After Chrome/Edge browser update, few websites being blocked by App Control signature "Traffic Anomaly Detection (SID: 6)"
08/10/2021
Description
This article explains the issue, resolution, and workaround for websites being blocked by Application Control on Chrome browser version 92.0.4515.XXX and Microsoft Edge browser version 92.0.902.XX with the alert "Application Control Prevention Alert: PROXY-ACCESS Non-SSL traffic over SSL port -- Traffic Anomaly Detection, SID: 6, AppID: 2901, CatID: 27".
On Gen 6 and Gen 6.5 firewalls running firmware below 6.5.4.5-53n, some websites such as Apple.com and Amazon.com are blocked by Application Control (if enabled). Below is the log as seen in the Event Logs when the website is blocked:
Cause
The cause is that the latest Chrome and Edge browsers started using a two-segment “CLIENT HELLO” for those blocked websites.
In firmware 6.5.4.4-44n and below, this two-segment “CLIENT HELLO” was detected by the SonicWall Application Control signature "Traffic Anomaly Detection (SID: 6)".
Signature Complete Information:
- Category: PROXY-ACCESS -- Traffic Anomaly Detection (CatID:27).
- Application: Non-SSL traffic over SSL port (AppID:2901).
- Signature: Traffic Anomaly Detection (SID:6).
Packet Capture with old Edge/Chrome browser versions:
Packet Capture with New updated Edge/Chrome browser versions:
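The following added example (not SonicWall code and not part of the original article) parses the first TCP payload seen on a TLS port and reports whether it holds a complete ClientHello or only its first part, then contrasts an inspector that judges that segment alone with one that reassembles. The function names, the 1460-byte split point and the strict per-segment rule are assumptions for illustration; the article does not describe the signature's internal logic.

```python
import struct

def build_client_hello(body_len):
    """Constructed sample: a TLS record carrying a ClientHello with a dummy body."""
    body = bytes(body_len)  # placeholder bytes, not a real hello body
    handshake = b"\x01" + body_len.to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def inspect_first_segment(payload):
    """Classify buffered bytes from a TLS port; returns (verdict, missing_bytes)."""
    if len(payload) < 6:
        return ("need-more-data", None)
    ctype, major, _minor, rec_len = struct.unpack("!BBBH", payload[:5])
    # 0x16 = handshake record, 0x03 = TLS major version, 0x01 = ClientHello
    if ctype != 0x16 or major != 0x03 or payload[5] != 0x01:
        return ("not-tls-client-hello", None)
    missing = 5 + rec_len - len(payload)  # record header is 5 bytes
    if missing > 0:
        return ("client-hello-segmented", missing)
    return ("client-hello-complete", 0)

def per_segment_verdict(payload):
    """Hypothetical strict rule: only a complete hello in segment 1 is accepted."""
    verdict, _ = inspect_first_segment(payload)
    return "allow" if verdict == "client-hello-complete" else "anomaly"

def reassembling_verdict(segments):
    """Buffer segments until the length announced in the record header is met."""
    buf = b""
    for seg in segments:
        buf += seg
        verdict, _ = inspect_first_segment(buf)
        if verdict == "client-hello-complete":
            return "allow"
        if verdict == "not-tls-client-hello":
            return "anomaly"
    return "anomaly"  # stream ended before the hello completed

if __name__ == "__main__":
    big = build_client_hello(1800)          # constructed: too large for one segment
    segments = [big[:1460], big[1460:]]     # assumed split at a 1460-byte MSS
    print(inspect_first_segment(segments[0]), per_segment_verdict(segments[0]))
    print(reassembling_verdict(segments))
```

Running the same check over the first payload of each flow in a capture separates genuine non-TLS traffic on port 443 from a valid ClientHello that merely spans two segments.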
Resolution
Resolution:
- For Gen 6 TZ, NSA, SM (till 9600) devices: This issue was resolved in versions 6.5.4.5-53n and above. For instructions on upgrading the firmware, see "How Can I upgrade SonicOS firmware?".
- For SM9800 & NSsp12k devices: The issue has been fixed and a hotfix is available. A request can be sent to SonicWall support via a support case, and the hotfix will be provided for the build on top of 6.5.1.13.
Workaround:
If a firmware upgrade is not feasible, either exclude the website IP or disable SID: 6, the "Traffic Anomaly Detection" signature under the "Non-SSL traffic over SSL port" application of the "PROXY-ACCESS" category in App Control.
To disable Signature:
- Log in to your SonicWall management page and click the Manage tab at the top of the page.
- Navigate to Rules | Advanced Application Control page, select category as Proxy-Access.
- Change the viewed by style to Signature.
- Select the signature: Non-SSL traffic over SSL port, click on the configure button alongside to bring up the Edit App Control window.
- Select Disable under Block. Log can be set to Use Category Settings, Enable, or Disable.
- Click OK.
To whitelist the website IP:
- Log in to your SonicWall management page and click the Manage tab at the top of the page.
- Navigate to Rules | Advanced Application Control page, select category as Proxy-Access.
- Change the viewed by style to Signature.
- Select the signature: Non-SSL traffic over SSL port, click on the configure button alongside to bring up the Edit App Control window.
- Under Excluded IP Address Range, select the website IP/range of IPs to be excluded.
- Click OK.