Quick question: In the new v18 firmware I don't see the ability to send the SSL/TLS Inspection logs to another device via syslog.
It'd be really helpful for troubleshooting if there were a way to send these logs to a remote machine for processing.
Is there any chance or ETA on when the syslog options will be extended to include this?
System Services > Log settings.
Which of the checkboxes is used by the new SSL/TLS Inspection feature?
If I check the appliance log viewer, I see there are log messages containing "log_type="SSL" log_component="SSL"". I would expect to be able to ship these via Syslog to my receiver, but even with all checkboxes checked these messages never show up.
In Log Viewer it is SSL/TLS Inspection.
In syslog it is SSL/TLS Filter. Right beside the Web Filter.
I just confirmed on my box.
Jan 13 23:00:34 _gateway device="SFW" date=2020-01-13 time=23:00:34 timezone="CET" device_name="SF01V" device_id=SFDemo-5e0e743 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=5 user_name="" user_gp="" iap=1 category="Information Technology" category_type="Acceptable" url="https://www.example.com/" contenttype="text/html" override_token="" httpresponsecode="" src_ip=10.145.9.146 dst_ip=22.214.171.124 protocol="TCP" src_port=48132 dst_port=443 sent_bytes=79 recv_bytes=1578 domain=www.example.com exceptions= activityname="" reason="" user_agent="curl/7.58.0" status_code="200" transactionid=5df1925d-c83e-4743-ac76-f0826d89eb24 referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=0 application="" app_is_cloud=0 override_name="" override_authorizer="" used_quota="0"
Jan 13 23:00:34 _gateway device="SFW" date=2020-01-13 time=23:00:34 timezone="CET" device_name="SF01V" device_id=SFDemo-5e0e743 log_id=148531619004 log_type="SSL" log_component="SSL" log_subtype="Decrypt" severity=Information user_name="" src_ip=10.145.9.146 status="" message="" timestamp=1578952834 connectionname="" dst_ip=126.96.36.199 user_gp="" src_country=R1 dst_country=USA src_port=48132 dst_port=443 app_name="" con_id=0 rule_id=3 profile_id=1 rule_name=aaa profile_name="Maximum compatibility" bitmask=Valid key_type=KEY_TYPE__RSA fingerprint="7b:b6:98:38:69:70:36:3d:29:19:cc:57:72:84:69:84:ff:d4:a8:89" resumed=0 cert_chain_served=TRUE cipher_suite=TLS_AES_256_GCM_SHA384 sni=www.example.com tls_version=TLS1.3 reason= exceptions="" key_type=KEY_TYPE__RSA key_param="std_event.tlsdata.server_cert_private_key_type_param" category=Information Technology
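As an added example (not from the thread or from Sophos), here is a small parser for the key=value format of the two syslog lines above, which a receiver can use to pull out the SSL/TLS Filter events (log_type="SSL") once they arrive. The sample lines are constructed and shortened from the quoted ones; the parser deliberately handles the two quirks visible in them: the repeated key_type field and the unquoted category=Information Technology value at the end.

```python
import re

# Constructed sample lines, modelled on the two Sophos XG syslog messages quoted in the
# thread (shortened, same quoting quirks). They are not captured from a real device.
SAMPLE_LINES = [
    'Jan 13 23:00:34 _gateway device="SFW" log_id=050901616001 log_type="Content Filtering" '
    'log_component="HTTP" log_subtype="Allowed" src_ip=10.145.9.146 dst_port=443 '
    'url="https://www.example.com/" user_agent="curl/7.58.0" status_code="200"',
    'Jan 13 23:00:34 _gateway device="SFW" log_id=148531619004 log_type="SSL" log_component="SSL" '
    'log_subtype="Decrypt" severity=Information src_ip=10.145.9.146 dst_port=443 rule_id=3 '
    'profile_name="Maximum compatibility" key_type=KEY_TYPE__RSA cipher_suite=TLS_AES_256_GCM_SHA384 '
    'sni=www.example.com tls_version=TLS1.3 reason= exceptions="" key_type=KEY_TYPE__RSA '
    'category=Information Technology',
]

# A field is key=value where value is either double-quoted (spaces allowed inside)
# or a bare run of non-space characters, possibly empty (reason=).
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]*)')


def parse_sophos_line(line: str) -> dict[str, list[str]]:
    """Parse one Sophos XG syslog line into key -> list of values; a key can repeat
    (key_type appears twice above) and a bare value written with a space
    (category=Information Technology) is re-joined from the dangling token."""
    fields: dict[str, list[str]] = {}
    last_key, pos = None, 0
    for m in _PAIR.finditer(line):
        gap = line[pos:m.start()].strip()
        if gap and last_key is not None:
            fields[last_key][-1] += " " + gap  # continuation of the previous bare value
        raw = m.group(2)
        fields.setdefault(m.group(1), []).append(raw[1:-1] if raw.startswith('"') else raw)
        last_key, pos = m.group(1), m.end()
    tail = line[pos:].strip()
    if tail and last_key is not None:
        fields[last_key][-1] += " " + tail
    return fields


def ssl_decrypt_summary(lines: list[str]) -> list[dict[str, str]]:
    """Keep only SSL/TLS Filter events and reduce each to the fields an analyst reads first."""
    out = []
    for line in lines:
        f = parse_sophos_line(line)
        if f.get("log_type", [""])[0] != "SSL":
            continue  # HTTP / Content Filtering rows are skipped
        out.append({k: f.get(k, [""])[0] for k in
                    ("log_subtype", "sni", "tls_version", "cipher_suite", "rule_id", "category")})
    return out
```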
This is the problem: there is not. At least in my XG210 with EAP3 nothing like that is available. Most likely you have a newer version of EAP that already contains this option?
It has been there for a while. Perhaps a problem with upgrade vs new?
I was just testing a 17.5 -> latest (unreleased) upgrade and it appears.
What is the upgrade history of your box, including any rollbacks?
It's also not showing in my box.
On v18 EAP 3. Fresh install.
v18 MR 2 | Ryzen 3300x | 8GB RAM.
If I remember well: a clean installation of v17.5 MR8, then a backup restore - EAP1 - EAP1 Refresh - EAP2 - EAP3, and certainly no rollback. Could I somehow verify how I installed the updates? UTM v9 has this function in the CLI; I don't know if XG has a similar function too?
Thanks. Although I could not reproduce it, it is now tracked internally as a bug and will be investigated.
Thanks for all the replies and information!
For my box there is no upgrade path from v17.x:
I did a clean install using the SW-18.0.0_EAP1-102.iso on a newly created VM, and installed all updates that my box received from there. I have had both SFOS 18.0.0 EAP2 and SFOS 18.0.0 EAP3 installed, but neither has this option available.
Hence the question of whether it will ever be added: I'd understand that missing the option could be a bug in the upgrade process from v17.x to the new version, but on a clean install it felt a bit odd not to have all functionality available.
I have two test installations of XG v18 EAP3-Refresh1.
The first is a HW appliance XG210 installed via MR8 - EAP1 - EAP1-Refresh1 - EAP2 - EAP3 - EAP3-Refresh1; this installation does not offer SSL / TLS filter in the Content filtering section.
The second is a virtual VMware appliance installed via EAP3 - EAP3-Refresh1; this installation offers SSL / TLS filter in the Content filtering section.
Does anyone have a similar experience with SSL / TLS filter in the Content filtering section?