11-08-2018 08:21 AM - edited 11-08-2018 08:23 AM
CLI shows
Session 33880958
c2s flow:
source: 10.29.32.146 [_DMZ]
dst: 65.55.163.76
proto: 6
sport: 59760 dport: 443
state: INIT type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 65.55.163.76 [_EXT]
dst: 198.160.191.5
proto: 6
sport: 443 dport: 32999
state: INIT type: FLOW
src user: unknown
dst user: unknown
qos node: ae1.3741, qos member N/A Qid 0
DP : 1
index(local): : 326526
start time : Thu Nov 8 08:56:49 2018
timeout : 90 sec
total byte count(c2s) : 263
total byte count(s2c) : 128
layer7 packet count(c2s) : 3
layer7 packet count(s2c) : 2
vsys : vsys1
application : ssl
rule : interzone-default
session to be logged at end : True
session in session ager : False
session updated by HA peer : False
address/port translation : source
nat-rule :x.x.x
layer7 processing : enabled
URL filtering enabled : True
URL category : computer-and-internet-info
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ae1.3741
egress interface : ethernet1/13.4001
session QoS rule : N/A (class 4)
tracker stage firewall : proxy decrypt failure
end-reason : policy-deny
The rule is there to allow any app on port 443 TCP.
11-08-2018 09:51 AM
This is because that session was denied for some reason in your security policy.
Session 33880958
...
tracker stage firewall : proxy decrypt failure
end-reason : policy-deny
This article talks about the setup to ensure that a deny page is displayed (instead of a generic connection error). Your firewall has likely enabled that config, but was unable to display the page to the client. It could be as simple as the client not trusting the cert, which would make sense if you haven't set up decryption for your userbase.
11-08-2018 11:05 AM
Seems it was denying on port 80 and some destination IPs.
Allowed port 80 and those destination IPs, and it was good then.
Strange that the CLI gives the error
tracker stage firewall : proxy decrypt failure
even though the traffic was not decrypted?
Any thoughts on that?
11-08-2018 11:15 AM
The session you pasted before was on port 443, so the port 80 allowance wouldn't have helped this session:
Session 33880958
c2s flow:
source: 10.29.32.146 [_DMZ]
dst: 65.55.163.76
proto: 6
sport: 59760 dport: 443
If I had to hazard a guess, it was probably the destination blocks that were in place. But since you do have a next-gen firewall, if you are seeing TLS(ssl) traffic on port 80, the firewall will still know it's TLS and will try to display the block page if it's denied.
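To make the fields the two replies point at (end-reason, tracker stage, application, the c2s destination port, and the source-NAT visible in the s2c flow) easy to read off a pasted dump, here is an added example, not code from the original thread or from Palo Alto Networks. It is a small Python parser for the `show session id` output pasted earlier, plus a summary function that encodes the interpretation given in the replies above: a `policy-deny` end-reason means a security rule denied the session, and a `proxy decrypt failure` tracker stage on an `ssl` session means the firewall tried to serve its response page inside a proxied TLS handshake that the client did not complete. The sample text is the thread's own dump, trimmed; the function names and the wording of the summary are my own.

```python
import re

# Constructed sample: the session dump pasted in this thread, trimmed to the
# fields this example inspects. It was not regenerated on a firewall here.
SAMPLE_SESSION = """\
Session 33880958
c2s flow:
source: 10.29.32.146 [_DMZ]
dst: 65.55.163.76
proto: 6
sport: 59760 dport: 443
state: INIT type: FLOW
s2c flow:
source: 65.55.163.76 [_EXT]
dst: 198.160.191.5
proto: 6
sport: 443 dport: 32999
state: INIT type: FLOW
application : ssl
rule : interzone-default
address/port translation : source
nat-rule :x.x.x
layer7 processing : enabled
tracker stage firewall : proxy decrypt failure
end-reason : policy-deny
"""

_SESSION_RE = re.compile(r"^Session (\d+)$")
_FLOW_RE = re.compile(r"^(c2s|s2c) flow:$")
_PORTS_RE = re.compile(r"^sport:\s*(\d+)\s+dport:\s*(\d+)$")
_ADDR_RE = re.compile(r"^(source|dst):\s*(\S+)(?:\s+\[([^\]]+)\])?$")


def parse_session(text):
    """Parse `show session id` output into a flat dict.

    Per-flow lines (source/dst/sport/dport) are keyed with their direction,
    e.g. 'c2s_dport'. Every other 'key : value' line is stored under its
    lower-cased key, e.g. info['end-reason'].
    """
    info = {}
    flow = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SESSION_RE.match(line)
        if m:
            info["session_id"] = int(m.group(1))
            continue
        m = _FLOW_RE.match(line)
        if m:
            flow = m.group(1)
            continue
        m = _PORTS_RE.match(line)
        if m and flow:
            info[f"{flow}_sport"] = int(m.group(1))
            info[f"{flow}_dport"] = int(m.group(2))
            continue
        m = _ADDR_RE.match(line)
        if m and flow:
            info[f"{flow}_{m.group(1)}"] = m.group(2)
            if m.group(3):
                info[f"{flow}_{m.group(1)}_zone"] = m.group(3)
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            info[key.strip().lower()] = value.strip()
    return info


def nat_summary(info):
    """Return ((pre-NAT src, sport), (post-NAT src, sport)).

    With 'address/port translation : source', the s2c flow's dst is the
    translated address/port the server actually replies to, so that is the
    tuple to look for in any external logs.
    """
    pre = (info["c2s_source"], info["c2s_sport"])
    post = (info["s2c_dst"], info["s2c_dport"])
    return pre, post


def explain_end(info):
    """One-line reading of why the session ended, per the replies above."""
    end = info.get("end-reason")
    if end != "policy-deny":
        return f"ended with {end!r}; not a policy deny"
    msg = (f"denied by rule {info.get('rule')!r} "
           f"(app {info.get('application')}, dport {info.get('c2s_dport')})")
    if (info.get("application") == "ssl"
            and info.get("tracker stage firewall") == "proxy decrypt failure"):
        msg += ("; firewall attempted a TLS response page but the proxied "
                "handshake failed, e.g. client does not trust the firewall "
                "certificate")
    return msg


if __name__ == "__main__":
    session = parse_session(SAMPLE_SESSION)
    print(nat_summary(session))
    print(explain_end(session))
```

Because the summary keys off `c2s_dport`, it also makes the second point of the 11:15 reply visible: a session with `c2s_dport == 443` is not affected by a rule change that only opens port 80.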
11-08-2018 11:22 AM
On the GUI it is showing as:
type: deny
action: reset both
application: ssl
session end reason: policy deny