This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Can't print with IPPS.

I can't print when Mac and Printer are connected through XG Firewall's bridge.
Mac - XG br0 - Printer

I can print by disabling SSL/TLS engine. Or I can print by disabling IPv6.

IPPS (Internet Printing Protocol over TLS) is used for printing.
When IPv6 is enabled, IPPS uses link-local addresses (fe80::/64).

The firewall log is output as Allow.
If I can print, application is identified as 'SSL Traffic over Non-SSL Ports'.
If I can't print, application is blank and the SSL/TLS inspection and Web filter logs will not be output.

Does SSL/TLS engine have problems handling link-local addresses?

I'm using SFOS 19.5.1 MR-1-Build278.

This thread was automatically locked due to age.

Top Replies

rfcat_vk over 1 year ago in reply to core_memory +1 suggested

Hi, please try using the web proxy with allow all in the application and web policies. SSL/TLS is not very friendly to UDP traffic. Ian

Parents

0 core_memory over 1 year ago

I don't think it's a rule issue because there is a log output allowed by the expected rule, and No issue with IPv4.

Firewall rule(IPv6) are as follows:
Action Accept
Src LAN, Any host
Dst LAN, Any host Any service
Web Policy None
Scan HTTP and decrypted HTTPS disable
App control None
IPS None

There is no change in the behavior of either Decrypt or Don't decrypt with the SSL/TLS inspection rule.

I disabled the following in the Decryption profile:
Self-signed
Untrusted issuer
Name mismatch

BTW: I have also confirmed that there is no issue when using other firewall products.
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 1 year ago in reply to core_memory

Hi,

please try using the web proxy with allow all in the application and web policies. SSL/TLS is not very friendly to UDP traffic.

Ian

XG115W - v20 GA - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Cancel

Reply

0 rfcat_vk over 1 year ago in reply to core_memory

Hi,

please try using the web proxy with allow all in the application and web policies. SSL/TLS is not very friendly to UDP traffic.

Ian

XG115W - v20 GA - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Cancel

Children

0 core_memory over 1 year ago in reply to rfcat_vk

TCP is used.

Web Proxy is not used because the port number is not 443.
Setting it to use Web Proxy makes no difference.
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 1 year ago in reply to core_memory

The suggestion to use the proxy and put the port 631 in the services is because it stops the DPI engine from scanning the traffic. While the log will show allowed it does not show if the end devices do not like the packets being scanned.

Ian

XG115W - v20 GA - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 core_memory over 1 year ago in reply to rfcat_vk

How can I enable Web Proxy to handle port 631?
However, there seems to be a problem with Web Proxy as well.
Cancel
Vote Up 0 Vote Down

Cancel