June 27, 2022

Technical Tip: Information disclosure through SSL-VPN URL

Description

This article describes how to prevent information disclosure through the SSL-VPN URL:

https://<Remote_Gateway_IP:Port_Number>/remote/fgt_lang?lang=en

Scope

FortiGate
Solution

The SSL-VPN URL:

https://<Remote_Gateway_IP:Port_Number>/remote/fgt_lang?lang=en

points to a language file, but this is not considered a security concern or sensitive information on the device.

The language files are needed before user login, so it is not possible to disable them with a restriction.

It is possible to try blocking the page using a Web Application Firewall (WAF) policy, but the SSL-VPN login page would then not display properly.

The language file page returned when accessing the SSL-VPN URL https://<Remote_Gateway_IP:Port_Number>/remote/fgt_lang?lang=en:

var fgt_lang =
{
"0": "Operation successful.",
"1": "CLI internal error",
"2": "CMDB operation error",
"3": "Memory allocation error",
"4": "Print incomplete",
"5": "System error",
"7": "Feature is not available",
"400": "Invalid HTTP request.",
"401": "Unauthorized.",
"403": "Access denied.",
"404": "The web page cannot be found.",
"424": "Failed Dependency",
"429": "Too Many Requests",
"500": "Internal Server Error",
"501": "Not implemented.",
"502": "Bad gateway. Please check the URL or DNS configuration.",
"503": "Required HTTP service is unavailable.",
"1001": "Please wait while the system restarts.",
.
.
.
.
"{TYPE}: Channel {CHANNEL} ({UTILIZATION}%)": "{0}: Channel {1} ({2}%)",
"{WATTS} Unallocated": "{0} Unallocated",
"{bits} bit(s)": "{0} bit(s)"
}
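
When a scanner reports this URL as information disclosure, one way to confirm that a saved copy of the full response holds only static UI strings is the check below. It is an added example, not part of the original article and not Fortinet code. The pattern list, function names and sample data are assumptions, and the response is assumed to be a JSON-compatible object literal as in the listing above.

```python
import json
import re

# Patterns that would turn this finding into a real disclosure. They are
# assumptions picked for this example, not a vendor-defined list.
SENSITIVE = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[A-Za-z]{2,}"),
    "pem_block": re.compile(r"-----BEGIN [A-Z ]+-----"),
    "long_hex": re.compile(r"\b[0-9a-fA-F]{32,}\b"),
}

def parse_fgt_lang(body):
    """Extract the string table from a saved 'var fgt_lang = {...}' response."""
    m = re.match(r"\s*var\s+fgt_lang\s*=\s*(\{.*\})\s*;?\s*$", body, re.S)
    if not m:
        raise ValueError("response is not a fgt_lang string table")
    table = json.loads(m.group(1))  # assumes the object literal is valid JSON
    if not isinstance(table, dict):
        raise ValueError("fgt_lang is not an object")
    return table

def triage(body):
    """Return sorted (key, pattern_name) pairs for entries that need review."""
    hits = []
    for key, value in parse_fgt_lang(body).items():
        text = f"{key} {value}"
        for name, pattern in SENSITIVE.items():
            if pattern.search(text):
                hits.append((key, name))
    return sorted(hits)

# Constructed sample: a few entries copied from the listing above.
CLEAN = '''var fgt_lang =
{
"0": "Operation successful.",
"401": "Unauthorized.",
"{WATTS} Unallocated": "{0} Unallocated",
"{bits} bit(s)": "{0} bit(s)"
}'''

# Constructed counter-example: an entry that should never be in a UI string table.
DIRTY = CLEAN.replace('"401": "Unauthorized."',
                      '"401": "Unauthorized.", "9999": "Upstream 10.0.0.5 refused"')

if __name__ == "__main__":
    print("clean:", triage(CLEAN))
    print("dirty:", triage(DIRTY))
```

An empty result supports closing the finding as a false positive; any hit means the entry should be read by a person before the finding is dismissed.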