[Answered] Feature request: SSL/TLS inspection feature to syslog

Good morning,


Quick question: in the new v18 firmware I don't see the ability to send the SSL/TLS Inspection logs to another device via syslog.

It'd be really helpful for troubleshooting if there were a way to send these logs to a remote machine for processing.


Is there any chance of, or an ETA for, the syslog options being extended to include this?


Kind regards,

Frank

  • Which of all checkboxes is used by the new SSL/TLS Inspection feature?

    If I check the appliance log viewer, I see there are log messages containing "log_type="SSL" log_component="SSL"". I would expect to be able to ship these via Syslog to my receiver, but even with all checkboxes checked these messages never show up.


  • In Log Viewer it is SSL/TLS Inspection.

    In syslog it is SSL/TLS Filter, right beside the Web Filter.


    I just confirmed on my box.

    Jan 13 23:00:34 _gateway device="SFW" date=2020-01-13 time=23:00:34 timezone="CET" device_name="SF01V" device_id=SFDemo-5e0e743 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=5 user_name="" user_gp="" iap=1 category="Information Technology" category_type="Acceptable" url="https://www.example.com/" contenttype="text/html" override_token="" httpresponsecode="" src_ip=10.145.9.146 dst_ip=93.184.216.34 protocol="TCP" src_port=48132 dst_port=443 sent_bytes=79 recv_bytes=1578 domain=www.example.com exceptions= activityname="" reason="" user_agent="curl/7.58.0" status_code="200" transactionid=5df1925d-c83e-4743-ac76-f0826d89eb24 referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=0 application="" app_is_cloud=0 override_name="" override_authorizer="" used_quota="0"

    Jan 13 23:00:34 _gateway device="SFW" date=2020-01-13 time=23:00:34 timezone="CET" device_name="SF01V" device_id=SFDemo-5e0e743 log_id=148531619004 log_type="SSL" log_component="SSL" log_subtype="Decrypt" severity=Information user_name="" src_ip=10.145.9.146 status="" message="" timestamp=1578952834 connectionname="" dst_ip=93.184.216.34 user_gp="" src_country=R1 dst_country=USA src_port=48132 dst_port=443 app_name="" con_id=0 rule_id=3 profile_id=1 rule_name=aaa profile_name="Maximum compatibility" bitmask=Valid key_type=KEY_TYPE__RSA fingerprint="7b:b6:98:38:69:70:36:3d:29:19:cc:57:72:84:69:84:ff:d4:a8:89" resumed=0 cert_chain_served=TRUE cipher_suite=TLS_AES_256_GCM_SHA384 sni=www.example.com tls_version=TLS1.3 reason= exceptions="" key_type=KEY_TYPE__RSA key_param="std_event.tlsdata.server_cert_private_key_type_param" category=Information Technology
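The two records quoted above are what the Web Filter and the SSL/TLS Filter syslog modules emit for the same connection. As an added example (not code from the post or from Sophos), the Python below parses SFOS key=value syslog records, taking care of the two awkward cases visible in the SSL record: an unquoted value containing a space (category=Information Technology) and an unquoted empty value (reason=). It then joins the SSL "Decrypt" record to the HTTP record of the same connection so the TLS version, cipher and SNI can be read next to the URL and HTTP status, and flags an SNI that differs from the host the proxy saw after decryption. The log_type to syslog-module mapping follows the post; the join on the 4-tuple (con_id is 0 in both records) is an assumption made for this example.

```python
import re
from collections import defaultdict

# The two syslog records quoted in the post above (one Web Filter record,
# one SSL/TLS Filter record for the same connection). They are the
# poster's own lines, not constructed here.
SAMPLE_LINES = [
    'Jan 13 23:00:34 _gateway device="SFW" date=2020-01-13 time=23:00:34 timezone="CET" device_name="SF01V" device_id=SFDemo-5e0e743 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=5 user_name="" user_gp="" iap=1 category="Information Technology" category_type="Acceptable" url="https://www.example.com/" contenttype="text/html" override_token="" httpresponsecode="" src_ip=10.145.9.146 dst_ip=93.184.216.34 protocol="TCP" src_port=48132 dst_port=443 sent_bytes=79 recv_bytes=1578 domain=www.example.com exceptions= activityname="" reason="" user_agent="curl/7.58.0" status_code="200" transactionid=5df1925d-c83e-4743-ac76-f0826d89eb24 referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=0 application="" app_is_cloud=0 override_name="" override_authorizer="" used_quota="0"',
    'Jan 13 23:00:34 _gateway device="SFW" date=2020-01-13 time=23:00:34 timezone="CET" device_name="SF01V" device_id=SFDemo-5e0e743 log_id=148531619004 log_type="SSL" log_component="SSL" log_subtype="Decrypt" severity=Information user_name="" src_ip=10.145.9.146 status="" message="" timestamp=1578952834 connectionname="" dst_ip=93.184.216.34 user_gp="" src_country=R1 dst_country=USA src_port=48132 dst_port=443 app_name="" con_id=0 rule_id=3 profile_id=1 rule_name=aaa profile_name="Maximum compatibility" bitmask=Valid key_type=KEY_TYPE__RSA fingerprint="7b:b6:98:38:69:70:36:3d:29:19:cc:57:72:84:69:84:ff:d4:a8:89" resumed=0 cert_chain_served=TRUE cipher_suite=TLS_AES_256_GCM_SHA384 sni=www.example.com tls_version=TLS1.3 reason= exceptions="" key_type=KEY_TYPE__RSA key_param="std_event.tlsdata.server_cert_private_key_type_param" category=Information Technology',
]

# One key=value pair. The value is either double-quoted, or an unquoted run
# that extends up to the next ' key=' token or to end of line. The lazy
# unquoted branch makes 'category=Information Technology' parse as one value
# and 'reason= exceptions=""' give reason an empty value.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(.*?))(?=\s+\w+=|$)')

# Syslog module names as given in the post for each log_type.
SYSLOG_MODULE = {
    'SSL': 'SSL/TLS Filter',
    'Content Filtering': 'Web Filter',
}


def parse_sfos_line(line):
    """Parse one SFOS syslog line into a dict of string fields.

    The syslog header before the first 'device=' is kept under '_header'.
    When a key repeats (key_type appears twice in the SSL record) the last
    occurrence wins, which is harmless here because both values are equal.
    """
    start = line.find('device=')
    if start < 0:
        raise ValueError('not an SFOS key=value record: %r' % line[:40])
    fields = {'_header': line[:start].strip()}
    for m in _KV.finditer(line, start):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def syslog_module(record):
    """Name of the syslog checkbox that emits this record, per the post."""
    return SYSLOG_MODULE.get(record.get('log_type'), 'unknown')


def join_ssl_with_http(records):
    """Join each SSL record to the Web Filter record of the same connection.

    con_id is 0 in both quoted records, so the 4-tuple (src_ip, src_port,
    dst_ip, dst_port) is used as the join key instead (an assumption made
    for this example). The result puts the negotiated TLS parameters and
    the SNI next to the URL and HTTP status, and flags an SNI that does not
    match the HTTP host the proxy saw after decryption.
    """
    by_conn = defaultdict(dict)
    for r in records:
        conn = (r.get('src_ip'), r.get('src_port'), r.get('dst_ip'), r.get('dst_port'))
        by_conn[conn][r.get('log_type')] = r

    joined = []
    for (sip, sport, dip, dport), parts in by_conn.items():
        ssl, http = parts.get('SSL'), parts.get('Content Filtering')
        if not (ssl and http):
            continue
        joined.append({
            'src': '%s:%s' % (sip, sport),
            'dst': '%s:%s' % (dip, dport),
            'decrypted': ssl.get('log_subtype') == 'Decrypt',
            'tls_version': ssl.get('tls_version'),
            'cipher_suite': ssl.get('cipher_suite'),
            'sni': ssl.get('sni'),
            'profile': ssl.get('profile_name'),
            'url': http.get('url'),
            'http_status': http.get('status_code'),
            'sni_matches_host': ssl.get('sni') == http.get('domain'),
        })
    return joined


if __name__ == '__main__':
    records = [parse_sfos_line(line) for line in SAMPLE_LINES]
    for r in records:
        print(r['log_type'], '->', syslog_module(r))
    for j in join_ssl_with_http(records):
        print(j)
```

Feed it the raw lines your syslog receiver stores and the SSL/TLS Filter records are the ones for which syslog_module() returns 'SSL/TLS Filter'; if none ever arrive while Web Filter records do, the module is not being shipped, which is the symptom the thread is about.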

  • Hello Michael,

    That is the problem: at least in my XG210 with EAP3, nothing like that is available. Most likely you have a newer version of the EAP that already contains this option?

    Regards

    alda


  • It has been there for a while. Perhaps a problem with upgrade vs. new?

    I was just testing a 17.5 -> latest (unreleased) upgrade and it appears.

    What is the upgrade history of your box, including any rollbacks?

  • It's also not showing in my box.

    On v18 EAP 3. Fresh install.


    Thanks,

    ------------

    v18 MR 2 | Ryzen 3300x | 8GB RAM.


  • Hello Michael,

    If I remember well: a clean installation of v17.5 MR8, then a backup restore - EAP1 - EAP1Refresh - EAP2 - EAP3, and certainly no rollback. Could I somehow verify how I installed the updates? UTM v9 has this function in the CLI; I don't know whether XG has a similar function too.

    Regards

    alda

  • Thanks. Although I could not reproduce it, it is now tracked internally as a bug and will be investigated.

  • Thanks for all the replies and information!


    For my box there is no upgrade path from v17.x:

    I did a clean install using the SW-18.0.0_EAP1-102.iso on a newly created VM, and installed all updates that my box received from there. I have had both SFOS 18.0.0 EAP2 and SFOS 18.0.0 EAP3 installed, but neither has this option available.

    Hence the question whether it will ever be added: I'd understand that not having the option could be a bug in the upgrade process from v17.x to the new version, but on a clean install it felt a bit odd not to have all functionality available.


    Kind regards,

    Frank

  • Hello Michael,

    I have two test installations of XG v18 EAP3-Refresh1.

    The first is a HW appliance XG210 installed via MR8 - EAP1 - EAP1-Refresh1 - EAP2 - EAP3 - EAP3-Refresh1; this installation does not offer SSL / TLS filter in the Content filtering section.

    The second is a virtual VMware appliance installed via EAP3 - EAP3-Refresh1; this installation offers SSL / TLS filter in the Content filtering section.

    Does anyone have a similar experience with SSL / TLS filter in the Content filtering section?

    Regards

    alda