
TLS on syslog

Hi,
we have a problem with transferring syslog from the Sophos firewall to the Arcsight SmartConnector. When we try UDP, logs can be seen in the connector. However, with TLS the communication fails.


This is only an example, but our handshake also fails at Change Cipher Spec.
We have checked it in Wireshark, and both Sophos and Arcsight agreed on the cipher.

No.  Time      Source          Destination     Protocol  Length  Info
4    0.003000  192.168.1.100   93.184.216.34   TLSv1.2   229     Client Hello
5    0.005000  93.184.216.34   192.168.1.100   TLSv1.2   148     Server Hello
6    0.005500  93.184.216.34   192.168.1.100   TLSv1.2   1500    Certificate
7    0.006000  93.184.216.34   192.168.1.100   TLSv1.2   143     Server Key Exchange
8    0.006500  93.184.216.34   192.168.1.100   TLSv1.2   89      Server Hello Done
9    0.007000  192.168.1.100   93.184.216.34   TLSv1.2   110     Client Key Exchange
10   0.007500  192.168.1.100   93.184.216.34   TLSv1.2   66      Change Cipher Spec
11   0.008000  93.184.216.34   192.168.1.100   TLSv1.2   85      Encrypted Alert

What I have checked:
1) Sophos trusts the CA that signed the Arcsight connector certificate.
2) The Arcsight connector certificate has the correct hostname in the CN and SAN fields.
3) Both Sophos and Arcsight support the same cipher.
4) Communication is allowed on the firewall.
5) Arcsight is listening on the syslog port.
6) Sophos is sending data to the syslog port.

How should I troubleshoot this issue?
Thanks and regards



[edited by: Raphael Alganes at 11:47 AM (GMT -7) on 7 Oct 2024]
  • Check if the certificate chain is complete: Even though Sophos trusts the Certificate Authority (CA) that signed the ArcSight connector certificate, ensure the full chain (including intermediate CAs) is being sent by the ArcSight connector. The failure at the "Change Cipher Spec" step could indicate that the certificate chain is incomplete, causing the connection to be rejected.

    Use OpenSSL to validate the certificate chain and test the handshake:

    openssl s_client -connect <arcsight_ip>:<syslog_port> -showcerts

    Komala Yaganti
    Technical Support Engineer | Sophos Technical Support

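Building on the OpenSSL check in the answer above, the following is an added example (not from this thread, Sophos or ArcSight) that post-processes `openssl s_client -showcerts` output and flags the incomplete-chain case. The `<arcsight_ip>`/`<syslog_port>` placeholders are the answer's; `ca.pem` and the two sample outputs are constructed.

```shell
# Added example; not from this thread, Sophos or ArcSight. It reads the
# output of the openssl s_client -showcerts command from the answer above
# and reports whether the listener sent a complete, verifiable chain.
# Live use (placeholders are the answer's; ca.pem is an assumed CA file):
#   openssl s_client -connect <arcsight_ip>:<syslog_port> -CAfile ca.pem \
#       -showcerts </dev/null 2>&1 | check_chain

# Reads s_client output on stdin; exit 0 if the chain verified, 1 if not.
check_chain() {
    out=$(cat)
    # One PEM block per certificate the server presented.
    depth=$(printf '%s\n' "$out" | grep -c 'BEGIN CERTIFICATE' || true)
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    issuer=$(printf '%s\n' "$out" | sed -n 's/^ *i:\(.*\)/\1/p' | head -n 1)
    echo "certificates presented: $depth; leaf issuer: ${issuer:-unknown}; verify code: ${code:-missing}"
    # 20 = unable to get local issuer certificate, 21 = unable to verify the
    # first certificate: with depth 1 the server sent only its leaf, so the
    # intermediate CA certificate must be added to the connector's chain.
    case "$code" in
        0) echo "chain OK" ;;
        20|21) echo "chain INCOMPLETE or issuer not trusted"; return 1 ;;
        *) echo "verification failed (code ${code:-missing})"; return 1 ;;
    esac
}

# Constructed s_client output for a listener that sent only its leaf
# certificate (PEM bodies here are placeholders, not real certificates).
SAMPLE_LEAF_ONLY='verify error:num=21:unable to verify the first certificate
Certificate chain
 0 s:CN = arcsight-connector.example.net
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
    Verify return code: 21 (unable to verify the first certificate)'
# The same listener after the intermediate CA was added to its chain.
SAMPLE_FULL_CHAIN='Certificate chain
 0 s:CN = arcsight-connector.example.net
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
    Verify return code: 0 (ok)'
printf '%s\n' "$SAMPLE_LEAF_ONLY" | check_chain || echo "exit status $?"
printf '%s\n' "$SAMPLE_FULL_CHAIN" | check_chain
```

A count of 1 together with return code 20 or 21 is the signature of a listener that presents only its leaf certificate; the capture in the question cannot show this directly because the server's alert is encrypted.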
