TLS version logs for Web Server Protection

We have a Sophos XGS2100 running V21 and I am looking for logs indicating the TLS versions used by external connections that are hitting our Web Protection rules that the Sophos uses to handle SSL Certificates and protection of our on-site web servers. So far I haven't been able to find them anywhere.

We run an on-prem web server that handles an API for our customers. After a recent security audit we would like to force TLS 1.2 or higher. Currently it is set to TLS 1.1 or higher. I know this setting can be changed by going to Protect > Web Server > General Settings and changing the TLS version from the drop-down menu. The problem is that we would like to verify our customers are not using TLS 1.1 before changing this setting. If any connections are using TLS 1.1 we want to get those logs so we can contact the customer and warn them of this change. Because of the critical nature of this API to our business we are currently unwilling to trust that an email to all registered API users is adequate, and we need to verify changes based on the logs. On the Web Server Protection rule I do force all HTTP traffic to HTTPS.

In the log viewer I can see logs for the various requests on our API, but nowhere in the log viewer can I find anything that includes the TLS version. Sample from the log viewer for web server protection is below (some info redacted of course):
2025-01-29 14:37:18 Web server protection messageid="17071" log_type="WAF" log_component="Web Application Firewall" user="-" server="www.CONTOSO.com" src_ip="XXX.XXX.XXX.XXX" local_ip="XXX.XXX.XXX.XXX" protocol="HTTP/1.1" url="/api/v1/Track" query_string="?ReferenceNum=123456789&BeginDate=2025-01-27&EndDate=2025-02-03" cookie="-" referer="-" method="GET" response_code="200" reason="-" extra="-" content_type="application/json" user_agent="Apache-HttpClient/5.2.3 (Java/17.0.12)" response_time="52555" bytes_sent="2358" bytes_received="1273" fw_rule_id="133" fw_rule_name="WEB_CONTOSO.COM" fw_rule_section="Local rule"

Does anybody know where or how I can get TLS version information on these requests going through our firewall to look for what might get blocked if I enforce TLS 1.2?



Edited TAGs
[edited by: Erick Jan at 12:46 AM (GMT -8) on 30 Jan 2025]
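
The WAF line quoted in the post carries no TLS field, but the same export can still identify which clients hit the rule and would need to be contacted. As an added example (not part of the original post and not Sophos code), this parses `key="value"` WAF lines, reports whether any TLS-related field is present, and groups requests by source IP and user agent; the sample lines, the documentation-range addresses and the `ExampleClient/1.0` agent are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key="value" layout of the log quoted in the post.
# Addresses are documentation ranges, not values from the post.
SAMPLE_LOG = '''\
2025-01-29 14:37:18 Web server protection messageid="17071" log_type="WAF" server="www.CONTOSO.com" src_ip="203.0.113.10" protocol="HTTP/1.1" url="/api/v1/Track" method="GET" response_code="200" user_agent="Apache-HttpClient/5.2.3 (Java/17.0.12)" fw_rule_id="133"
2025-01-29 14:38:02 Web server protection messageid="17071" log_type="WAF" server="www.CONTOSO.com" src_ip="203.0.113.10" protocol="HTTP/1.1" url="/api/v1/Track" method="GET" response_code="200" user_agent="Apache-HttpClient/5.2.3 (Java/17.0.12)" fw_rule_id="133"
2025-01-29 14:39:44 Web server protection messageid="17071" log_type="WAF" server="www.CONTOSO.com" src_ip="198.51.100.7" protocol="HTTP/1.1" url="/api/v1/Track" method="POST" response_code="200" user_agent="ExampleClient/1.0" fw_rule_id="133"
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
TLS_HINT_RE = re.compile(r'tls|ssl|cipher', re.IGNORECASE)

def parse_line(line):
    """Return the key="value" pairs of one WAF log line as a dict."""
    return dict(FIELD_RE.findall(line))

def load(text):
    """Parse every line that looks like a log record (has a messageid field)."""
    return [parse_line(l) for l in text.splitlines() if "messageid=" in l]

def tls_fields(records):
    """Names of any fields that look TLS-related (empty list if none are logged)."""
    return sorted({k for r in records for k in r if TLS_HINT_RE.search(k)})

def client_inventory(records, rule_id):
    """Group WAF requests for one firewall rule by source IP."""
    clients = defaultdict(lambda: {"requests": 0, "user_agents": set()})
    for r in records:
        if r.get("log_type") != "WAF" or r.get("fw_rule_id") != rule_id:
            continue
        entry = clients[r.get("src_ip", "-")]
        entry["requests"] += 1
        entry["user_agents"].add(r.get("user_agent", "-"))
    return dict(clients)

if __name__ == "__main__":
    records = load(SAMPLE_LOG)
    print("TLS-related fields:", tls_fields(records) or "none")
    for ip, info in sorted(client_inventory(records, "133").items()):
        print(ip, info["requests"], sorted(info["user_agents"]))
```
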