for example, Google Video) may not display the protocol block page. See Managing access to categories, protocols, and cloud apps, for information about protocol-based policy enforcement.

Note: Tunneled protocol detection is performed before content categorization. As a result, when a tunneled protocol is identified, protocol policy is enforced and content categorization is not performed.

Use the Settings > Scanning > Scanning Options page to enable and configure tunneled protocol detection:

Steps

  1. Select Off to disable tunneled protocol detection.
  2. Select On (default) to analyze all traffic to detect protocols tunneling over HTTP or HTTPS. Such traffic is reported to Filtering Service for policy enforcement.
  3. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

    Use the Settings > Scanning > Scanning Exceptions page to specify trusted sites that are never analyzed (Configuring exceptions to Content Gateway analysis).