Looking at awarrenhttp_access.log for FQDNs

I have an XG125w (SFOS 18.5.2 MR-2-Build380).

A while back, I had a website that needed a web exception for SSL/TLS decryption and scan.  The domain needed did not appear in the SSL/TLS log viewer. 

I opened a ticket with support and they gave me some commands to run to identify the domain, which worked. Support gave me the following commands:

Log into the console and go to putty -> click 5 then 3 

type "service awarrenhttp:debug -ds nosync"

type "cd /log"

type "tail -f awarrenhttp_access.log | grep -I 'IP of device' | tee /log/zzzzz.txt"

(test the software on the device from start to finish) then ctrl + c when done.

type "service awarrenhttp:debug -ds nosync"

--send the log to Sophos with more commands but I just need to cat the log file locally for this one.

I tried this but the zzzzz.txt log is zero bytes. As a test, I did a cat on the entire awarrenhttp_access.log, but the IP of the test device doesn't even show up in the awarrenhttp_access.log file.

I then made a bunch of https connections on that device, but still nothing from the device IP showed up in the awarrenhttp_access.log.

What am I doing wrong?  This has worked in the past.

Thanks. 



[edited by: emmosophos at 12:42 AM (GMT -7) on 24 Jun 2022]
  •  I used Wireshark and found a connection to SNI pax-manager.myparallels.com.  The connection to the Parallels Access server fails right after pax-manager.myparallels.com appears in Wireshark.  pax-manager.myparallels.com has a fixed IP but then in the SSL/TLS logs there is always a failure for an IP address, and the failure is always due to "Blocked due to using client certificate." 

    I have an exception for pax-manager.myparallels.com and it shows as a successful "do not decrypt".

    Any ideas?

  • Could you show us the exception? 


  • The exceptions are:

    ^([A-Za-z0-9.-]*\.)?parallels\.com\.?/ and ^([A-Za-z0-9.-]*\.)?myparallels\.com\.?/ --  these work from what I see in the SSL/TLS logs.

    As a test, I turned off decryption for the MacBook and was able to log in to the Parallels access server. I became Access "available"; I then turned on decryption. Next, I made the MacBook "unavailable" and when I tried to make it "available" again, I got the secure server connection error again due to client certificate and was logged out of Access. Each time it tries to log in again, there is an attempted connection to an IP address. Each time the IP address changes and then it fails decryption due to client certificate.

    Right before the client error connection to an IP address, there is a good "do not decrypt" connection to pax-manager.myparallels.com.  I'm guessing that pax-manager.myparallels.com gives the IP address to connect to.

    Thanks,

    Brian1941
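The two exception regexes quoted above are hostname patterns, so a follow-up connection made to a bare IP address (no SNI, no hostname for the firewall to match) can never fall under them, which is consistent with what the thread observes: the pax-manager.myparallels.com connection is a clean "do not decrypt", and the next connection to a changing IP fails. The script below is an added example, not code from the thread or from Sophos. It runs the two posted regexes against a constructed list of destinations and reports which ones the exception would cover. It assumes the pattern is evaluated against "<host><path>", which is what the trailing "/" in the posted patterns suggests; how SFOS actually applies the match internally is not verified here.

```python
import re
from ipaddress import ip_address

# The two exception patterns exactly as posted in the thread.
EXCEPTION_PATTERNS = [
    r"^([A-Za-z0-9.-]*\.)?parallels\.com\.?/",
    r"^([A-Za-z0-9.-]*\.)?myparallels\.com\.?/",
]
COMPILED = [re.compile(p) for p in EXCEPTION_PATTERNS]


def matches_exception(host: str, path: str = "/") -> bool:
    """True if '<host><path>' is matched by one of the posted exception regexes.

    Assumption (not verified against SFOS internals): the firewall evaluates the
    regex against the hostname followed by the request path, so the trailing '/'
    in the posted patterns anchors the end of the host part.
    """
    return any(rx.search(f"{host}{path}") for rx in COMPILED)


def classify(destination: str) -> str:
    """Explain why a destination would or would not hit the exception.

    A destination that is an IP literal carries no hostname for a hostname
    regex to match, so the exception cannot apply to it regardless of the
    pattern. Everything else is checked against the posted regexes.
    """
    host = destination.split("/", 1)[0]
    try:
        ip_address(host)
        return "ip-literal: no hostname/SNI to match, exception cannot apply"
    except ValueError:
        pass  # not an IP address, treat as a hostname
    return "covered" if matches_exception(host) else "not covered"


def report(destinations: list[str]) -> dict[str, str]:
    """Map each destination to its classification."""
    return {d: classify(d) for d in destinations}


# Constructed sample destinations for illustration (not from a real capture).
# 203.0.113.10 is a documentation address standing in for the changing IP
# the poster sees after the pax-manager.myparallels.com connection.
SAMPLE_DESTINATIONS = [
    "pax-manager.myparallels.com",
    "parallels.com",
    "203.0.113.10",
    "myparallels.com.evil.example",  # regex is anchored, must not match
    "notparallels.com",              # prefix must end in a dot, must not match
]

if __name__ == "__main__":
    for dest, verdict in report(SAMPLE_DESTINATIONS).items():
        print(f"{dest:32} {verdict}")
```

The useful takeaway is the third line of the output: a hostname exception, however broad, has nothing to match when the client dials an IP directly, so the only knobs left are an exception keyed on the destination IP/network (if the address range is stable) or turning decryption off for that endpoint, which is exactly the workaround the poster tested.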