TLS is firewalled at SSL Labs

PeterUK
edited April 2021 in Security

I would like to ask what my USG/ZyWALL is doing to make the TLS test at https://www.ssllabs.com/ssltest/viewMyClient.html show as firewalled.

This is my PC to modem

This is my PC through USG/ZyWALL


All Replies

  • Zyxel_Emily (Zyxel Employee)

    Hi @PeterUK,

    I didn’t get the result “Firewalled” when connecting PC to USG’s LAN.

    The USG is running with the default configuration file.


    Can you share the screen shot of the settings in CONFIGURATION > Security Policy > Policy Control with us?

    Besides, are there any blocked logs for any UTM services?

  • PeterUK
    edited December 2019

    I'm running the PC through a bridged ZyWALL 110 as the firewall and then through a bridged ZyXEL VPN300 as the QoS (even with the bug of going over the egress limit, but that's another bug).

    I can get to any HTTPS site fine even with the SSL labs saying firewalled.

    I have under 100 rules on the ZyWALL 110 and allow TCP port 443, and I don't have any of the UTM services enabled.


  • PeterUK
    edited January 2020

    Was this ever solved?

    When testing at SSL Labs

    https://www.ssllabs.com/ssltest/viewMyClient.html

    With USG40 V4.35(AALA.2):

    Bridged PC to internet shows as firewalled, but the connection to SSL Labs is fine.

    SNAT PC to internet shows "user agent has good protocol support".


    With USG60 V4.35(AAKY.2):

    Bridged PC to internet shows as firewalled, but the connection to SSL Labs is fine.


    With ZyWALL 110 V4.35(AAAA.0)ITS-WK46-r90773:

    Bridged PC to internet shows as firewalled, but the connection to SSL Labs is fine.

    SNAT PC to internet shows as firewalled, but the connection to SSL Labs is fine.


    With ZyXEL VPN300 V4.35(ABFC.0)ITS-WK47-2020-01-02-1912000979D:

    Bridged PC to internet shows "user agent has good protocol support".

    SNAT cellular PC to internet shows "user agent has good protocol support".

  • [Deleted User] (Zyxel Employee)
    edited January 2020

    Hello @PeterUK,

    I am testing this right now with my USG40W (Firmware 4.35 patch 2, Weekly 01).

    When my client is connected to a port where a "LAN-to-WAN: Any service allowed" security policy applies, I get "Good protocol support" as a result.

    When my client is connected to a port with DMZ role where the default security policy "DMZ-to-WAN: any service allowed" applies, I get "Good protocol support" as a result.


    Is there a specific reason why devices in the DMZ zone should not be allowed to send out all services into the WAN?

    I can send you a packet capture (done on my Windows 10 client, browser is Chrome) while doing the successful test so that you can see the ports in use.


    I guess there might be services missing in your DMZ-to-WAN rule.

    But instead of adding more and more allowed ports and services to the DMZ-To-WAN rule, I guess it would be easier to use the default DMZ-To-WAN: any service allowed rule.

    Maybe you can test it for a few seconds and switch back to your old security policy.


    Best regards

    Lukas

  • PeterUK

    Port 443 for DMZ to WAN is allowed; the PC can get to any SSL site, like SSL Labs, but the test shows as firewalled when DMZ and WAN are bridged, and not when SNAT is used, on the USG40.

  • PeterUK
    edited January 2020

    Took a look at SSL Labs with Wireshark; it turns out they test the connection not only on 443 but also on ports 10200, 10300-10303 and 10444-10446, and now 8443, so this is now solved.
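The two findings above (Lukas's suggestion to compare a "443 only" DMZ-to-WAN rule against the default "any service allowed" rule, and PeterUK's Wireshark capture showing the extra ports the SSL Labs client test connects to) can be checked on paper before touching the firewall. The following is an added example, not code from the thread or from Zyxel: it models an ordered, first-match outbound policy and reports which of the captured test ports a given rule set would refuse. The `Rule`, `parse_ports`, `evaluate` and `diagnose` names and the rule model are assumptions made for illustration and simplify Zyxel's Policy Control; the port list is the one reported in the thread and should be re-verified with your own capture, since SSL Labs can change it. The verdict strings only mirror what the thread observed (any refused test port produced "Firewalled"), not SSL Labs' actual scoring logic.

```python
# Added example (not from the thread or from Zyxel): a minimal model of an
# ordered first-match outbound policy, checked against the ports the SSL Labs
# client test was seen to use. Rule/parse_ports/evaluate/diagnose are
# illustrative names, not Zyxel's API.
from dataclasses import dataclass
from typing import List, Tuple

# Ports reported in the thread from a Wireshark capture of the SSL Labs client
# test: 443 plus 10200, 10300-10303, 10444-10446 and 8443. Assumption: accurate
# for the capture date; re-verify with your own capture.
SSLLABS_TEST_PORTS = (443, 8443, 10200, 10300, 10301, 10302, 10303, 10444, 10445, 10446)

PortRanges = Tuple[Tuple[int, int], ...]


def parse_ports(spec: str) -> PortRanges:
    """Parse a spec like '443,10300-10303' into inclusive (low, high) ranges.
    'any' (or an empty string) returns an empty tuple, meaning every port."""
    spec = spec.strip().lower()
    if spec in ("", "any"):
        return ()
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
        else:
            low = high = int(part)
        if not (0 < low <= high <= 65535):
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((low, high))
    return tuple(ranges)


@dataclass(frozen=True)
class Rule:
    from_zone: str      # e.g. "DMZ", "LAN1", or "any"
    to_zone: str        # e.g. "WAN", or "any"
    proto: str          # "tcp", "udp" or "any"
    ports: PortRanges   # () means any destination port
    action: str         # "allow" or "deny"

    def matches(self, from_zone: str, to_zone: str, proto: str, port: int) -> bool:
        if self.from_zone not in ("any", from_zone) or self.to_zone not in ("any", to_zone):
            return False
        if self.proto not in ("any", proto):
            return False
        return not self.ports or any(lo <= port <= hi for lo, hi in self.ports)


def evaluate(rules: List[Rule], from_zone: str, to_zone: str, proto: str, port: int,
             default: str = "deny") -> str:
    """First matching rule wins; otherwise fall through to the default action."""
    for rule in rules:
        if rule.matches(from_zone, to_zone, proto, port):
            return rule.action
    return default


def blocked_test_ports(rules: List[Rule], from_zone: str, to_zone: str = "WAN") -> List[int]:
    """Return the SSL Labs test ports that the policy would not allow outbound (TCP)."""
    return [p for p in SSLLABS_TEST_PORTS
            if evaluate(rules, from_zone, to_zone, "tcp", p) != "allow"]


def diagnose(rules: List[Rule], from_zone: str, to_zone: str = "WAN") -> str:
    """Predict the client-test verdict from the policy alone, mirroring the thread:
    every test port reachable -> good protocol support; anything refused -> firewalled."""
    blocked = blocked_test_ports(rules, from_zone, to_zone)
    if not blocked:
        return "Good protocol support"
    return "Firewalled (blocked: %s)" % ", ".join(str(p) for p in blocked)


# Three policies from the thread, constructed for illustration.
ONLY_443 = [Rule("DMZ", "WAN", "tcp", parse_ports("443"), "allow")]      # PeterUK's rule
ANY_SERVICE = [Rule("DMZ", "WAN", "any", parse_ports("any"), "allow")]   # default DMZ-to-WAN
EXPLICIT = [Rule("DMZ", "WAN", "tcp",
                 parse_ports("443,8443,10200,10300-10303,10444-10446"), "allow")]

if __name__ == "__main__":
    for name, policy in (("only 443", ONLY_443), ("any service", ANY_SERVICE),
                         ("explicit list", EXPLICIT)):
        print(f"{name:14s}: {diagnose(policy, 'DMZ')}")
```

The "only 443" policy reproduces the thread's symptom: browsing works because 443 is open, yet nine of the ten test ports are refused, so the test reports firewalled. Either the default "any service allowed" rule or an explicit list covering the captured ports clears it; the explicit list is the least-privilege option, but it has to be revisited whenever SSL Labs adds a port (8443 was added later, per the thread). The model deliberately does not try to explain the bridge-versus-SNAT difference PeterUK saw, since the thread gives no root cause for it.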
