Unexpected policy evaluation for TCP Tunnel traffic and SSL attributes do not appear in access log after upgrading to SGOS 6.7.4.x

Article ID: 173780

Products

ProxyAV Software - AVOS Advanced Secure Gateway Software - ASG Secure Web Gateway Virtual Appliance ProxySG Software - SGOS

Issue/Introduction

After upgrading ProxySG or Advanced Secure Gateway (ASG) to SGOS 6.7.4.x from a previous release:

  • SSL attributes do not appear in access logs
  • SSL attributes do not apply to TCP tunnel transactions in policy

Cause

This is a known issue in the SSL proxy, tracked as bug ID SG-6161. Refer to the "6.7.x Known Issues" section of the latest SGOS 6.7.x release notes.

After upgrading to SGOS 6.7.4.x, the values of the following SSL-level attributes do not appear in the access logs:

  • client.certificate.common_name
  • client.certificate.subject
  • client.certificate.subject_directory_attribute
  • client.connection.negotiated_cipher
  • client.connection.negotiated_cipher.strength
  • client.connection.negotiated_ssl_version
  • server.certificate.hostname
  • server.certificate.hostname.category
  • server.certificate.hostname.exact
  • server.certificate.subject
  • server.connection.negotiated_cipher.strength
  • server.connection.negotiated_cipher
  • server.connection.negotiated_ssl_version

This happens when all of the following conditions are true:

  • The client request does not match SSL interception policy, i.e. no ssl.forward_proxy(https) policy action matches, or the request explicitly matches an ssl.forward_proxy(no) policy action.
  • The final policy verdict for the request is allow.

Note: This behavior does not apply when the SSL/HTTPS request is denied by policy.

In addition to the access logging change, policies that rely on the SSL attributes listed above no longer apply to TCP Tunnel transactions.
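As an added illustration (not part of this KB article), the following Python script applies the two conditions above to ProxySG-style ELFF access log lines and flags allowed, non-intercepted (tunneled) HTTPS transactions whose SSL attribute columns are all empty, which is the symptom described for SG-6161. The ELFF column names, the s-action values and the sample log lines are assumptions constructed for the example.

```python
import shlex
from typing import Dict, List, Tuple

# Assumed mapping from ELFF access log columns to the policy attributes
# named in the article (the column names are an assumption of this example).
SSL_FIELDS = {
    "x-rs-certificate-hostname": "server.certificate.hostname",
    "x-cs-connection-negotiated-ssl-version": "client.connection.negotiated_ssl_version",
    "x-cs-connection-negotiated-cipher": "client.connection.negotiated_cipher",
    "x-rs-connection-negotiated-cipher": "server.connection.negotiated_cipher",
}

# Constructed sample log: one tunneled+allowed request with empty SSL columns
# (the symptom), one intercepted request, and one denied request.
SAMPLE_LOG = """#Software: constructed sample
#Fields: date time c-ip cs-uri-scheme cs-host s-action sc-status x-rs-certificate-hostname x-cs-connection-negotiated-ssl-version x-cs-connection-negotiated-cipher x-rs-connection-negotiated-cipher
2019-01-10 10:00:01 10.0.0.5 ssl example.com TCP_TUNNELED 200 - - - -
2019-01-10 10:00:02 10.0.0.6 ssl intercepted.example TCP_NC_MISS 200 intercepted.example TLSv1.2 AES256-SHA AES256-SHA
2019-01-10 10:00:03 10.0.0.7 ssl blocked.example TCP_DENIED 403 - - - -
"""


def parse_elff(text: str) -> List[Dict[str, str]]:
    """Parse ELFF text into one dict per record, keyed by the #Fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            # shlex handles ELFF's double-quoted values containing spaces.
            rows.append(dict(zip(fields, shlex.split(line))))
    return rows


def affected_transactions(rows: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (client, host, missing attributes) for records matching the bug."""
    hits = []
    for r in rows:
        if r.get("cs-uri-scheme") != "ssl":
            continue  # only SSL/HTTPS transactions carry these attributes
        if r.get("s-action", "").startswith("TCP_DENIED"):
            continue  # the article: denied requests are not affected
        missing = [attr for col, attr in SSL_FIELDS.items() if r.get(col, "-") == "-"]
        if len(missing) == len(SSL_FIELDS):  # every SSL column empty: symptom
            hits.append((r["c-ip"], r["cs-host"], missing))
    return hits
```

Run it against a real access log export after upgrading; a non-empty result for tunneled, allowed HTTPS traffic indicates the logging gap this article describes.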

Resolution

Upgrade to SGOS 6.7.5.1 or later to address bug SG-6161.