5 Replies Latest reply on Jun 28, 2012 1:06 AM by Ahmed Eissa

    UNKNOWN TCP error, DENY ALL rule blocking port 443 traffic

    Arshad

      I have allowed SSL for a specific rule to a set of destination IPs. My user's IP request is hitting one of my allowed destination IPs, 216.193.216.159, but in the audit it says Unknown TCP and my user gets blackholed at that time.

      2012-06-19 08:16:58 +0500 f_http_proxy a_aclquery t_attack p_major
      pid: 1610 logid: 0 cmd: 'httpp' hostname: mblfw02.meezanbank.com
      category: policy_violation event: ACL deny attackip: 172.30.1.187
      attackzone: internal application: <Unknown TCP> srcip: 172.30.1.187
      srcport: 55398 srczone: internal protocol: 6 dst_geo: US
      dstip: 216.193.216.159 dstport: 443 dstzone: external rule_name: Deny All
      cache_hit: 1 reason: Traffic denied by policy.

      Even though 443 is allowed through the non-transparent HTTP proxy in the Connection tab of Application Defense. What is the issue?
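A small parser for the audit record quoted above, added here as an example for this thread (it is not Sidewinder or McAfee code). It turns the "key: value" audit text into a dict and flags exactly the symptom in the post: an ACL deny on dstport 443 whose application is <Unknown TCP>, meaning the proxy never saw a recognisable TLS handshake on that connection. The two records it parses are the ones quoted in this thread; the third record is constructed for contrast, and the reading of the header tokens f_/a_/t_/p_ as facility/area/type/priority is an assumption not confirmed by the thread.

```python
import re
from typing import Dict, List

# The two audit records quoted in the thread, each as one multi-line string
# (the blank lines between fields in the posts are extraction artifacts).
AUDIT_RECORDS = [
    """2012-06-19 08:16:58 +0500 f_http_proxy a_aclquery t_attack p_major
pid: 1610 logid: 0 cmd: 'httpp' hostname: mblfw02.meezanbank.com
category: policy_violation event: ACL deny attackip: 172.30.1.187
attackzone: internal application: <Unknown TCP> srcip: 172.30.1.187
srcport: 55398 srczone: internal protocol: 6 dst_geo: US
dstip: 216.193.216.159 dstport: 443 dstzone: external rule_name: Deny All
cache_hit: 1 reason: Traffic denied by policy.""",
    """2012-06-27 15:01:54 -0500 f_http_proxy a_aclquery t_attack p_major
pid: 2409 logid: 0 cmd: 'httpp' hostname: sw8.fwdomain.com
category: policy_violation event: ACL deny attackip: 10.11.1.2
attackzone: internal application: <Unknown TCP> srcip: 10.11.1.2 srcport: 3756
srczone: internal protocol: 6 dstip: 173.194.64.83 dstport: 443
dstzone: external rule_name: Deny All cache_hit: 0 ssl_name: Exempt All
reason: Traffic denied by policy.""",
]

# Constructed for contrast (not from the thread): a deny where the proxy DID
# identify the application as HTTPS, so it must not be flagged.
CONSTRUCTED_HTTPS_DENY = """2012-06-27 15:05:10 -0500 f_http_proxy a_aclquery t_attack p_major
pid: 2409 logid: 0 cmd: 'httpp' hostname: sw8.fwdomain.com
category: policy_violation event: ACL deny attackip: 10.11.1.3
attackzone: internal application: HTTPS srcip: 10.11.1.3 srcport: 3757
srczone: internal protocol: 6 dstip: 203.0.113.5 dstport: 443
dstzone: external rule_name: Deny All cache_hit: 0 reason: Traffic denied by policy."""

# A field is a word followed by ':' and a value that runs until the next
# 'word: ' token or end of line; this keeps multi-word values such as
# 'ACL deny', '<Unknown TCP>' and 'Deny All' intact.
FIELD_RE = re.compile(r"(\w+):\s+(.*?)(?=\s+\w+:\s|$)")

# Header tokens f_/a_/t_/p_ are read as facility/area/type/priority
# (assumption about the Sidewinder audit format, not confirmed by the thread).
HEADER_PREFIXES = {"f_": "facility", "a_": "area", "t_": "type", "p_": "priority"}


def parse_audit(record: str) -> Dict[str, str]:
    """Turn one audit record into a flat dict of field -> value."""
    lines = record.strip().splitlines()
    header = lines[0].split()
    fields: Dict[str, str] = {"timestamp": " ".join(header[:3])}
    for tok in header[3:]:
        name = HEADER_PREFIXES.get(tok[:2])
        if name:
            fields[name] = tok[2:]
    body = " ".join(line.strip() for line in lines[1:])
    for key, value in FIELD_RE.findall(body):
        fields[key] = value.strip("'")   # cmd: 'httpp' -> httpp
    return fields


def unknown_tcp_denies(records: List[str], port: str = "443") -> List[Dict[str, str]]:
    """Return the parsed records showing the symptom from the thread."""
    hits = []
    for rec in records:
        f = parse_audit(rec)
        if (f.get("event") == "ACL deny"
                and f.get("application") == "<Unknown TCP>"
                and f.get("dstport") == port):
            hits.append(f)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged connections per source IP so repeat offenders stand out."""
    counts: Dict[str, int] = {}
    for f in hits:
        counts[f["srcip"]] = counts.get(f["srcip"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = unknown_tcp_denies(AUDIT_RECORDS + [CONSTRUCTED_HTTPS_DENY])
    for f in flagged:
        print(f"{f['timestamp']} {f['srcip']}:{f['srcport']} -> {f['dstip']}:{f['dstport']} "
              f"rule={f['rule_name']!r} ssl={f.get('ssl_name', '-')}")
    print(summarize(flagged))
```

Running it over a day's worth of exported audit records and looking at the per-source counts tells you whether a single client (or a single destination) keeps hitting this path, which is the data support will ask for along with the tcpdump.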

        • 1. Re: UNKNOWN TCP error, DENY ALL rule blocking port 443 traffic

          Hello,


          Whenever I see <Unknown TCP> in the audit, it usually means that the firewall did not see enough of the traffic to identify it as HTTPS (or whatever application it is). This might come up if the client or server closes the connection too early. Tcpdumps would allow us to see this.


          I would contact support, however, because the way that the firewall is auditing is causing your clients to be blackholed.


          -Matt

          • 2. Re: UNKNOWN TCP error, DENY ALL rule blocking port 443 traffic
            Ahmed Eissa

            SSL decrypt and encrypt act as a man in the middle, so every packet should be inspected to know what the traffic inside it is.

            In this case SSL can't detect what traffic ("Application") is encrypted inside SSL.

            When did you get this alert: with regular browsing or with an application?

            • 3. Re: UNKNOWN TCP error, DENY ALL rule blocking port 443 traffic
              sliedl

              You can get the same message yourself by doing this:

              - Find the IP of gmail.com:

              $> dig gmail.com

              - On your PC, open the Command Prompt and do a telnet to that IP on port 443:

              $> telnet 173.194.64.83 443

              - It should sit there waiting for your input.  Hit a letter key.

              - It will close and you'll see the audit:

              2012-06-27 15:01:54 -0500 f_http_proxy a_aclquery t_attack p_major
              pid: 2409 logid: 0 cmd: 'httpp' hostname: sw8.fwdomain.com
              category: policy_violation event: ACL deny attackip: 10.11.1.2
              attackzone: internal application: <Unknown TCP> srcip: 10.11.1.2 srcport: 3756
              srczone: internal protocol: 6 dstip: 173.194.64.83 dstport: 443
              dstzone: external rule_name: Deny All cache_hit: 0 ssl_name: Exempt All
              reason: Traffic denied by policy.

              It closed the connection because it wasn't SSL/TLS.  It didn't see enough data to know what else it was, like Matt said, and the only thing it knew was that this was TCP, so <Unknown TCP>.

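To make the reasoning in the last two replies concrete, here is a simplified model of the decision an inspecting proxy has to make on the first bytes a client sends, added here as an example for this thread (it is not Sidewinder or McAfee code and does not claim to match the appliance's actual classifier). A TLS session opens with a 5-byte record header followed by a ClientHello handshake; a single telnet keystroke plus Enter is three bytes and cannot be identified as anything but TCP. The ClientHello builder and the sample inputs are constructed for the example.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type for handshake messages
CLIENT_HELLO = 0x01    # handshake message type for ClientHello
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the first bytes seen on a connection.

    Simplified classifier written for this example; it only recognises a
    TLS 1.0-1.2 ClientHello record and plaintext HTTP request lines.
    """
    # A TLS record header is 5 bytes and the handshake type is the 6th byte;
    # with fewer bytes there is nothing to identify (the telnet case above).
    if len(data) < 6:
        return "unknown"
    content_type, major, minor, rec_len, hs_type = struct.unpack("!BBBHB", data[:6])
    if (content_type == TLS_HANDSHAKE and major == 3 and minor <= 3
            and hs_type == CLIENT_HELLO and rec_len >= 4):
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def build_client_hello() -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (one cipher suite, no extensions)."""
    body = (b"\x03\x03"            # client_version: TLS 1.2
            + b"\x00" * 32         # random (zeroed here; a real client sends 32 random bytes)
            + b"\x00"              # session_id length 0
            + b"\x00\x02\x00\x2f"  # cipher_suites: one entry, TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")         # compression_methods: one entry, null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record header: type 0x16, legacy version 3.1, then the handshake length.
    return bytes([TLS_HANDSHAKE, 3, 1]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample inputs: a browser's opening record, a plaintext HTTP
# request, sliedl's telnet experiment (one keystroke + Enter), and junk.
SAMPLES = {
    "browser": build_client_hello(),
    "plain http": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "telnet keystroke": b"a\r\n",
    "random bytes": b"hello there",
    "empty": b"",
}


def classify_samples() -> dict:
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify_first_bytes(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:18s} -> {verdict}")
```

The same logic explains the original poster's symptom: if a client application opens the TCP connection to port 443 and then sends nothing the proxy can parse as a ClientHello before the connection is closed, the proxy can only record the session as <Unknown TCP>, and a rule set that only permits identified HTTPS will fall through to the Deny All rule.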
              • 4. Re: UNKNOWN TCP error, DENY ALL rule blocking port 443 traffic
                Arshad

                Dear Ahmed Eissa,


                Yes, this issue occurred randomly while accessing the Western Union money transfer application.


                Thanks

                • 5. Re: UNKNOWN TCP error, DENY ALL rule blocking port 443 traffic
                  Ahmed Eissa

                  Dear Arshad,

                  Try first to install the certificate of Sidewinder on the host machine and try using SSL. Also, I knew that McAfee made a new patch for this scenario; contact your support.

                  I think the solution for this error is to create a new SSL rule which makes no decryption when you are destined for the destination host for Western Union.

                  It worked for me; I think McAfee had a little issue with some applications which use 443.


                  Message was edited by: ahmed.eissa on 2012/06/28 1:06:09 AM