Arshad
Level 7
Message 1 of 6

UNKNOWN TCP error, DENY ALL rule blocking port 443 traffic

I have allowed SSL in a specific rule to a set of destination IPs. My user's request is hitting one of my allowed destination IPs, 216.193.216.159, but the audit says Unknown TCP and my user gets blackholed at that time.

2012-06-19 08:16:58 +0500 f_http_proxy a_aclquery t_attack p_major
pid: 1610 logid: 0 cmd: 'httpp' hostname: mblfw02.meezanbank.com
category: policy_violation event: ACL deny attackip: 172.30.1.187
attackzone: internal application: <Unknown TCP> srcip: 172.30.1.187
srcport: 55398 srczone: internal protocol: 6 dst_geo: US
dstip: 216.193.216.159 dstport: 443 dstzone: external rule_name: Deny All
cache_hit: 1 reason: Traffic denied by policy.

Port 443 is allowed through the non-transparent HTTP proxy in the Connection tab of the Application Defense, though. What is the issue?

5 Replies
mtuma
Level 13
Message 2 of 6

Re: UNKNOWN TCP error, DENY ALL rule blocking port 443 traffic

Hello,

Whenever I see <Unknown TCP> in the audit, it usually means that the firewall did not see enough of the traffic to identify it as HTTPS (or whatever application it is). This might come up if the client or server closes the connection too early. Tcpdumps would allow us to see this.

I would contact support, however, because the way the firewall is auditing this is causing your clients to be blackholed.

-Matt

Arshad
Level 7
Message 3 of 6

Re: UNKNOWN TCP error, DENY ALL rule blocking port 443 traffic

Dear Ahmed Eissa,

Yes, this issue occurred randomly while accessing the Western Union money transfer application.

Thanks

Re: UNKNOWN TCP error, DENY ALL rule blocking port 443 traffic

Dear Arshad,

First try installing the Sidewinder certificate on the host machine and try using SSL again. Also, I know that McAfee made a new patch for this scenario; contact your support.

I think the solution for this error is to create a new SSL rule that does no decryption when the destination is the Western Union host.

It worked for me; I think McAfee had a small issue with some applications that use 443.

Message was edited by: ahmed.eissa on 2012/06/28 1:06:09 AM

Re: UNKNOWN TCP error, DENY ALL rule blocking port 443 traffic

SSL decrypt and re-encrypt acts as a man in the middle, so every packet has to be inspected to know what traffic is inside it.

In this case the SSL inspection can't detect what traffic (application) is encrypted inside the SSL.

Did you get this alert with regular browsing or with an application?

sliedl
Level 14
Message 6 of 6

Re: UNKNOWN TCP error, DENY ALL rule blocking port 443 traffic

You can get the same message yourself by doing this:

- Find the IP of gmail.com:

$> dig gmail.com

- On your PC, open the Command Prompt and telnet to that IP on port 443:

$> telnet 173.194.64.83 443

- It should sit there waiting for your input. Hit a letter key.

- It will close and you'll see the audit:

2012-06-27 15:01:54 -0500 f_http_proxy a_aclquery t_attack p_major
pid: 2409 logid: 0 cmd: 'httpp' hostname: sw8.fwdomain.com
category: policy_violation event: ACL deny attackip: 10.11.1.2
attackzone: internal application: <Unknown TCP> srcip: 10.11.1.2 srcport: 3756
srczone: internal protocol: 6 dstip: 173.194.64.83 dstport: 443
dstzone: external rule_name: Deny All cache_hit: 0 ssl_name: Exempt All
reason: Traffic denied by policy.

It closed the connection because it wasn't SSL/TLS. It didn't see enough data to know what else it was, like Matt said, and the only thing it knew was that this was TCP, hence <Unknown TCP>.
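The two points made in this thread, Matt's reading of the <Unknown TCP> audit and sliedl's telnet repro, can be tied together in a small script. The following is an added example, not code from the thread or from McAfee: it parses audit records in the format pasted above into key/value fields, pulls out the <Unknown TCP> denies on port 443 so you can see which destinations are affected, and shows why the single letter typed into telnet is not recognised as SSL/TLS. The first two records are the ones posted above; the third (an HTTP deny on port 80) is constructed. The TLS check is an assumption about what a proxy could look at (a real TLS connection opens with a ClientHello record: content type 0x16, major version 0x03, handshake type 0x01), not the firewall's actual identification logic.

```python
# Added example, not from the thread or the vendor. Parses Sidewinder-style audit
# records and classifies the first bytes a client sends on port 443.
import re
from typing import Dict, List

# Audit record layout seen in the thread: seven fixed header tokens, then
# "key: value" pairs whose values may contain spaces ("ACL deny", "Deny All").
HEADER_FIELDS = ("date", "time", "tz", "facility", "area", "type", "priority")
# A value runs until the next " key: " token or the end of the line.
KV_RE = re.compile(r"(\w+): (.*?)(?= \w+: |$)")

# Records 1 and 2 are from the thread; record 3 is constructed for contrast.
SAMPLE_AUDIT = """\
2012-06-19 08:16:58 +0500 f_http_proxy a_aclquery t_attack p_major pid: 1610 logid: 0 cmd: 'httpp' hostname: mblfw02.meezanbank.com category: policy_violation event: ACL deny attackip: 172.30.1.187 attackzone: internal application: <Unknown TCP> srcip: 172.30.1.187 srcport: 55398 srczone: internal protocol: 6 dst_geo: US dstip: 216.193.216.159 dstport: 443 dstzone: external rule_name: Deny All cache_hit: 1 reason: Traffic denied by policy.
2012-06-27 15:01:54 -0500 f_http_proxy a_aclquery t_attack p_major pid: 2409 logid: 0 cmd: 'httpp' hostname: sw8.fwdomain.com category: policy_violation event: ACL deny attackip: 10.11.1.2 attackzone: internal application: <Unknown TCP> srcip: 10.11.1.2 srcport: 3756 srczone: internal protocol: 6 dstip: 173.194.64.83 dstport: 443 dstzone: external rule_name: Deny All cache_hit: 0 ssl_name: Exempt All reason: Traffic denied by policy.
2012-06-27 15:02:10 -0500 f_http_proxy a_aclquery t_attack p_major pid: 2409 logid: 0 cmd: 'httpp' hostname: sw8.fwdomain.com category: policy_violation event: ACL deny attackip: 10.11.1.9 attackzone: internal application: HTTP srcip: 10.11.1.9 srcport: 40001 srczone: internal protocol: 6 dstip: 198.51.100.7 dstport: 80 dstzone: external rule_name: Deny All cache_hit: 0 reason: Traffic denied by policy.
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit line into a dict of header fields plus key/value pairs."""
    head = line.split(" ", 7)
    if len(head) < 8:
        raise ValueError("not a Sidewinder audit record: %r" % line)
    rec = dict(zip(HEADER_FIELDS, head[:7]))
    for key, val in KV_RE.findall(head[7]):
        rec[key] = val.strip("'")  # cmd: 'httpp' -> httpp
    return rec


def parse_audit(text: str) -> List[Dict[str, str]]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def unknown_tcp_443_denies(text: str) -> List[Dict[str, str]]:
    """The records this thread is about: ACL deny, application not identified, port 443."""
    return [
        r for r in parse_audit(text)
        if r.get("event") == "ACL deny"
        and r.get("application") == "<Unknown TCP>"
        and r.get("dstport") == "443"
    ]


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """Assumed heuristic: TLS record header 0x16 (handshake), version 0x03 0x00..0x04,
    two length bytes, then handshake type 0x01 (ClientHello)."""
    if len(first_bytes) < 6:
        return False
    content_type, major, minor = first_bytes[0], first_bytes[1], first_bytes[2]
    return content_type == 0x16 and major == 0x03 and minor <= 0x04 and first_bytes[5] == 0x01


def classify_first_bytes(first_bytes: bytes) -> str:
    """What a proxy doing the assumed check would call the connection."""
    return "SSL/TLS" if looks_like_tls_client_hello(first_bytes) else "<Unknown TCP>"


if __name__ == "__main__":
    for r in unknown_tcp_443_denies(SAMPLE_AUDIT):
        print(r["date"], r["time"], r["srcip"], "->", r["dstip"],
              "rule:", r["rule_name"], "ssl_name:", r.get("ssl_name", "-"))
    print("telnet keypress:", classify_first_bytes(b"a"))
    print("real ClientHello:", classify_first_bytes(bytes.fromhex("1603010200010001fc0303")))
```

Running it lists the two port-443 denies from the thread and shows the letter typed into telnet classified as <Unknown TCP> while a genuine ClientHello prefix is classified as SSL/TLS. The same parser can be pointed at a larger audit export to see whether the <Unknown TCP> denies cluster on a handful of destinations, which is the case where an SSL rule with no decryption for those hosts, as suggested above, would be the thing to try.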