I have allowed SSL for a specific rule to a set of destination IPs. My user's request is hitting one of my allowed destination IPs, 184.108.40.206, but in the audit it says Unknown TCP and my user gets blackholed at that time.
2012-06-19 08:16:58 +0500 f_http_proxy a_aclquery t_attack p_major
pid: 1610 logid: 0 cmd: 'httpp' hostname: mblfw02.meezanbank.com
category: policy_violation event: ACL deny attackip: 172.30.1.187
attackzone: internal application: <Unknown TCP> srcip: 172.30.1.187
srcport: 55398 srczone: internal protocol: 6 dst_geo: US
dstip: 220.127.116.11 dstport: 443 dstzone: external rule_name: Deny All
cache_hit: 1 reason: Traffic denied by policy.
Yet 443 is allowed through the non-transparent HTTP proxy in the Connection tab of the Application Defense. What is the issue?
Whenever I see <Unknown TCP> in the audit, it usually means that the firewall did not see enough of the traffic to identify it as HTTPS (or whatever application it is). This might come up if the client or server closes the connection too early. Tcpdumps would allow us to see this.
I would contact support, however, because the way the firewall is auditing this is causing your clients to be blackholed.
Try first to install the certificate of the Sidewinder on the host machine and try using SSL. Also, I know that McAfee made a new patch for this scenario; contact your support.
I think the solution for this error is to create a new SSL rule which does no decryption when you are destined for the destination host for Western Union.
It worked for me; I think McAfee had a little issue with some applications which use 443.
Message was edited by: ahmed.eissa on 2012/06/28 1:06:09 AM
SSL decrypt and encrypt act as a man in the middle, so every packet should be inspected to know what the traffic inside it is.
In this case SSL can't detect what traffic ("application") is encrypted inside the SSL.
Did you get this alert with regular browsing or with an application?
You can get the same message yourself by doing this:
- Find the IP of gmail.com
$> dig gmail.com
- On your PC, open the Command Prompt and telnet to that IP on port 443:
$> telnet 18.104.22.168 443
- It should sit there waiting for your input. Hit a letter key.
- It will close and you'll see the audit:
2012-06-27 15:01:54 -0500 f_http_proxy a_aclquery t_attack p_major
pid: 2409 logid: 0 cmd: 'httpp' hostname: sw8.fwdomain.com
category: policy_violation event: ACL deny attackip: 10.11.1.2
attackzone: internal application: <Unknown TCP> srcip: 10.11.1.2 srcport: 3756
srczone: internal protocol: 6 dstip: 22.214.171.124 dstport: 443
dstzone: external rule_name: Deny All cache_hit: 0 ssl_name: Exempt All
reason: Traffic denied by policy.
It closed the connection because it wasn't SSL/TLS. It didn't see enough data to know what else it was, like Matt said, and the only thing it knew was that this was TCP, so <Unknown TCP>.
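As an added illustration of the two points made in this thread (not code from the original posts or from McAfee), the script below parses audit records in the layout quoted above, picks out the <Unknown TCP> denies on port 443 that match the original poster's symptom, and shows the first-bytes test a TLS-aware proxy needs to pass before it can call a flow HTTPS: a TLS handshake record carrying a ClientHello. The telnet keystroke from the demonstration above fails that test, which is why the proxy can only report TCP. The audit records embedded in the script are constructed for the sample; the IPs, pids and the second record's values are made up, and the field names are taken only from the records quoted in the thread.

```python
"""Added example (not McAfee's code): parse Sidewinder-style audit records,
flag the <Unknown TCP> denies on 443 described in the thread, and show the
first-bytes test a TLS-aware proxy applies before it can call a flow HTTPS."""
import re

# Constructed records in the layout of the thread's audit excerpts. The IPs,
# pids and the second record's values are made up for the sample.
SAMPLE_AUDIT = """\
2012-06-27 15:01:54 -0500 f_http_proxy a_aclquery t_attack p_major
pid: 2409 logid: 0 cmd: 'httpp' hostname: sw8.fwdomain.com
category: policy_violation event: ACL deny attackip: 10.11.1.2
attackzone: internal application: <Unknown TCP> srcip: 10.11.1.2 srcport: 3756
srczone: internal protocol: 6 dstip: 203.0.113.10 dstport: 443
dstzone: external rule_name: Deny All cache_hit: 0 ssl_name: Exempt All
reason: Traffic denied by policy.
2012-06-27 15:02:31 -0500 f_http_proxy a_aclquery t_attack p_major
pid: 2409 logid: 0 cmd: 'httpp' hostname: sw8.fwdomain.com
category: policy_violation event: ACL deny attackip: 10.11.1.7
attackzone: internal application: <Unknown TCP> srcip: 10.11.1.7 srcport: 4120
srczone: internal protocol: 6 dstip: 203.0.113.20 dstport: 8080
dstzone: external rule_name: Deny All cache_hit: 0
reason: Traffic denied by policy.
"""

# A record starts with "YYYY-MM-DD HH:MM:SS +ZZZZ ".
HEADER_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4} ")
# "key: value" pairs; values may contain spaces ("ACL deny", "Deny All"), so a
# value runs lazily until the next " key: " token or the end of the record.
FIELD_RE = re.compile(r"(\w+): (.*?)(?= \w+: |$)")


def parse_audit(text):
    """Split audit text into records, one dict of fields per record."""
    records, current = [], None
    for line in text.splitlines():
        if HEADER_RE.match(line):
            if current is not None:
                records.append(_finish(current))
            current = {"header": line, "body": []}
        elif current is not None and line.strip():
            current["body"].append(line.strip())
    if current is not None:
        records.append(_finish(current))
    return records


def _finish(raw):
    """Turn a header line plus body lines into a flat field dict."""
    parts = raw["header"].split()
    rec = {"timestamp": " ".join(parts[:3]), "facility": parts[3],
           "area": parts[4], "type": parts[5], "priority": parts[6]}
    body = " ".join(raw["body"])
    for key, value in FIELD_RE.findall(body):
        rec[key] = value.strip("'")  # cmd: 'httpp' -> httpp
    return rec


def flag_unknown_tcp_denies(records, port="443"):
    """Records matching the thread's symptom: the proxy denied a flow to
    `port` because it could classify it only as <Unknown TCP>."""
    return [r for r in records
            if r.get("event") == "ACL deny"
            and r.get("application") == "<Unknown TCP>"
            and r.get("dstport") == port]


def looks_like_tls_client_hello(first_bytes):
    """The evidence a proxy needs before it can call a flow SSL/TLS: a TLS
    record of content type handshake (0x16), a 3.x version, and handshake
    type ClientHello (0x01). Telnet keystrokes or plain HTTP fail this."""
    if len(first_bytes) < 6:
        return False  # too little data to classify: the <Unknown TCP> case
    content_type, major, minor = first_bytes[0], first_bytes[1], first_bytes[2]
    return (content_type == 0x16 and major == 0x03 and minor <= 0x03
            and first_bytes[5] == 0x01)


if __name__ == "__main__":
    for rec in flag_unknown_tcp_denies(parse_audit(SAMPLE_AUDIT)):
        print(rec["timestamp"], rec["srcip"], "->", rec["dstip"],
              "rule:", rec["rule_name"], "ssl:", rec.get("ssl_name", "-"))
    print("telnet keystroke is TLS:", looks_like_tls_client_hello(b"a\r\n"))
```

Run against a real audit export, the flagged list is the set of clients the thread is about: each one hit a rule that depends on the proxy recognising HTTPS, and the proxy gave up before it had a ClientHello to recognise. Checking the `ssl_name` field on each flagged record tells you which SSL rule was consulted.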