Symptoms:
- You have configured TLS inspection and a Layer 7 access profile on your Gateway firewall.
- You have configured an ANY ANY rule with the Reject action.
- While running the command get firewall <uuid> ruleset [type <rule-type>] stats as the admin user on the NSX-T Edge Node CLI, you can see that the L7 profile reject counter is being hit:
Firewall rule count: 2
Rule ID : 1039
Input bytes : 2772
Output bytes : 1251
Input packets : 10
Output packets : 12
Evaluations : 3
Hits : 1
Active connections : 0
L7 profile allow : 0
L7 profile reject : 2 <<<<<<-------- It gets a HIT
L7 profile reject page : 0
- While running the command get tls-inspection traffic-stats lr-uuid <uuid> as the admin user on the NSX-T Edge Node CLI, you can see that the TLS inspection rules are being hit:
rule hits : 1 <<<<<<-------- It gets a HIT
cached certs : 1
cached cert hits : 0
cached cert misses : 1
open connections : 0
total connections : 1
decrypted connections : 1
bypassed due to rules : 0
bypassed due to failures : 0
failed connections : 0
client-to-server bytes : 114
server-to-client bytes : 367
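The two counter blocks above are what you compare when confirming this symptom: the L7 profile reject counter and the TLS inspection rule hits both increment while the test flow still completes. The following script is an added example, not part of the KB article or an NSX-T tool; it parses pasted Edge CLI output into counters, splits the per-rule block by Rule ID, and flags the "rejected but still forwarded" combination. The sample text is copied from the output above (the counter names are taken from the page; the function names are the author's own), and the forwarded flag stands for whether the curl test in the next symptom returned a response.

```python
"""Triage helper for NSX-T Edge CLI counter output (added example, not NSX-T code).

Paste the output of 'get firewall <uuid> ruleset stats' and
'get tls-inspection traffic-stats lr-uuid <uuid>' into the two samples (or read
them from files) and use the functions below to check for the symptom.
"""
import re

# Sample copied from the KB output above; trailing annotations are tolerated.
FW_STATS_SAMPLE = """\
Firewall rule count: 2
Rule ID : 1039
Input bytes : 2772
Output bytes : 1251
Input packets : 10
Output packets : 12
Evaluations : 3
Hits : 1
Active connections : 0
L7 profile allow : 0
L7 profile reject : 2 <<<<<<-------- It gets a HIT
L7 profile reject page : 0
"""

TLS_STATS_SAMPLE = """\
rule hits : 1 <<<<<<-------- It gets a HIT
cached certs : 1
cached cert hits : 0
cached cert misses : 1
open connections : 0
total connections : 1
decrypted connections : 1
bypassed due to rules : 0
bypassed due to failures : 0
failed connections : 0
client-to-server bytes : 114
server-to-client bytes : 367
"""

# "name : integer" with optional trailing text (the '<<<<' annotations, for instance).
_LINE = re.compile(r"^\s*([A-Za-z0-9][^:]*?)\s*:\s*(-?\d+)(?!\S)")


def parse_counters(text):
    """Return {counter name: int} for every 'name : number' line; other lines are skipped."""
    counters = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


def parse_rule_stats(text):
    """Split firewall stats output into {rule_id: {counter: int}}.

    Lines before the first 'Rule ID' (such as the rule count) belong to no rule
    and are ignored.
    """
    rules = {}
    current = None
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        name, value = m.group(1).strip(), int(m.group(2))
        if name == "Rule ID":
            current = value
            rules[current] = {}
        elif current is not None:
            rules[current][name] = value
    return rules


def rejected_but_forwarded(rule_counters, tls_counters, forwarded):
    """True when the counters say the reject path fired yet the client still got a response.

    'forwarded' is the result of your own test (e.g. the curl request completed).
    """
    l7_reject = rule_counters.get("L7 profile reject", 0)
    tls_hits = tls_counters.get("rule hits", 0)
    decrypted = tls_counters.get("decrypted connections", 0)
    return bool(forwarded) and l7_reject > 0 and tls_hits > 0 and decrypted > 0


def counter_delta(before, after):
    """Counters that increased between two snapshots taken around a single test flow.

    Use this to attribute the hit to your test rather than to earlier traffic.
    """
    return {k: after[k] - before.get(k, 0) for k in after if after[k] > before.get(k, 0)}


if __name__ == "__main__":
    rules = parse_rule_stats(FW_STATS_SAMPLE)
    tls = parse_counters(TLS_STATS_SAMPLE)
    for rule_id, counters in rules.items():
        flagged = rejected_but_forwarded(counters, tls, forwarded=True)
        print(f"rule {rule_id}: L7 reject={counters.get('L7 profile reject', 0)} "
              f"tls hits={tls.get('rule hits', 0)} symptom={'YES' if flagged else 'no'}")
```

Take one snapshot of both commands before the test request and one after, and feed the parsed dictionaries to counter_delta; if "L7 profile reject" and "rule hits" grew by the number of test requests you sent while the requests still succeeded, you are looking at this symptom rather than at stale counters.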
- You observe that the traffic is still being forwarded even though the TLS inspection policy and the L7 profile should reject it:
root@10:~# curl -vk --tlsv1.2 --resolve www.example.com:443:1.1.1.10 https://www.example.com --http1.1
* Added www.example.com:443:1.1.1.10 to DNS cache
* Rebuilt URL to: https://www.example.com/
* Hostname www.example.com was found in DNS cache
* Trying 1.1.1.10...
* TCP_NODELAY set
* Connected to www.example.com (1.1.1.10) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=IN; ST=MH; L=Pune; O=trustsign; OU=servercert; CN=www.example.com; [email protected]
* start date: Sep 16 16:56:00 2021 GMT
* expire date: Sep 16 16:56:00 2029 GMT
* issuer: C=IN; ST=MH; L=Pune; O=trustsign; OU=certissuer; CN=Enterprise Trusted Root CA; emailAddress=enterprise_trusted_root_ca@trustsign
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.