[Answered] Feature request: SSL/TLS inspection feature to syslog

Good morning,

Quick question: in the new v18 firmware I don't see the ability to send the SSL/TLS Inspection logs to another device via syslog.

It'd be really helpful for troubleshooting if there were a way to send these logs to a remote machine for processing.

Is there any chance or ETA on when the syslog options will be extended to include this?

Kind regards,

Frank

  • Which of all checkboxes is used by the new SSL/TLS Inspection feature?

    If I check the appliance log viewer, I see there are log messages containing 'log_type="SSL" log_component="SSL"'. I would expect to be able to ship these via Syslog to my receiver, but even with all checkboxes checked these messages never show up.

  • In Log Viewer it is SSL/TLS Inspection.

    In syslog it is SSL/TLS Filter. Right beside the Web Filter.

    I just confirmed on my box.

    Jan 13 23:00:34 _gateway device="SFW" date=2020-01-13 time=23:00:34 timezone="CET" device_name="SF01V" device_id=SFDemo-5e0e743 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=5 user_name="" user_gp="" iap=1 category="Information Technology" category_type="Acceptable" url="https://www.example.com/" contenttype="text/html" override_token="" httpresponsecode="" src_ip=10.145.9.146 dst_ip=93.184.216.34 protocol="TCP" src_port=48132 dst_port=443 sent_bytes=79 recv_bytes=1578 domain=www.example.com exceptions= activityname="" reason="" user_agent="curl/7.58.0" status_code="200" transactionid=5df1925d-c83e-4743-ac76-f0826d89eb24 referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=0 application="" app_is_cloud=0 override_name="" override_authorizer="" used_quota="0"

    Jan 13 23:00:34 _gateway device="SFW" date=2020-01-13 time=23:00:34 timezone="CET" device_name="SF01V" device_id=SFDemo-5e0e743 log_id=148531619004 log_type="SSL" log_component="SSL" log_subtype="Decrypt" severity=Information user_name="" src_ip=10.145.9.146 status="" message="" timestamp=1578952834 connectionname="" dst_ip=93.184.216.34 user_gp="" src_country=R1 dst_country=USA src_port=48132 dst_port=443 app_name="" con_id=0 rule_id=3 profile_id=1 rule_name=aaa profile_name="Maximum compatibility" bitmask=Valid key_type=KEY_TYPE__RSA fingerprint="7b:b6:98:38:69:70:36:3d:29:19:cc:57:72:84:69:84:ff:d4:a8:89" resumed=0 cert_chain_served=TRUE cipher_suite=TLS_AES_256_GCM_SHA384 sni=www.example.com tls_version=TLS1.3 reason= exceptions="" key_type=KEY_TYPE__RSA key_param="std_event.tlsdata.server_cert_private_key_type_param" category=Information Technology
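
The two records above are plain key=value text, so a syslog receiver can pick out the SSL/TLS Filter events the original question is about. The following is an added example, not code from this thread or from Sophos; it parses constructed sample lines abridged from the two records above (the field names and the quoting quirks, such as the unquoted category value and the empty reason=, are taken from them) and keeps only the log_type="SSL" records.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample lines, abridged from the two XG syslog records quoted above:
# a Web Filter record (log_type="Content Filtering") and an SSL/TLS Filter record (log_type="SSL").
SAMPLE_LINES = [
    'Jan 13 23:00:34 _gateway device="SFW" date=2020-01-13 time=23:00:34 timezone="CET" device_name="SF01V" '
    'log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" '
    'url="https://www.example.com/" src_ip=10.145.9.146 dst_ip=93.184.216.34 dst_port=443 status_code="200"',
    'Jan 13 23:00:34 _gateway device="SFW" date=2020-01-13 time=23:00:34 timezone="CET" device_name="SF01V" '
    'log_id=148531619004 log_type="SSL" log_component="SSL" log_subtype="Decrypt" severity=Information '
    'src_ip=10.145.9.146 dst_ip=93.184.216.34 dst_port=443 rule_name=aaa profile_name="Maximum compatibility" '
    'fingerprint="7b:b6:98:38:69:70:36:3d:29:19:cc:57:72:84:69:84:ff:d4:a8:89" cipher_suite=TLS_AES_256_GCM_SHA384 '
    'sni=www.example.com tls_version=TLS1.3 reason= exceptions="" key_type=KEY_TYPE__RSA '
    'key_type=KEY_TYPE__RSA category=Information Technology',
]

# Syslog prefix "<Mon> <day> <HH:MM:SS> <host> ", then the key=value body.
_PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<body>.*)$")
# One key=value pair: the value is double-quoted (may contain spaces) or bare. A bare value
# runs until the next " key=" token or end of line, which is what makes the unquoted
# 'category=Information Technology' and the empty 'reason=' in the SSL record parse correctly.
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(.*?))(?=\s+\w+=|$)')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one XG syslog line into a flat dict; None if the syslog prefix is malformed."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    rec = {"syslog_ts": m.group("ts"), "syslog_host": m.group("host")}
    for key, quoted, bare in _PAIR.findall(m.group("body")):
        # First occurrence wins: the SSL record emits key_type twice, and a silent
        # overwrite would hide that from anyone debugging the feed.
        rec.setdefault(key, quoted or bare)
    return rec


def ssl_inspection_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only SSL/TLS Filter records, i.e. the ones the original question wants shipped off-box."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("log_type") == "SSL" and rec.get("log_component") == "SSL":
            out.append(rec)
    return out


def tls_summary(rec: Dict[str, str]) -> Dict[str, str]:
    """The fields that matter first when troubleshooting one inspected connection."""
    keys = ("log_subtype", "sni", "tls_version", "cipher_suite", "fingerprint", "profile_name", "reason")
    return {k: rec.get(k, "") for k in keys}
```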

  • Hello Michael,

    This is the problem: it is not there. At least in my XG210 with EAP3 nothing like that is available. Most likely you have a newer version of EAP that already contains this option?

    Regards

    alda


  • It has been there for a while.  Perhaps a problem with upgrade vs new?

    I was just testing a 17.5 -> latest (unreleased) upgrade and it appears.

    What is the upgrade history of your box, including any rollbacks?

  • It's also not showing in my box.

    On v18 EAP 3. Fresh install.

    Thanks,

    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

  • Hello Michael,

    If I remember well: a clean installation of v17.5 MR8, then a backup restore, then EAP1 - EAP1 Refresh - EAP2 - EAP3, and certainly no rollback. Could I somehow verify how I installed the updates? UTM v9 has this function in the CLI; I don't know if XG has a similar function too.

    Regards

    alda

    Thanks. Although I could not reproduce it, it is now tracked internally as a bug and will be investigated.

  • Hello Michael,

    I have two test installations of XG v18 EAP3-Refresh1.

    The first is a HW appliance XG210 installed by MR8 - EAP1 - EAP1-Refresh1 - EAP2 - EAP3 - EAP3-Refresh1; this installation does not offer SSL / TLS filter in the Content filtering section.

    The second is a virtual VMware appliance installed by EAP3 - EAP3-Refresh1; this installation offers SSL / TLS filter in the Content filtering section.

    Does anyone have a similar experience with SSL / TLS filter in the Content filtering section?

    Regards

    alda

  • Hi alda,

    Same thing here.

    On my SW appliance it's not showing SSL/TLS Filter in the log settings, while on my KVM VM it's showing as expected.

    Both are running EAP 3 Refresh-1.

    Thanks,

    As far as I understand it was added in EAP2 but there is a missing upgrade script.

    Any box that was installed with 17.5 or 18.0 EAP1 and then upgraded will not have the checkbox.

    Any box that was installed with 18.0 EAP2 or later and then upgraded will have the checkbox.

    Regardless of the above, any box that upgrades to 18.0 GA will have the checkbox, no matter where it came from.

    If you are missing the checkbox and really need it before GA, you'll have to back up, install a fresh copy of EAP3-refresh, and restore.

  • Actually, if you are missing the checkbox and really need it, you can PM me and I will give you a command to run that will fix it.