Issues with NetBotz Appliances in Post-Only Mode and Some Firewalls
Potentially any version
Default configurations of some IP-based firewalls may cause problems with NetBotz appliances operating in Post-Only mode, because NetBotz appliances insert custom information into the HTTP headers.
NetBotz appliances in post-only mode must include additional identification and session information in all HTTP traffic sent to a NetBotz Central. Many firewalls that perform packet inspection may remove the custom / proprietary headers from the HTTP traffic or drop the packets altogether. Either of these actions will leave the NetBotz appliances unable to communicate with a NetBotz Central in post-only mode.
The symptom is NetBotz appliances in post-only mode that can NOT successfully register with the NetBotz Central. The firewall's log may indicate that the packets from the NetBotz appliance contain proprietary or unknown headers.
The solution is to change the configuration on the firewall to not remove unknown / proprietary headers or not drop packets with this information.
NetBotz has discovered that WatchGuard Firewalls are configured by default to strip out unknown headers. To change the configuration on a WatchGuard Firewall, use this procedure:
- From the WatchGuard Policy Manager, bring up the current configuration for the Firewall
- Double-click on the HTTP service
- Choose the Properties tab
- Choose the Settings button
- Uncheck "Remove unknown headers"
- Click the OK button
- Click the OK button again to exit the HTTP service configuration
- Save the configuration for the changes to take effect.
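One way to confirm whether a firewall on the path removes unknown headers, before and after the configuration change, is to send a POST carrying custom headers through it to a server that echoes back what it received. This is an added example, not NetBotz or WatchGuard code; the header names and values are constructed placeholders, since the page does not name the appliance's real headers.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder headers; the appliance's real header names are not on the page.
PROBE_HEADERS = {"X-Example-Device-Id": "probe-001", "X-Example-Session": "abc123"}

class EchoHandler(BaseHTTPRequestHandler):
    """Answers a POST with the request headers the server actually received, as JSON."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        body = json.dumps({k.lower(): v for k, v in self.headers.items()}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass

def start_echo_server(host="127.0.0.1", port=0):
    """Run the echo server in a background thread (place it on the Central side)."""
    server = HTTPServer((host, port), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def missing_headers(sent, received):
    """Names of sent headers that are absent or altered on arrival (case-insensitive)."""
    got = {k.lower(): v for k, v in received.items()}
    return sorted(n for n, v in sent.items() if got.get(n.lower()) != v)

def probe(url, headers=PROBE_HEADERS, timeout=5):
    """POST from the appliance side; a dropped connection raises URLError or a timeout."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no env proxy
    req = urllib.request.Request(url, data=b"probe", headers=headers, method="POST")
    with opener.open(req, timeout=timeout) as resp:
        return missing_headers(headers, json.load(resp))

if __name__ == "__main__":
    srv = start_echo_server()
    url = f"http://127.0.0.1:{srv.server_address[1]}/"
    print("stripped or altered:", probe(url) or "none")
    srv.shutdown()
```

Run the echo server on a host behind the firewall and call `probe()` from the appliance's network segment: a non-empty result corresponds to the header-stripping case, and a timeout or connection error corresponds to the dropped-packet case.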