I am having problems allowing traffic through to some printer mgmt software our new supplier needs us to use. He said I need to open up port 443 to https traffic and be able to reach the following websites
I get the following message in the logs regarding this traffic.
2012-03-01 09:51:12 -0600 f_http_proxy a_aclquery t_attack p_major
pid: 67147 logid: 0 cmd: 'httpp' hostname: nocgate1.humdev.com
category: policy_violation event: ACL deny attackip: 10.128.104.182
attackzone: internal application: <Unknown TCP> srcip: 10.128.104.182
srcport: 54174 srczone: internal protocol: 6 dst_geo: JP
dstip: 188.8.131.52 dstport: 443 dstzone: external rule_name: Deny All
cache_hit: 1 ssl_name: Exempt All reason: Traffic denied by policy.
I can't figure out why deny all is stopping this. I can't ping the IP above either. I know it is located in Japan but I don't have that geoblocked. I get another IP referenced in the logs regarding trying to get to these websites and it is 184.108.40.206. I'm stumped. I've had to open up several non-standard TCP ports in the past 6 months but this doesn't reference that. 443 should be open already. Any suggestions are greatly appreciated. Thanks in advance for your help. JK
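The audit record above is in the firewall's "key: value" layout, with several values that contain spaces ("ACL deny", "<Unknown TCP>", "Deny All"). The following is an added example, not part of the original post, that parses records of that shape and picks out the exact symptom described: a deny on TCP/443 that landed on the "Deny All" rule with no recognised application. The second and third records are constructed for contrast and are not from the thread.

```python
import re
from typing import Dict, List

# Constructed sample log. The first record is the denied flow from the post, joined
# onto one line; the other two are made up here (an allowed TLS flow and a deny on an
# unrelated port) so the filter has something to reject.
SAMPLE_LOG = [
    "2012-03-01 09:51:12 -0600 f_http_proxy a_aclquery t_attack p_major "
    "pid: 67147 logid: 0 cmd: 'httpp' hostname: nocgate1.humdev.com "
    "category: policy_violation event: ACL deny attackip: 10.128.104.182 "
    "attackzone: internal application: <Unknown TCP> srcip: 10.128.104.182 "
    "srcport: 54174 srczone: internal protocol: 6 dst_geo: JP "
    "dstip: 188.8.131.52 dstport: 443 dstzone: external rule_name: Deny All "
    "cache_hit: 1 ssl_name: Exempt All reason: Traffic denied by policy.",
    "2012-03-01 09:52:40 -0600 f_http_proxy a_aclquery t_acl_allow p_minor "
    "pid: 67147 logid: 0 cmd: 'httpp' hostname: nocgate1.humdev.com "
    "category: policy_allow event: ACL allow application: SSL/TLS "
    "srcip: 10.128.104.182 srcport: 54190 srczone: internal protocol: 6 "
    "dstip: 192.0.2.10 dstport: 443 dstzone: external rule_name: Allow HTTPS "
    "cache_hit: 0 ssl_name: Exempt All reason: Traffic allowed by policy.",
    "2012-03-01 09:53:05 -0600 f_http_proxy a_aclquery t_attack p_major "
    "pid: 67147 logid: 0 cmd: 'httpp' hostname: nocgate1.humdev.com "
    "category: policy_violation event: ACL deny application: <Unknown TCP> "
    "srcip: 10.128.104.200 srcport: 40001 srczone: internal protocol: 6 "
    "dstip: 198.51.100.7 dstport: 9100 dstzone: external rule_name: Deny All "
    "cache_hit: 1 reason: Traffic denied by policy.",
]

# A field is "name: value" where the value runs up to the next "name: " or end of line.
# The timestamp "09:51:12" has no space after its colons, so it is not mistaken for a key.
FIELD_RE = re.compile(r"(\w+): (.*?)(?=\s\w+: |$)")


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a dict; the untagged header tokens go under
    'timestamp' (date, time, zone) and 'tags' (facility/area/type/priority)."""
    first = FIELD_RE.search(line)
    if first is None:
        raise ValueError("no key: value fields found")
    head = line[: first.start()].split()
    rec: Dict[str, str] = {key: value for key, value in FIELD_RE.findall(line)}
    rec["timestamp"] = " ".join(head[:3])
    rec["tags"] = " ".join(head[3:])
    return rec


def is_port443_fallthrough(rec: Dict[str, str]) -> bool:
    """True for the symptom in the thread: TCP/443 denied by the catch-all rule while the
    proxy could not classify the application (so no application-based allow rule matched)."""
    return (
        rec.get("event") == "ACL deny"
        and rec.get("protocol") == "6"
        and rec.get("dstport") == "443"
        and rec.get("application", "").startswith("<Unknown")
        and rec.get("rule_name") == "Deny All"
    )


def find_port443_fallthroughs(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed records that show 443 traffic falling through to Deny All."""
    return [rec for rec in map(parse_record, lines) if is_port443_fallthrough(rec)]


if __name__ == "__main__":
    for rec in find_port443_fallthroughs(SAMPLE_LOG):
        print(rec["timestamp"], rec["srcip"], "->", rec["dstip"], rec["application"], rec["rule_name"])
```

Run it over the exported audit log instead of SAMPLE_LOG and the distinct dstip values it prints are the destinations a port-based allow rule would have to cover.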
Instead of using the SSL/TLS (HTTPS) application in your rule, try creating a custom application on TCP port 443 and use that in your rule. That should work.
This traffic is probably not matching HTTPS and falling through that rule, hitting the Deny All rule. If you make a new rule with this custom 443 application and put it below your current HTTPS rule the traffic should work (because it will fall through one rule and hit the other).
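The rule-ordering argument in this answer can be shown with a small first-match model. This is an added example and not the firewall's code: the application identifiers are assumptions (the model says the SSL/TLS application only matches once a TLS handshake record is seen in the client's first bytes, while a custom TCP/443 application matches on port alone), and the rule names are made up.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Flow:
    dstport: int
    proto: str = "tcp"
    payload: bytes = b""  # first bytes the client sent; empty if nothing identifiable yet


@dataclass
class Rule:
    name: str
    action: str               # "allow" or "deny"
    app: Optional[str] = None  # None means the rule matches any application


# Modelled application identification (assumption; the product's real signatures are
# not on the page). "SSL/TLS" wants a TLS record header: content type 0x16 (handshake)
# followed by major version 0x03. The custom application only checks proto and port.
APP_SIGNATURES: Dict[str, Callable[[Flow], bool]] = {
    "SSL/TLS": lambda f: f.proto == "tcp" and f.dstport == 443 and f.payload[:2] == b"\x16\x03",
    "TCP/443 custom": lambda f: f.proto == "tcp" and f.dstport == 443,
}


def identify_apps(flow: Flow) -> List[str]:
    """Every application name whose signature the flow satisfies."""
    return [name for name, sig in APP_SIGNATURES.items() if sig(flow)]


def evaluate(rules: List[Rule], flow: Flow) -> Rule:
    """First-match evaluation: walk the list top to bottom and return the first rule whose
    application constraint the flow meets. The last rule is expected to be a catch-all."""
    apps = identify_apps(flow)
    for rule in rules:
        if rule.app is None or rule.app in apps:
            return rule
    raise ValueError("rule set has no catch-all rule")


# The poster's current policy: an SSL/TLS application rule, then Deny All.
ORIGINAL_RULES = [Rule("Allow HTTPS", "allow", app="SSL/TLS"), Rule("Deny All", "deny")]
# The suggested fix: a custom TCP/443 application rule placed below the HTTPS rule,
# so TLS still matches the first rule and only the unidentified flows reach the new one.
FIXED_RULES = [ORIGINAL_RULES[0], Rule("Allow TCP 443", "allow", app="TCP/443 custom"), ORIGINAL_RULES[1]]

# Constructed flows: a TLS ClientHello prefix, and a port-443 flow with nothing identifiable.
TLS_FLOW = Flow(443, payload=b"\x16\x03\x01\x00\xc8\x01\x00")
OPAQUE_FLOW = Flow(443, payload=b"")

if __name__ == "__main__":
    for label, flow in (("TLS ClientHello", TLS_FLOW), ("opaque TCP/443", OPAQUE_FLOW)):
        print(f"{label}: original -> {evaluate(ORIGINAL_RULES, flow).name}, "
              f"with custom rule -> {evaluate(FIXED_RULES, flow).name}")
```

With the original list the opaque flow reaches Deny All, which is the log entry in the question; with the custom rule added below the HTTPS rule it is allowed, and real TLS traffic still matches the HTTPS rule first, so the tighter application rule keeps doing its work.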
Thanks for the response. I set up a custom app by choosing tcp/udp and specifying port 443. I did not select the "other" bullet. I selected ANY for endpts and that didn't work. I then selected the IPs in question for endpts and that didn't work. I set up subnets in defense bypass and selected them as endpts but that didn't work. I have a 'generic' ssl/tls rule set up upstream of this 443 rule with ANY as endpts. Still stumped... I appreciate your info though. Thanks. JK
I tested these sites with a 443 packet filter application and looked at tcpdumps:
- This site did not respond to my SYN requests. The connection timed out.
- This site FINed my connection
The firewall never blocked anything or threw any errors. The first site timed out and the second site refused my connection.
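The two outcomes seen in the tcpdumps (no SYN-ACK at all, versus a connection that is accepted and then closed by the far end) are worth telling apart from a plain "refused", because each points at a different place. The following is an added example, not from the original posts, that classifies a TCP connect attempt into those cases; the local listener is a constructed stand-in for the second site, and no real hosts are contacted.

```python
import socket
import threading


def classify_tcp_connect(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP connection and report what the far end did:
    'timeout'        - no SYN-ACK within the timeout (SYN dropped on the path or at the host)
    'refused'        - RST to our SYN (host reachable, nothing listening on the port)
    'unreachable'    - the OS could not route the packet at all
    'closed-by-peer' - connect succeeded, then the peer closed (FIN) without sending data
    'open'           - connect succeeded and the peer is waiting (normal for a TLS server,
                       which expects our ClientHello first)"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(1)
            except socket.timeout:
                return "open"
            return "closed-by-peer" if data == b"" else "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"


def start_fin_listener() -> int:
    """Constructed stand-in for the second site: accept one connection and close it
    immediately. Returns the loopback port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        conn.close()   # FIN straight after the handshake, no data
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_loopback_port() -> int:
    """Pick a loopback port with no listener, so a connect to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("accept-then-FIN listener:", classify_tcp_connect("127.0.0.1", start_fin_listener(), 2.0))
    print("nothing listening:      ", classify_tcp_connect("127.0.0.1", unused_loopback_port(), 2.0))
```

Run classify_tcp_connect against the supplier's hosts from a machine outside the firewall as well as inside: if both sides report "timeout" or "closed-by-peer" while the firewall logs show no deny, the filtering is happening at the far end, which is the conclusion this post reaches.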
Very interesting. Again, thanks for the help. Apparently there is something amiss with these websites. In fact I suspect there is a chance they may be controlling access to these sites on their end. I tried to get to them over lunch from outside the firewall and still no luck.