TLS is firewalled at SSL Labs
I would like to ask what my USG/ZyWALL is doing to make the TLS test at https://www.ssllabs.com/ssltest/viewMyClient.html show as firewalled.
This is my PC to modem
This is my PC through USG/ZyWALL
Hi @PeterUK,
I didn’t get the result “Firewalled” when connecting PC to USG’s LAN.
The USG is running with the default configuration file.
Can you share the screen shot of the settings in CONFIGURATION > Security Policy > Policy Control with us?
Besides, are there any blocked logs for any UTM services?
I'm running the PC through a bridged ZyWALL 110 as the firewall and then through a bridged ZyXEL VPN300 for QoS (even with the bug of going over the egress limit, but that's another bug).
I can get to any HTTPS site fine even with SSL Labs saying firewalled.
I have under 100 rules on the ZyWALL 110 and allow TCP port 443, and I don't have any of the UTM services enabled.
Was this ever solved?
When testing at SSL Labs (https://www.ssllabs.com/ssltest/viewMyClient.html):
With USG40 V4.35(AALA.2)
bridge PC to internet shows as firewalled, but the connection to SSL sites is fine
SNAT PC to internet shows "user agent has good protocol support"
With USG60 V4.35(AAKY.2)
bridge PC to internet shows as firewalled, but the connection to SSL sites is fine
With ZyWALL 110 V4.35(AAAA.0)ITS-WK46-r90773
bridge PC to internet shows as firewalled, but the connection to SSL sites is fine
SNAT PC to internet shows as firewalled, but the connection to SSL sites is fine
With ZyXEL VPN300 V4.35(ABFC.0)ITS-WK47-2020-01-02-1912000979D
bridge PC to internet shows "user agent has good protocol support"
SNAT cellular PC to internet shows "user agent has good protocol support"
Hello @PeterUK,
I am testing this right now with my USG40W (Firmware 4.35 patch 2, Weekly 01).
When my client is connected to a port where a "LAN-to-WAN: Any service allowed" security policy applies, I get "Good protocol support" as a result.
When my client is connected to a port with DMZ role where the default security policy "DMZ-to-WAN: any service allowed" applies, I get "Good protocol support" as a result.
Is there a specific reason why devices in the DMZ zone should not be allowed to send out all services into the WAN?
I can send you a packet capture (done on my Windows 10 client, browser is Chrome) while doing the successful test so that you can see the ports in use.
I guess there might be services missing in your DMZ-to-WAN rule.
But instead of adding more and more allowed ports and services to the DMZ-to-WAN rule, I guess it would be easier to use the default "DMZ-to-WAN: any service allowed" rule.
Maybe you can test it for a few seconds and switch back to your old security policy.
Best regards
Lukas
Port 443 for DMZ to WAN is allowed; the PC can get to any SSL site, like SSL Labs, but the test shows as firewalled when DMZ and WAN are bridged, and not with SNAT, on the USG40.
Took a look at SSL Labs in Wireshark; it turns out they test the connection not only on 443 but also on ports 10200, 10300-10303 and 10444-10446, and now 8443, so this is now solved.
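The last post explains the "Firewalled" verdict: the SSL Labs client test opens TLS connections on several non-standard TCP ports in addition to 443, so a policy that only allows 443 outbound passes normal browsing but fails the test. The script below is an added example, not part of the original thread or any Zyxel tool. It expands the port list quoted in the thread, attempts a plain TCP handshake to each port, and reports which ones are blocked, so the missing ports can be added to the DMZ-to-WAN rule. The default host www.ssllabs.com and the assumption that all the auxiliary ports are served by that same host are assumptions; override with --host if the test servers differ. The connect function is injectable so the logic can be exercised offline.

```python
#!/usr/bin/env python3
"""Outbound port check for the SSL Labs client test (added example, not Zyxel's code)."""
import argparse
import socket
from typing import Callable, Dict, Iterable, List

# Ports seen in the thread's Wireshark capture of the SSL Labs client test.
SSLLABS_PORT_SPEC = "443,8443,10200,10300-10303,10444-10446"

# Assumed target host; the thread does not say which host serves the extra ports.
DEFAULT_HOST = "www.ssllabs.com"


def expand_ports(spec: str) -> List[int]:
    """Expand '443,10300-10303' into a sorted, de-duplicated port list."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi or lo < 1 or hi > 65535:
                raise ValueError(f"bad port range: {item}")
            ports.update(range(lo, hi + 1))
        else:
            port = int(item)
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port: {item}")
            ports.add(port)
    return sorted(ports)


def tcp_connect_ok(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP three-way handshake to host:port completes within timeout.
    A stateful firewall that drops the SYN shows up here as a timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host: str, ports: Iterable[int],
                connect: Callable[[str, int], bool] = tcp_connect_ok) -> Dict[int, bool]:
    """Map each port to whether an outbound connection succeeded."""
    return {port: connect(host, port) for port in ports}


def blocked_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that did not accept a connection."""
    return sorted(port for port, ok in results.items() if not ok)


def verdict(results: Dict[int, bool]) -> str:
    """'no-https' if 443 itself is blocked, 'firewalled' if only the auxiliary
    ports are (the thread's symptom: browsing works, test fails), else 'good'."""
    if results.get(443) is False:
        return "no-https"
    return "firewalled" if blocked_ports(results) else "good"


def main() -> None:
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("--host", default=DEFAULT_HOST)
    parser.add_argument("--ports", default=SSLLABS_PORT_SPEC)
    parser.add_argument("--timeout", type=float, default=3.0)
    args = parser.parse_args()

    ports = expand_ports(args.ports)
    results = check_ports(args.host, ports,
                          lambda h, p: tcp_connect_ok(h, p, args.timeout))
    for port in ports:
        print(f"{args.host}:{port:<6} {'open' if results[port] else 'BLOCKED'}")
    print(f"verdict: {verdict(results)}")
    if blocked_ports(results):
        print("add these TCP ports to the outbound (e.g. DMZ-to-WAN) policy:",
              ", ".join(str(p) for p in blocked_ports(results)))


if __name__ == "__main__":
    main()
```

Run it from the host behind the bridged firewall: a "BLOCKED" line with verdict "firewalled" while 443 is open reproduces the SSL Labs result and lists exactly the ports the policy is missing. A connect failure here only proves the SYN did not get through; it does not say whether the firewall, an upstream device or the remote host dropped it, so compare against a run from outside the firewall before changing rules.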