https://community.cisco.com/t5/network-security/anyconnect-url-redirection-issue/m-p/4921414#M1104147 <P>on it we have SSL VPN access configured. This therefore enables the ability to ‘browse’ to the outside of the firewall.</P><P>This in itself isn’t a problem, but what is a problem is that browsing to a random URL that is invalid sees the firewall redirect to an error page as opposed to returning a 404. This is causing PCI scans to fail.</P><P>For example, navigating to https://X.X.X.X/HiBtInet will see you redirected to https://X.X.X.X/+CSCOE+/message.html?mc=2</P><P>We would like to adjust the behavior of the firewall such that it doesn’t redirect but rather just 404s; this, you would perhaps think, would be default behavior given past DoS and path traversal vulnerabilities made possible by being able to browse on the outside.</P><P>I’ve attached the show tech output. We’ve tried implementing the following (we tried switching to 404) without any luck:</P><P>&nbsp;sh run webvpn | inc portal|keep<BR />portal-access-rule 1 deny code 403 any<BR />keepout "Denied"</P><P>Any questions please let me know.</P> Mon, 11 Sep 2023 12:56:14 GMT Rock29 2023-09-11T12:56:14Z https://community.cisco.com/t5/network-security/anyconnect-url-redirection-issue/m-p/4921414#M1104147 <P>on it we have SSL VPN access configured. This therefore enables the ability to ‘browse’ to the outside of the firewall.</P><P>This in itself isn’t a problem, but what is a problem is that browsing to a random URL that is invalid sees the firewall redirect to an error page as opposed to returning a 404. This is causing PCI scans to fail.</P><P>For example, navigating to https://X.X.X.X/HiBtInet will see you redirected to https://X.X.X.X/+CSCOE+/message.html?mc=2</P><P>We would like to adjust the behavior of the firewall such that it doesn’t redirect but rather just 404s; this, you would perhaps think, would be default behavior given past DoS and path traversal vulnerabilities made possible by being able to browse on the outside.</P><P>I’ve attached the show tech output. We’ve tried implementing the following (we tried switching to 404) without any luck:</P><P>&nbsp;sh run webvpn | inc portal|keep<BR />portal-access-rule 1 deny code 403 any<BR />keepout "Denied"</P><P>Any questions please let me know.</P> Mon, 11 Sep 2023 12:56:14 GMT https://community.cisco.com/t5/network-security/anyconnect-url-redirection-issue/m-p/4921414#M1104147 Rock29 2023-09-11T12:56:14Z https://community.cisco.com/t5/network-security/anyconnect-url-redirection-issue/m-p/4925830#M1104383 <P>I'm also seeing this issue &amp; its undesired redirects. It does seem like a big security threat.</P><P>We're on an ASA 5508 with software version 9.16(4)14.</P><P>I've tried code 403, 404 and 204 without success. The big issue is this redirect is causing us to fail on a PCI scan &amp; there doesn't seem to be a fix for it.</P> Tue, 19 Sep 2023 14:41:28 GMT https://community.cisco.com/t5/network-security/anyconnect-url-redirection-issue/m-p/4925830#M1104383 amaradino 2023-09-19T14:41:28Z