TLS is firewalled at SSL Labs

PeterUK
PeterUK Posts: 3,331  Guru Member
edited April 2021 in Security

I would like to ask what my USG/ZyWALL is doing to make the TLS test at https://www.ssllabs.com/ssltest/viewMyClient.html show as firewalled.

This is my PC to modem: [screenshot]

This is my PC through USG/ZyWALL: [screenshot]


All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,385  Zyxel Employee

    Hi @PeterUK,

    I didn’t get the result “Firewalled” when connecting PC to USG’s LAN.

    The USG is running with the default configuration file.


    Can you share the screen shot of the settings in CONFIGURATION > Security Policy > Policy Control with us?

    Besides, are there any blocked logs for any UTM services?

  • PeterUK
    PeterUK Posts: 3,331  Guru Member
    edited December 2019

    I'm running the PC through a bridged ZyWALL 110 as the firewall and then a bridged ZyXEL VPN300 as the QoS (even with the bug of going over the egress limit, but that's another bug).

    I can get to any HTTPS site fine even with SSL Labs saying firewalled.

    I have under 100 rules on the ZyWALL 110 and allow TCP port 443, and I don't have any of the UTM services enabled.


  • PeterUK
    PeterUK Posts: 3,331  Guru Member
    edited January 2020

    Was this ever solved?

    When testing at SSL Labs

    https://www.ssllabs.com/ssltest/viewMyClient.html

    With USG40 V4.35(AALA.2)

    bridge PC to internet shows as firewalled but connection is fine to SSL

    SNAT PC to internet shows user agent has good protocol support


    With USG60 V4.35(AAKY.2)

    bridge PC to internet shows as firewalled but connection is fine to SSL


    With ZyWALL 110 V4.35(AAAA.0)ITS-WK46-r90773

    bridge PC to internet shows as firewalled but connection is fine to SSL

    SNAT PC to internet shows as firewalled but connection is fine to SSL


    With ZyXEL VPN300 V4.35(ABFC.0)ITS-WK47-2020-01-02-1912000979D

    bridge PC to internet shows user agent has good protocol support

    SNAT Cellular PC to internet shows user agent has good protocol support

  • [Deleted User]
    [Deleted User] Posts: 213  Freshman Member
    edited January 2020

    Hello @PeterUK,

    I am testing this right now with my USG40W (Firmware 4.35 patch 2, Weekly 01).

    When my client is connected to a port where a "LAN-to-WAN: Any service allowed" security policy applies, I get "Good protocol support" as a result.

    When my client is connected to a port with DMZ role where the default security policy "DMZ-to-WAN: any service allowed" applies, I get "Good protocol support" as a result.


    Is there a specific reason why devices in the DMZ zone should not be allowed to send out all services into the WAN?

    I can send you a packet capture (done on my Windows 10 client, browser is Chrome) while doing the successful test so that you can see the ports in use.


    I guess there might be services missing in your DMZ-to-WAN rule.

    But instead of adding more and more allowed ports and services to the DMZ-To-WAN rule, I guess it would be easier to use the default DMZ-To-WAN: any service allowed rule.

    Maybe you can test it for a few seconds and switch back to your old security policy.


    Best regards

    Lukas

  • PeterUK
    PeterUK Posts: 3,331  Guru Member

    Port 443 for DMZ to WAN is allowed; the PC can get to any SSL site like SSL Labs, but the test shows as firewalled when DMZ and WAN are bridged, but not with SNAT, on the USG40.

  • PeterUK
    PeterUK Posts: 3,331  Guru Member
    edited January 2020

    Took a look at SSL Labs with Wireshark; turns out they test the connection not only on 443 but also on ports 10200, 10300-10303 and 10444-10446, and now 8443, so this is now solved.
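The diagnostic in the last post, as an added example that is not part of the original thread: the SSL Labs client test opens extra TCP connections on non-443 ports, so an outbound policy that permits only TCP/443 lets every normal HTTPS site work while the test still reports "Firewalled". The script below takes a tshark-style capture of the browser's outbound SYNs (a constructed sample here; the server address 203.0.113.10 is a documentation-range placeholder, not SSL Labs' real address), lists the distinct ports the test contacted, compares them against a 443-only allow rule, and also offers a live TCP-connect probe for checking a policy from behind the firewall. The port list is the one reported in the thread; whether SSL Labs still uses exactly those ports today is not something this code asserts.

```python
"""Find which SSL Labs client-test ports an outbound firewall rule would block.

Added example, not code from the thread or from Zyxel. The capture below is a
constructed sample in the shape of:
  tshark -r client.pcap -Y "tcp.flags.syn==1" \
         -T fields -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack
"""
import re
import socket
from collections import Counter

# Ports the thread reports the viewMyClient.html test connecting to, besides 443.
SSLLABS_TEST_PORTS = sorted({443, 8443, 10200, *range(10300, 10304), *range(10444, 10447)})

# Constructed sample capture: 203.0.113.10 stands in for the SSL Labs test host,
# 192.0.2.5 for the client. The last line is the server's SYN-ACK coming back.
SAMPLE_CAPTURE = """\
203.0.113.10\t443\t1\t0
203.0.113.10\t443\t1\t0
203.0.113.10\t8443\t1\t0
203.0.113.10\t10200\t1\t0
203.0.113.10\t10300\t1\t0
203.0.113.10\t10301\t1\t0
203.0.113.10\t10302\t1\t0
203.0.113.10\t10303\t1\t0
203.0.113.10\t10444\t1\t0
203.0.113.10\t10445\t1\t0
203.0.113.10\t10446\t1\t0
192.0.2.5\t51234\t1\t1
"""

LINE_RE = re.compile(r"^(?P<dst>\S+)\t(?P<port>\d+)\t(?P<syn>[01])\t(?P<ack>[01])$")


def syn_ports_from_capture(text, server):
    """Count destination ports the client sent a bare SYN (connection attempt) to `server`."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dst"] != server:
            continue
        if m["syn"] == "1" and m["ack"] == "0":  # outbound SYN only, ignore SYN-ACK replies
            counts[int(m["port"])] += 1
    return counts


def classify_against_policy(ports, allowed_ports):
    """Split contacted ports into those an outbound allow-list permits and those it drops."""
    allowed = sorted(p for p in ports if p in allowed_ports)
    blocked = sorted(p for p in ports if p not in allowed_ports)
    return allowed, blocked


def probe_ports(host, ports, timeout=2.0):
    """TCP-connect to each port. False means refused, dropped or timed out, i.e. 'firewalled'."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results


if __name__ == "__main__":
    seen = syn_ports_from_capture(SAMPLE_CAPTURE, "203.0.113.10")
    # The policy described in the thread: TCP/443 outbound only.
    allowed, blocked = classify_against_policy(seen, {443})
    print("ports the test contacted:", sorted(seen))
    print("allowed by a 443-only rule:", allowed)
    print("would be blocked (test reports Firewalled):", blocked)
```

To run the live probe against the real test host, resolve the hostname shown in your own capture and call `probe_ports(host, SSLLABS_TEST_PORTS)` from the client behind the firewall; any port returning False is one the outbound policy needs to allow (or, if you choose not to allow it, the reason the test will keep saying "Firewalled" even though ordinary HTTPS works).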
