Syslog messages to GMS blocked by Application Control Advanced

Description

Syslog messages to GMS blocked by Application Control Advanced

Resolution

Problem Definition:

Encrypted Syslog traffic sent by a SonicWall UTM appliance to a GMS server is blocked by App Control Advanced as PROXY-ACCESS Encrypted Key Exchange -- UDP Random Encryption(UltraSurf), SID: 7, AppID: 2900, CatID: 27.

Resolution or Workaround:

App Control Advanced Signature ID 7, introduced in SonicOS 5.8.1.8-57o, identifies encrypted UDP packets and, if enabled, blocks them. This signature is intended to block proxy applications that try to bypass firewall detection. Encrypted Syslog messages sent by a SonicWall UTM appliance to a GMS server/appliance can be falsely identified as coming from a proxy application and blocked.

The following workaround could be applied to allow such Syslog traffic:

1. Add the GMS server/appliance IP address to the Exclusion List of App Control Advanced.

2. Exclude the GMS server/appliance IP address from SID 7 (PROXY-ACCESS Encrypted Key Exchange -- UDP Random Encryption(UltraSurf), CatID: 27).
 

Procedure

Create an Address Object for the GMS server IP on the Network > Address Objects page.



To add the GMS server/appliance IP address to the Exclusion List of App Control Advanced:
  1. Navigate to the Firewall > App Control Advanced page.
  2. Click on the Configure App Control Settings button.
  3. In the App Control Config View pop-up window, enable the check box Enable App Control Exclusion List.
  4. Select the radio button Use Application Control Exclusion Address Object.
  5. Select the previously created Address Object of the GMS server from the drop-down list.
  6. Click on OK to save.


To exclude the GMS server/appliance IP address from SID 7:
  1. In the Firewall > App Control Advanced page, enter 7 under Lookup Signature ID and click on the configure button.
  2. In the Edit App Control Signature window, select the address object of the GMS server IP address under Excluded IP Address Range.
  3. Click on OK to save.
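
Before and after applying the exclusion, it helps to confirm that the SID 7 hits being exempted really are the Syslog flows to the GMS server. The following is an added example, not part of the original article or of SonicWall's tooling; it sorts SID 7 hits from an exported log into GMS-bound traffic and everything else. The key=value log layout, the `src`/`dst` field form, and the address 192.0.2.10 are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter

GMS_IP = "192.0.2.10"  # assumption: GMS server address (documentation range)
SIG = "SID: 7, AppID: 2900, CatID: 27"  # identifiers quoted in the article
MSG = "PROXY-ACCESS Encrypted Key Exchange -- UDP Random Encryption(UltraSurf), " + SIG

# Constructed sample lines. The key=value layout and the ip:port:interface
# form of src/dst are assumptions about the exported log, not a documented format.
SAMPLE_LOG = "\n".join([
    f'msg="{MSG}" src=10.0.0.1:514:X1 dst={GMS_IP}:514:X1',
    f'msg="{MSG}" src=10.0.0.1:514:X1 dst={GMS_IP}:514:X1',
    f'msg="{MSG}" src=10.0.0.57:40211:X0 dst=203.0.113.8:443:X1',
    f'msg="{MSG}" src=10.0.0.57:40212:X0 dst=203.0.113.8:443:X1',
    f'msg="Constructed unrelated signature, SID: 70" src=10.0.0.9:5000:X0 dst={GMS_IP}:514:X1',
])

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Turn one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def triage(log_text, gms_ip=GMS_IP):
    """Split SID 7 hits into GMS-bound sources and a count of all other flows."""
    gms_sources, other_flows = [], Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if SIG not in rec.get("msg", ""):
            continue  # a different signature, e.g. SID 70
        src_ip = rec.get("src", "").split(":")[0]  # IPv4 only
        dst_ip = rec.get("dst", "").split(":")[0]
        if dst_ip == gms_ip:
            gms_sources.append(src_ip)
        else:
            other_flows[(src_ip, dst_ip)] += 1
    return gms_sources, other_flows

if __name__ == "__main__":
    gms_sources, other_flows = triage(SAMPLE_LOG)
    print(f"SID 7 hits to GMS {GMS_IP}: {len(gms_sources)} from {sorted(set(gms_sources))}")
    for (src, dst), n in other_flows.items():
        print(f"SID 7 hit NOT to GMS, keep blocking and review: {src} -> {dst} x{n}")
```

Flows in the second group are not explained by GMS Syslog, so they should stay subject to SID 7 and not be added to the exclusion address object.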
