1 Reply Latest reply on Mar 30, 2015 10:47 AM by sliedl

    connection towards proxy is intermittent

    johnsonyong

      Hi all! New to this forum, and I would like to seek help or guidance from you guys.

       

      I have this Sidewinder pair (MFE 1100F 8.2.1) with rules created to access a proxy server (another infra) from the client's web browser.

       

      However, I am seeing a lot of application Unknown TCP, while some of the traffic is seen with HTTP as the application.

       

      2015-03-30 13:04:20 +0800 f_kernel_ipfilter a_general_area t_nettraffic p_major

      hostname:xxxxxxxx event: session end

      application: <Unknown TCP> netsessid: 6191e5518d954 srcip: zzz.zzz.zzz.zzzz

      srcport: 52820 srczone: LAN protocol: 6 dstip: yyy.yyy.yyy.yyy

      dstport: 9090 dstzone: WAN bytes_written_to_client: 0

      bytes_written_to_server: 0

      rule_name: <Pending Application Identification> cache_hit: 0

      start_time: 2015-03-30 13:04:20 +0800

       

      From the same source, I can see some traffic passing through.

       

      2015-03-30 13:04:20 +0800 f_kernel_ipfilter a_general_area t_nettraffic p_major

      hostname: xxxxxxx event: session end application: HTTP

      app_risk: low app_categories: infrastructure netsessid: 6117d5518d953

      srcip: zzz.zzz.zzz.zzz srcport: 52784 srczone: NON-SOE protocol: 6

      dstip: yyy.yyy.yyy.yyy dstport: 9090 dstzone: SOE-WAN

      bytes_written_to_client: 12015 bytes_written_to_server: 7272

      rule_name: Surf rule 1 cache_hit: 0

      start_time: 2015-03-30 13:04:19 +0800

       

      SSL no decryption, policy rule as per below.

       

      Application: TCP4714(pac file port), tcp9090(proxy server), SSL/TLS and override ports

      tcp9090 configured with parent application as HTTP, with TCP and SSL configured as 9090.

       

      Defense group wise, I have created a no proxy group, with most of the things left as default. Did I miss out anything on the configurations?

       

      Thanks in advance!

        • 1. Re: connection towards proxy is intermittent
          sliedl

          If you are trying to do non-transparent HTTP and HTTPS through the firewall you must include the SSL/TLS application in your rules also and then override the SSL port to include the port you are doing HTTPS on (assuming you've changed this from the default of 443).  The "SSL" setting in the Applications does not pass SSL traffic, it is alerting you to the fact that this application may also tunnel over SSL.  The SSL/TLS application is the app. which can pass this traffic.

           

          Make sure you are at 8.2.1P08 at least, the latest version of 8.2.1.  I suggest you upgrade this firewall to 8.3.2P06 when you can also, to take advantage of the latest code-fixes and CVE fixes.
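Added example, not part of the thread and not vendor tooling: a Python parser for audit entries in the layout quoted in the question, which counts per proxy destination how many ended sessions were still at `<Pending Application Identification>` and how many matched an application. The field list is taken from the two entries in the question; the sample entries, hostname and addresses are constructed.

```python
import re
from collections import Counter

# Field names exactly as they appear in the audit entries quoted in the thread.
FIELDS = ("hostname event application app_risk app_categories netsessid srcip "
          "srcport srczone protocol dstip dstport dstzone bytes_written_to_client "
          "bytes_written_to_server rule_name cache_hit start_time").split()
FIELD_RE = re.compile(r"(?<!\w)(%s):\s*" % "|".join(FIELDS))
# An entry starts with a timestamp followed by the facility (f_...) token.
ENTRY_RE = re.compile(r"(?m)^\s*(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4} f_)")
PENDING = "<Pending Application Identification>"

def parse_entry(text):
    """Turn one audit entry into {field: value}; a value runs up to the next
    known field name, so "session end" and "Surf rule 1" stay whole."""
    hits = list(FIELD_RE.finditer(text))
    ends = [h.start() for h in hits[1:]] + [len(text)]
    return {h.group(1): " ".join(text[h.end():end].split()) for h, end in zip(hits, ends)}

def parse_log(log):
    return [parse_entry(chunk) for chunk in ENTRY_RE.split(log) if chunk.strip()]

def summarize(entries):
    """Per (dstip, dstport), count ended sessions by identification outcome."""
    stats = {}
    for e in entries:
        if e.get("event") != "session end":
            continue
        moved = int(e.get("bytes_written_to_client", 0)) + int(e.get("bytes_written_to_server", 0))
        if e.get("rule_name") != PENDING:
            bucket = e.get("application", "?")  # identified and matched a rule
        else:
            bucket = "pending, no data" if moved == 0 else "pending, data seen"
        stats.setdefault((e.get("dstip"), e.get("dstport")), Counter())[bucket] += 1
    return stats

# Constructed sample in the thread's field layout; addresses are documentation ranges.
SAMPLE = """\
2015-03-30 13:04:20 +0800 f_kernel_ipfilter a_general_area t_nettraffic p_major
hostname:fw1 event: session end application: <Unknown TCP> rule_name: <Pending Application Identification>
srcip: 192.0.2.10 srcport: 52820 dstip: 198.51.100.20 dstport: 9090 bytes_written_to_client: 0 bytes_written_to_server: 0
2015-03-30 13:04:21 +0800 f_kernel_ipfilter a_general_area t_nettraffic p_major
hostname:fw1 event: session end application: <Unknown TCP> rule_name: <Pending Application Identification>
srcip: 192.0.2.10 srcport: 52821 dstip: 198.51.100.20 dstport: 9090 bytes_written_to_client: 0 bytes_written_to_server: 0
2015-03-30 13:04:20 +0800 f_kernel_ipfilter a_general_area t_nettraffic p_major
hostname: fw1 event: session end application: HTTP app_risk: low rule_name: Surf rule 1
srcip: 192.0.2.10 srcport: 52784 dstip: 198.51.100.20 dstport: 9090 bytes_written_to_client: 12015 bytes_written_to_server: 7272
"""
```

Running `summarize(parse_log(...))` over an exported audit file gives the ratio of pending to identified sessions for the proxy port, which can be compared before and after a rule change such as the one suggested in the reply.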