
Unexpected policy evaluation for TCP Tunnel traffic and SSL attributes do not appear in access log after upgrading to SGOS 6.7.4.x


Article ID: 173780


Updated On:


ProxyAV Software - AVOS, Advanced Secure Gateway Software - ASG, Secure Web Gateway Virtual Appliance, ProxySG Software - SGOS


After upgrading ProxySG or Advanced Secure Gateway (ASG) to SGOS 6.7.4.x from a previous release:

  • SSL attributes do not appear in access logs
  • SSL attributes do not apply to TCP tunnel transactions in policy


This is currently a known issue in the SSL proxy. Refer to the latest SGOS 6.7.x release notes, section "6.7.x Known Issues", bug ID SG-6161.

After upgrading to SGOS 6.7.4.x, the following SSL-level attributes do not appear in the access logs:

  • client.certificate.common_name
  • client.certificate.subject
  • client.certificate.subject_directory_attribute
  • client.connection.negotiated_cipher
  • client.connection.negotiated_cipher.strength
  • client.connection.negotiated_ssl_version
  • server.certificate.hostname
  • server.certificate.hostname.category
  • server.certificate.hostname.exact
  • server.certificate.subject
  • server.connection.negotiated_cipher.strength
  • server.connection.negotiated_cipher
  • server.connection.negotiated_ssl_version

This occurs when all of the following conditions are true:

  • The client request does not match an SSL interception policy; that is, the policy action ssl.forward_proxy(https) does not match, or the request explicitly matches the policy action ssl.forward_proxy(no).
  • The final policy verdict of the request is allowed.

Note: This behavior does not apply when the SSL/HTTPS request is denied by policy.

In addition to access logging changes, policies which rely on the SSL attributes listed above no longer apply to TCP Tunnel transactions.
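
To check whether existing logs show this gap, the following added example (not part of the vendor article) scans an ELFF access log for allowed tunneled transactions whose SSL columns are all empty. The ELFF field names, the `-` empty-value marker, the `TCP_TUNNELED` action value and the sample lines are assumptions; adjust them to the log format configured on your appliance.

```python
import csv

# Assumption: SSL attribute columns are identified by these substrings in
# their ELFF field names; adjust to match your configured log format.
SSL_MARKERS = ("certificate", "negotiated")
EMPTY = "-"  # assumption: ELFF placeholder for a field with no value

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip s-action cs-host x-rs-certificate-hostname x-rs-connection-negotiated-cipher x-rs-connection-negotiated-ssl-version
2018-01-01 10:00:00 192.0.2.5 TCP_TUNNELED example.com - - -
2018-01-01 10:00:01 192.0.2.6 TCP_TUNNELED example.org example.org AES256-SHA TLSv1.2
2018-01-01 10:00:02 192.0.2.7 TCP_DENIED example.net - - -
"""


def find_blind_tunnels(lines):
    """Return allowed tunnel records whose SSL columns are all empty."""
    fields, ssl_cols, hits = [], [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # Column layout can change mid-file, so re-read it every time.
            fields = line[len("#Fields:"):].split()
            ssl_cols = [f for f in fields if any(m in f for m in SSL_MARKERS)]
            continue
        if not line or line.startswith("#") or not ssl_cols:
            continue
        # csv handles quoted values (for example user agents) with spaces.
        values = next(csv.reader([line], delimiter=" ", quotechar='"'))
        if len(values) != len(fields):
            continue  # malformed or truncated line
        rec = dict(zip(fields, values))
        # Denied requests are excluded: the article says they are unaffected.
        if rec.get("s-action") == "TCP_TUNNELED" and all(
            rec[c] == EMPTY for c in ssl_cols
        ):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_blind_tunnels(SAMPLE_LOG.splitlines()):
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-host"])
```

A high share of such records after the upgrade, compared with logs from before it, indicates that reports and alerts built on these fields are missing data for non-intercepted traffic.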


Upgrade to SGOS or later to address bug SG-6161.