After Chrome/Edge browser update, few websites being blocked by App Control signature "Traffic Anomaly Detection (SID: 6)"

Description

This article explains the Issue, Resolution, and Workaround for the websites being blocked by Application control on Chrome Browser version 92.0.4515.XXX  & Microsoft Edge Browser version 92.0.902.XX as"Application Control Prevention Alert: PROXY-ACCESS Non-SSL traffic over SSL port -- Traffic Anomaly Detection, SID: 6, AppID: 2901, CatID: 27"

On Gen 6 and Gen 6.5 Firewalls, with firmwares below 6.5.4.5-53n, some websites such as Apple.com, Amazon.com etc. are being blocked by Application Control (if enabled). Below is the log as seen on the Event Logs when the website is being blocked:

 Image

Cause

The cause for this being that the latest Chrome & Edge browsers started using two-segment “CLIENT HELLO” for those blocked websites.

In 6.5.4.4-44n & below firmware, this two-segment “CLIENT HELLO” was detected under Sonicwall Application Control Signature "Traffic Anomaly Detection (SID: 6)".

Signature Complete Information:

  • Category: PROXY-ACCESS -- Traffic Anomaly Detection (CatID:27).
  • Application: Non-SSL traffic over SSL port (AppID:2901).
  • Signature: Traffic Anomaly Detection (SID:6).


Packet Capture with old Edge/Chrome browser versions:

Image


Packet Capture with New updated Edge/Chrome browser versions:

Image

Resolution

Resolution:

For Gen 6 TZ, NSA, SM (till 9600) devices:

This issue was resolved with 6.5.4.5-53n & above versions, click on the link below to find instructions on how the firmware can be upgraded.

How Can I upgrade SonicOS firmware?

For SM9800 & NSsp12k devices:The issue has been fixed and a hotfix is available. A request can be sent to SonicWall support via a support case and the hotfix will be provided for the build on top of 6.5.1.13.

 

Workaround:

If firmware upgrade is not feasible, then exclude Website IP or disable SID: 6 under App control "Traffic Anomaly Detection" Signature under "Non-SSL traffic over SSL port" Application of "PROXY-ACCESS" Category.

 

To disable Signature:

  • Login to your SonicWall management page and click Manage tab on top of the page.
  • Navigate to Rules | Advanced Application Control page, select category as Proxy-Access.
  • Change the viewed by style to Signature.
  • Select the signature: Non-SSL traffic over SSL port, click on the configure button alongside to bring up the Edit App Control window.
  • Select Disable under Block. Log could be set to either use Category Settings, Enable or Disable.
  • Click OK.

    Image

 

To whitelist the website IP:

  • Login to your SonicWall management page and click Manage tab on top of the page.
  • Navigate to Rules | Advanced Application Control page, select category as Proxy-Access.
  • Change the viewed by style to Signature.
  • Select the signature: Non-SSL traffic over SSL port, click on the configure button alongside to bring up the Edit App Control window.
  • Under Excluded IP Address Range, select the website IP/range of IPs to be excluded.
  • Click OK.

    Image

Related Articles

  • How to block ICMP (Ping ) using Application control
    Read More
  • SonicWall GEN8 TZ and NSa Firewalls FAQ
    Read More
  • How to configure Link Aggregation
    Read More

Categories

Firewalls
NSa Series
Firewalls
NSsp Series
Firewalls
SonicWall NSA Series
Firewalls
SonicWall SuperMassive 9000 Series
Firewalls
TZ Series
not finding your answers?
Ask the Community