
What an awful overreach. Firewalls should not ship with defaults that break the internet, and such presumptuous header filtering can actually weaken security.


Filtering X-Frame-Options is bad for security. Filtering anti-CSRF headers like in Drupal and ShopWare is bad for security.

But this seems to be the current reality with enterprise firewalls. :-(

(No, TLS doesn't help in the long run. If your boss wants to know which pages you are reading he will let the experts setup this: https://www.howtoforge.com/filtering-https-traffic-with-squi...)
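A practical way to confirm the kind of header stripping the comment above describes is to fetch the same page twice, once directly (or over the ssh tunnel) and once through the corporate firewall, and diff the security-relevant response headers. The script below is an added example, not code from the commenter or from any firewall vendor; the two captures are constructed samples standing in for such a pair, and the X-CSRF-Token header name is an illustrative framework token header, not a standard. The live `fetch_headers()` helper is there to produce real captures and is not exercised by the constructed samples.

```python
"""Diff the response headers seen directly against those seen through a middlebox.

Constructed samples stand in for two captures of the same page: one fetched
directly, one fetched through a filtering firewall/proxy.
"""
from __future__ import annotations

import urllib.request

# Response headers whose removal or rewriting weakens browser-side protections
# the origin relies on (clickjacking, CSRF, MIME sniffing, downgrade, cookie
# flags).  The X-CSRF-Token name is illustrative, not a standard header.
SECURITY_HEADERS = (
    "x-frame-options",
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-csrf-token",
    "set-cookie",
)

# Constructed sample: the page as the origin actually sent it.
DIRECT_CAPTURE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: frame-ancestors 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-CSRF-Token: 1f3c9a7e0b2d4c6e8f0a1b2c3d4e5f60\r\n"
    "Set-Cookie: SESS=abc123; HttpOnly; Secure\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Constructed sample: the same page after a filtering middlebox dropped two
# headers outright and rewrote the cookie line.
VIA_FIREWALL_CAPTURE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: frame-ancestors 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: SESS=abc123\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_response(raw: str) -> tuple[int, dict[str, list[str]]]:
    """Parse an HTTP/1.1 response head into (status code, header map).

    Header names are lower-cased; repeated headers such as Set-Cookie keep
    every value instead of the last one winning.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: dict[str, list[str]] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed line rather than abort the diff
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def stripped_headers(direct, via_proxy, watch=SECURITY_HEADERS) -> list[str]:
    """Watched headers present in the direct capture but absent via the proxy."""
    return [h for h in watch if h in direct and h not in via_proxy]


def rewritten_headers(direct, via_proxy, watch=SECURITY_HEADERS) -> dict:
    """Watched headers present in both captures but with different values."""
    return {
        h: (direct[h], via_proxy[h])
        for h in watch
        if h in direct and h in via_proxy and direct[h] != via_proxy[h]
    }


def compare_captures(direct_raw: str, proxy_raw: str) -> dict:
    """Run both checks over two raw captures and return a small report."""
    _, direct = parse_response(direct_raw)
    _, proxied = parse_response(proxy_raw)
    return {
        "stripped": stripped_headers(direct, proxied),
        "rewritten": rewritten_headers(direct, proxied),
    }


def fetch_headers(url: str, proxy: str | None = None, timeout: float = 10.0) -> dict[str, list[str]]:
    """Live variant: fetch url, optionally through an explicit HTTP proxy such as
    'http://127.0.0.1:8080' (for example the local end of an ssh tunnel), and
    return headers in the same shape parse_response() produces.  Passing an
    empty proxy map also ignores any proxy set in the environment."""
    proxies = {"http": proxy, "https": proxy} if proxy else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    with opener.open(url, timeout=timeout) as resp:
        headers: dict[str, list[str]] = {}
        for name, value in resp.headers.items():
            headers.setdefault(name.lower(), []).append(value)
        return headers


if __name__ == "__main__":
    report = compare_captures(DIRECT_CAPTURE, VIA_FIREWALL_CAPTURE)
    for name in report["stripped"]:
        print(f"STRIPPED  {name}")
    for name, (before, after) in report["rewritten"].items():
        print(f"REWRITTEN {name}: {before} -> {after}")
```

With real captures, call `fetch_headers(url)` from a host outside the firewall (or with `proxy=` pointing at a tunnel) and `fetch_headers(url)` from inside, then pass the two maps to `stripped_headers()` and `rewritten_headers()`; anything that shows up there is the firewall's doing, not the site's.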



Nice.

I'm just the victim. Whenever I suspect the firewall to be the cause of a problem I use a proxy via an ssh tunnel. As long as it's not forbidden for me to actually solve problems.

The list of software that isn't usable behind a WatchGuard firewall (and maybe similar enterprise firewalls) is getting longer and longer. No Google fonts, no Drupal, no ShopWare 5.2, JIRA barely usable, etc.


I'm sure I can find plenty of examples just by searching (and I'll do that in just a moment) but do you happen to have a list of these issues that you've encountered that can be attributed to WatchGuard firewalls?

I am (primarily) a network engineer and such a list would be wonderful to have when recommending for or against specific products.


Cisco ASA firewalls perform "application inspection" (enabled by default) that breaks EDNS0, (SMTP) STARTTLS, and others.
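To tell whether an inspecting firewall is the reason STARTTLS disappears, EHLO the mail server from inside and from outside the firewall and compare what it advertises. The script below is an added example, not the commenter's code and not Cisco's; both EHLO replies are constructed samples, and the masked reply only illustrates the general shape of an inspector rewriting the extension list (how a given product rewrites it is not something this page states). `probe_starttls()` does the same check against a live server.

```python
"""Check whether STARTTLS survives the path to a mail server.

Offline part: parse EHLO replies (constructed samples below).
Live part: probe_starttls() opens a real connection with smtplib.
"""
from __future__ import annotations

import smtplib

# Constructed EHLO reply as the server itself sends it.
EHLO_DIRECT = (
    "250-mail.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250-PIPELINING\r\n"
    "250 8BITMIME\r\n"
)

# Constructed EHLO reply as a client behind an inspecting middlebox might see
# it: the STARTTLS keyword has been masked, so the client never offers TLS and
# the session silently proceeds in cleartext.
EHLO_VIA_INSPECTION = (
    "250-mail.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-XXXXXXXX\r\n"
    "250-PIPELINING\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply: str) -> tuple[int, list[str]]:
    """Split a multi-line EHLO reply into (code, [extension keywords]).

    Every line is 'NNN-EXT args' (more lines follow) or 'NNN EXT args' (final
    line).  The first line carries the server greeting, not an extension.
    """
    lines = [line for line in reply.split("\r\n") if line]
    if not lines:
        raise ValueError("empty EHLO reply")
    for line in lines:
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            raise ValueError(f"malformed EHLO line: {line!r}")
    code = int(lines[0][:3])
    if any(int(line[:3]) != code for line in lines):
        raise ValueError("mixed reply codes in EHLO reply")
    if lines[-1][3] != " ":
        raise ValueError("EHLO reply has no terminating line")
    exts = [line[4:].split(" ", 1)[0].upper() for line in lines[1:]]
    return code, exts


def offers_starttls(reply: str) -> bool:
    """True when the reply is a successful EHLO that advertises STARTTLS."""
    code, exts = parse_ehlo(reply)
    return code == 250 and "STARTTLS" in exts


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check: EHLO the server and report whether STARTTLS was advertised.

    Run it once from inside the firewall and once from outside (or over a
    tunnel); a False/True split points at the middlebox, not the mail server.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        return code == 250 and smtp.has_extn("starttls")


if __name__ == "__main__":
    print("direct  :", offers_starttls(EHLO_DIRECT))
    print("inspected:", offers_starttls(EHLO_VIA_INSPECTION))
```

The same inside-versus-outside comparison works for the EDNS0 case in the comment: send a query with an OPT record from both vantage points and see whether the answer still carries one.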



