Syslog messages to GMS blocked by Application Control Advanced
03/26/2020 5 13993
DESCRIPTION: Syslog messages to GMS blocked by Application Control Advanced
Encrypted Syslog traffic sent by a SonicWall UTM appliance to a GMS sever is blocked by App Control Advanced as PROXY-ACCESS Encrypted Key Exchange -- UDP Random Encryption(UltraSurf), SID: 7, AppID: 2900, CatID: 27.
Resolution or Workaround:
App Control Advanced Signature ID 7, introduced in SonicOS 18.104.22.168-57o, identifies encrypted UDP packets and, if enabled, blocks it. This signature is intended to block proxy applications that try to bypass firewall detection. Encrypted Syslog messages coming from a SonicWall UTM appliance to a GMS server / appliance could be falsely identified as coming from a proxy application and blocked.
The following workaround could be applied to allow such Syslog traffic:
1. Add the GMS server/appliance IP address to the Exclusion List of App Control Advanced.
2. Exclude the GMS server/appliance IP address from SID 7 (PROXY-ACCESS Encrypted Key Exchange UDP Random Encryption(UltraSurf), SID)CatID: 27.
Create an Address Object for the GMS server IP under Network > Address Objects page
To add the GMS server/appliance IP address to the Exclusion List of App Control Advanced.
Navigate to the Firewall > App Control Advanced page.
Click on the Configure App Control Settings button.
In the App Control Config View pop-up window, enable check box Enable App Control Exclusion List
Select radio button Use Application Control Exclusion Address Object.
Select the earlier created Address Object of the GMS server from the drop-down list.
Click on OK to save.
To exclude the GMS server/appliance IP address from SID 7
In the Firewall > App Control Advanced page, enter 7 under Lookup Signature ID and click on the configure button.
In the Edit App Control Signature window, select the address object of the GMS server IP address under Excluded IP Address Range.