USG110 Content Filter - SSLv3 drops not being logged
Yesterday we have searched the whole afternoon to discover why a client/server https connection could not be established outbound from our company LAN over port 443, while the same connection works via mobile network.
Only when switching off the entire Policy Control, it works. But the log was showing nothing in this regard, no drops etc., although all profiles are switched on for logging. Finally it has been turned out that the UTM Content Filter was the guilty one. It seems that the affected client software is using an obsolete SSLv2 or3 Version and that's why the USG has dropped the connection attempt because the USG option "Drop connection when HTTPS connection with SSL V3 or previous version" was checked.
So far so good. But such a drop has to be reported within the log as well, isn't it!?
0
Accepted Solution
-
Hi @USG_UserCurrently, we won’t show any log about "Drop connection when HTTPS connection with SSL V3 or previous version".We will put this suggestion into our future development evaluation.Thanks.
See how you've made an impact in Zyxel Community this year!
0
All Replies
-
Definitely.
What is your firmware version?
Can you please try the same check after upgrading to the latest firmware version, (currently v4.62).0 -
We are presently on 4.60 (AAPH.1). Didn't aware about another firmware update to 4.62 This was not officially announced until now.But regarding the Log issue I will wait for any response from Zyxel here.0
-
Same behaviour wth v4.62.No log entry about the connection drop with SSLv2 or v3.0
-
Hi @USG_User
Could you describe more specifically about your test method?
What kind of website do you navigate? And the browser, its version you used?
Thanks.
See how you've made an impact in Zyxel Community this year!
0 -
Hi Jeff,We have to use a stand-alone client software provided by a service provider to upload data onto a cloud database server. This client software is establishing a SSL encrypted connection via port 443 and works fine via mobile network but not from our company LAN via USG110.Our USG has a security policy rule for general website accesses. It includes outbound ports 80, 8080 and 443 and enables these port connections from LAN1 to WAN. Additionally an UTM Content Filter profile has been assigned to that security policy rule.The general profile settings of the UTM Content Filter contains a checkbox "Drop connection when HTTPS connection with SSL V3 or previous version". This is activated with us to protect us from unsafe encrypted connections.When unchecking this "SSL V3" checkbox, the connection to the cloud database server succeeded and the client software is showing the login screen as expected. But with activated checkbox the client software is searching and searching and finally presents only a proxy settings window for alternative connection settings since it doesn't find the server directly.But the USG log doesn't show this connection attempt drop due to an obsolete SSL method. After discovering it, we've informed the service provide to check the implemented SSL version of its client software, but unfortunately no reaction until now.From our point of view and in case the client is really using an obsolete SSL implementation, the USG works correct when dropping this connection attempt. That's why we only claim the missing Log entry about this connection drop.Jeff, I could provide you with the software client via PM. Then you could countercheck it in your test environment. Login credentials need not to be disclosed for that test. The aim is to reach the login screen only or to generate a USG Log entry.0
-
Jeff, are you interested in?
0 -
See how you've made an impact in Zyxel Community this year!
0 -
Hi @USG_UserCurrently, we won’t show any log about "Drop connection when HTTPS connection with SSL V3 or previous version".We will put this suggestion into our future development evaluation.Thanks.
See how you've made an impact in Zyxel Community this year!
0 -
Thanks for your effort. This is appreciated.Yes, please consider such log entries for future development. We spent a lot of time with discovering the reason for the connection fail.1
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight