Skyhigh Security

User-agent Headers

The following list provides information about some common user-agent headers for software programs that are often found when TCP dumps created on Web Gateway are inspected.

Code lines from the Wireshark packet tracing tool that show the relevant information are added for each user-agent header.

  • Firefox — A user-agent header for a Mozilla Firefox browser contains the text string "Firefox/" followed by the version number.
Mozilla/6.0 (Windows NT 6.2; WOW64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1
  • Internet Explorer — A user-agent header for a Microsoft Internet Explorer browser contains the text string "MSIE" followed by the version number.
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
  • Chrome — A user-agent header for a Google Chrome browser contains the text string "AppleWebKit".
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22

Do not confuse a header like this with a user-agent header for the Apple iPhone smartphone.

  • Windows Media Player — A user-agent header for Windows Media Player contains the two text strings shown in this sample code block.
Windows-Media-Player/10.0.0.xxxx
NSPlayer/10.0.0.xxxx WMFSDK/10.0
  • iTunes — A user-agent header for an Apple iTunes media player contains the text string "iTunes/" followed by the version number.
Mozilla/6.0 (Windows NT 6.2; WOW64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1
  • Safari on iPhone — A user-agent header for an app that runs on an iPhone, for example, the Apple Safari browser, contains the text string "iPhone".
Mozilla/6.0 (Windows NT 6.2; WOW64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1

 

Sample rule for working with the user-agent header

In a rule that performs an action on a request with a user-agent header for a particular software program, the user-agent is included in the rule criteria. If the rule is to apply to more than one user-agent, you can work with a list of user-agents.

NOTE: We recommend using a list, even if you are presently interested in a particular user-agent only. Using a list makes it easier to modify the rule when more user-agents must be addressed in the future.

The rule criteria contains a property that is set to the value for the user-agent in the user-agent header when the rule is processed. The rule applies if this value matches one of the entries in a list of user-agents or a single user-agent if you have configured the rule this way.

The list might, for example, contain the entry "MSIE 10" for version 10 of Microsoft Internet Explorer. If a request includes a user-agent header for this browser, the rule criteria matches, because the string that you entered in the list is also contained in the user-agent header.

The property that is used to retrieve the value for the user-agent from the user-agent header in a request is Header.Request.Get. To use the property for retrieving this value, you configure the string "User-Agent" as a parameter of the property.

The purpose of the sample rule is to let a request skip SSL scanning. It looks as follows.

Name: Skip SSL Scanner for user-agents in list
Criteria: Header.Request.Get("User-Agent") matches in list User Agent Whitelist
Action: Stop Rule Set

NOTE: We recommend including an additional criteria part in a rule like this. Because it is the client that provides the information about the user-agent, the client or a malware program might spoof a trusted user-agent to bypass filtering.

A sample rule that has its criteria extended by another part to protect the rule against user-agent spoofing looks as follows.

Name: Skip SSL Scanner for user-agents in list
Criteria: Header.Request.Get("User-Agent") matches in list User Agent Whitelist AND URL.Host matches *samplesite.com
Action: Stop Rule Set
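
The spoofing caveat above, as an added example that is not part of the original page or of Web Gateway: a Python model of the two sample rules, run over constructed requests to list those that skip under the user-agent-only rule but not under the extended rule. The function names, the sample requests, and the use of substring and fnmatch matching as stand-ins for "matches in list" and the URL.Host wildcard are assumptions.

```python
from fnmatch import fnmatchcase

# "MSIE 10" and "*samplesite.com" come from the page; all request data is constructed.
USER_AGENT_WHITELIST = ["MSIE 10"]
HOST_PATTERNS = ["*samplesite.com"]
MSIE10 = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
FIREFOX = "Mozilla/6.0 (Windows NT 6.2; WOW64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1"
REQUESTS = [
    {"host": "www.samplesite.com", "headers": {"User-Agent": MSIE10}},
    {"host": "files.example.net", "headers": {"user-agent": MSIE10}},  # same claimed UA, other host
    {"host": "www.samplesite.com", "headers": {"User-Agent": FIREFOX}},
    {"host": "www.samplesite.com", "headers": {}},  # no User-Agent header at all
]


def get_header(headers, name):
    """Hypothetical stand-in for Header.Request.Get: case-insensitive, '' if absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def ua_in_list(headers, entries=USER_AGENT_WHITELIST):
    """True if a list entry is contained in the User-Agent value (substring match)."""
    ua = get_header(headers, "User-Agent")
    return any(entry in ua for entry in entries)


def host_matches(host, patterns=HOST_PATTERNS):
    """Glob match on the lower-cased host (assumed model of the URL.Host criterion)."""
    return any(fnmatchcase(host.lower(), p.lower()) for p in patterns)


def skips_ua_only(req):
    """First sample rule: the client-supplied User-Agent alone decides."""
    return ua_in_list(req["headers"])


def skips_extended(req):
    """Extended sample rule: the User-Agent AND the destination host must both match."""
    return ua_in_list(req["headers"]) and host_matches(req["host"])


def audit(requests):
    """Hosts whose requests skip scanning only because of the claimed User-Agent."""
    return [r["host"] for r in requests if skips_ua_only(r) and not skips_extended(r)]


if __name__ == "__main__":
    print(audit(REQUESTS))
```
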

In the sample rules, Stop Rule Set is configured as action. To address issues that a user-agent causes with regard to a function of Web Gateway, you insert the rule in the rule set for that function.

For example, if a user-agent causes issues with SSL scanning, insert the rule at the beginning of the SSL Scanner rule set. If the rule applies, processing of this rule set is stopped, which means that the relevant request skips SSL scanning. The rule can be used in a similar way to skip, for example, user authentication.

If you do not want to let requests skip anything due to issues with user-agents, you can replace the Stop Rule Set action with Block. You can then create a rule set for globally blocking requests (if it does not yet exist in your rule set system) and insert the rule.