USG110 Content Filter - SSLv3 drops not being logged

USG_User
USG_User Posts: 374  Master Member
5 Answers First Comment Friend Collector Sixth Anniversary
edited April 2021 in Security
Yesterday we searched the whole afternoon to discover why a client/server HTTPS connection could not be established outbound from our company LAN over port 443, while the same connection works via mobile network.
Only when switching off the entire Policy Control does it work. But the log was showing nothing in this regard, no drops etc., although all profiles are switched on for logging. Finally it turned out that the UTM Content Filter was the guilty one. It seems that the affected client software is using an obsolete SSLv2 or v3 version, and that's why the USG dropped the connection attempt, because the USG option "Drop connection when HTTPS connection with SSL V3 or previous version" was checked.
So far so good. But such a drop has to be reported within the log as well, doesn't it!?

All Replies

  • chandan
    chandan Posts: 72  Ally Member
    First Comment Friend Collector Second Anniversary
    Definitely.
    What is your firmware version?
    Can you please try the same check after upgrading to the latest firmware version (currently v4.62)?
  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    We are presently on 4.60 (AAPH.1). We weren't aware of another firmware update to 4.62 :o This was not officially announced until now.
    But regarding the Log issue I will wait for any response from Zyxel here.
  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    Same behaviour with v4.62.
    No log entry about the connection drop with SSLv2 or v3.
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,249  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    Hi @USG_User


    Could you describe your test method more specifically?

    What kind of website do you navigate to? And which browser and version did you use?

    Thanks.



    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    Hi Jeff,
    We have to use a stand-alone client software provided by a service provider to upload data onto a cloud database server. This client software establishes an SSL-encrypted connection via port 443 and works fine via mobile network but not from our company LAN via USG110.

    Our USG has a security policy rule for general website access. It includes outbound ports 80, 8080 and 443 and enables these port connections from LAN1 to WAN. Additionally, a UTM Content Filter profile has been assigned to that security policy rule.
    The general profile settings of the UTM Content Filter contain a checkbox "Drop connection when HTTPS connection with SSL V3 or previous version". This is activated with us to protect us from unsafe encrypted connections.

    When unchecking this "SSL V3" checkbox, the connection to the cloud database server succeeds and the client software shows the login screen as expected. But with the checkbox activated the client software is searching and searching and finally presents only a proxy settings window for alternative connection settings, since it doesn't find the server directly.

    But the USG log doesn't show this connection attempt drop due to an obsolete SSL method. After discovering it, we've informed the service provider to check the implemented SSL version of its client software, but unfortunately no reaction until now.

    From our point of view, and in case the client is really using an obsolete SSL implementation, the USG works correctly when dropping this connection attempt. That's why we only claim the missing log entry about this connection drop.

    Jeff, I could provide you with the software client via PM. Then you could countercheck it in your test environment. Login credentials need not be disclosed for that test. The aim is only to reach the login screen or to generate a USG log entry.
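    As an added illustration (not code from the thread, from Zyxel, or from the client software discussed), the check below does on the first bytes of a client handshake what the "Drop connection when HTTPS connection with SSL V3 or previous version" checkbox does, and then emits the kind of log line this thread asks for. The sample handshakes and the log format are constructed for the example.

```python
VERSION_NAMES = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2/1.3"}

def classify_client_hello(data: bytes) -> dict:
    """Inspect the first bytes a client sends on port 443 and decide, like the
    USG checkbox, whether it is an SSLv3-or-older handshake that must be dropped."""
    # SSLv2 record layout: 2-byte length with the high bit set, then msg_type 0x01
    # (CLIENT-HELLO) followed by the 2-byte client version.
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        version = (data[3], data[4])
        fmt = "SSLv2 record"
    # SSLv3/TLS record layout: content type 0x16 (handshake), 2-byte record
    # version, 2-byte length, then handshake type 0x01 (ClientHello), a 3-byte
    # length and the 2-byte client_version at offset 9.
    elif len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        version = (data[9], data[10])
        fmt = "TLS record"
    else:
        return {"format": "not a ClientHello", "version": None, "drop": False}
    # The USG policy in the thread: drop "SSL V3 or previous version".
    return {"format": fmt, "version": version, "drop": version <= (3, 0)}

def log_line(src: str, dst: str, data: bytes) -> str:
    """Build a syslog-style line for the verdict (constructed format, not Zyxel's)."""
    v = classify_client_hello(data)
    name = VERSION_NAMES.get(v["version"], "unknown")
    action = "drop" if v["drop"] else "allow"
    return (f"content-filter src={src} dst={dst}:443 hello={v['format']} "
            f"client_version={name} action={action}")

# Constructed sample handshakes (not captures from the thread's client software).
def _tls_hello(major: int, minor: int) -> bytes:
    # client_version, 32-byte random, empty session id, one cipher suite, null compression
    body = bytes([major, minor]) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes([major, minor]) + len(hs).to_bytes(2, "big") + hs

# SSLv2 CLIENT-HELLO: version 0.2, one cipher spec, no session id, 16-byte challenge
SSLV2_HELLO = bytes.fromhex("801c0100020003000000100100800102030405060708090a0b0c0d0e0f10")
SSLV3_HELLO = _tls_hello(3, 0)
TLS12_HELLO = _tls_hello(3, 3)

if __name__ == "__main__":
    for sample in (SSLV2_HELLO, SSLV3_HELLO, TLS12_HELLO):
        print(log_line("192.0.2.10", "203.0.113.5", sample))
```

    Running it prints one line per sample; the first two are the drops the USG currently performs silently.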
  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    Jeff, are you interested?
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,249  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    Hi @USG_User

    I will send a private message to you.

    Thanks for your kind reminder.

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,249  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary
    Answer ✓

    Currently, we won’t show any log about "Drop connection when HTTPS connection with SSL V3 or previous version".
    We will put this suggestion into our future development evaluation.
    Thanks.

  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    Thanks for your effort. This is appreciated.
    Yes, please consider such log entries for future development. We spent a lot of time discovering the reason for the connection failure.