SSL Proxy Logs
Table 1 shows SSL proxy logs.

Syslog Type | Description |
---|---|
SSL_PROXY_SSL_SESSION_DROP | Logs generated when a session is dropped by SSL proxy. |
SSL_PROXY_SSL_SESSION_ALLOW | Logs generated when a session is processed by SSL proxy even after encountering some minor errors. |
SSL_PROXY_SESSION_IGNORE | Logs generated if non-SSL sessions are initially mistaken as SSL sessions. |
SSL_PROXY_SESSION_WHITELIST | Logs generated when a session is allowlisted. |
SSL_PROXY_ERROR | Logs used for reporting errors. |
SSL_PROXY_WARNING | Logs used for reporting warnings. |
SSL_PROXY_INFO | Logs used for reporting general information. |
Starting in Junos OS 23.4R1, we support the following new log messages on SRX Series Firewalls related to SSL configuration:
Syslog Type | Description |
---|---|
SSL_CONFIG_MEMORY_ALLOCATION_FAILURE | Logs for memory allocation failure. |
SSL_CONFIG_PROFILE_PROCESS_ERR | Error during processing of SSL profile. |
SSL_CONFIG_CERT_PROCESS_ERR | Error during processing of SSL certificate. |
SSL_GLOBAL_CONFIG_PROCESS_ERR | Error during processing of SSL global configuration. |
SSL_CONFIG_PKI_IPC_ERR | Error in IPC communication between SSL and PKI. |
For details, see Syslog Explorer.
You can use the SSL_PROXY_SESSION_WHITELIST and SSL_PROXY_INFO logs to check which URLs were logged. Example:
For non-whitelisted session – SSL_PROXY_INFO [junos@2636.1.1.1.2.129 logical-system-name="root-logical-system" session-id="17" source-address="5.0.0.1" source-port="57558" destination-address="4.0.0.1" destination-port="10302" nat-source-address="5.0.0.1" nat-source-port="57558" nat-destination-address="4.0.0.1" nat-destination-port="10302" profile-name="ssl-inspect-profile" source-zone-name="trust" source-interface-name="ge-0/0/0.0" destination-zone-name="untrust" destination-interface-name="ge-0/0/1.0" message="NA" sni="www.facebook.com" url-category="NULL"]
For whitelisted session – SSL_PROXY_SESSION_WHITELIST [junos@2636.1.1.1.2.129 logical-system-name="root-logical-system" session-id="18" url="4.0.0.1" source-address="5.0.0.1" source-port="57560" destination-address="4.0.0.1" destination-port="10302" nat-source-address="5.0.0.1" nat-source-port="57560" nat-destination-address="4.0.0.1" nat-destination-port="10302" profile-name="ssl-inspect-profile" source-zone-name="trust" source-interface-name="ge-0/0/0.0" destination-zone-name="untrust" destination-interface-name="ge-0/0/1.0" message="session whitelisted url category match SNI www.youtube.com URL_CATEGORY CATEGORY-1"]
Check System Log Explorer for more details.
All logs contain similar fields, listed here in their actual order of appearance:

logical-system-name, session-id, source-ip-address, source-port, destination-ip-address, destination-port, nat-source-ip-address, nat-source-port, nat-destination-ip-address, nat-destination-port, proxy profile name, source-zone-name, source-interface-name, destination-zone-name, destination-interface-name, message
The message field contains the reason for the log generation. One of three prefixes shown in Table 3 identifies the source of the message. Other fields are descriptively labeled.
Prefix | Description |
---|---|
system | Logs generated due to errors related to the device or an action taken as part of the SSL proxy profile. Most logs fall into this category. |
openssl error | Logs generated during the handshaking process if an error is detected by the openssl library. |
certificate error | Logs generated during the handshaking process if an error is detected in the certificate (x509 related errors). |
Sample logs:
Jun 1 05:11:13 4.0.0.254 junos-ssl-proxy: SSL_PROXY_SSL_SESSION_DROP: lsys:root 23 < 203.0.113.1/35090->192.0.2.1/443> NAT:< 203.0.113.1/35090->192.0.2.1/443> ssl-inspect-profile <untrust:ge-0/0/0.0->trust:ge-0/0/1.0> message:certificate error: self signed certificate
These logs capture sessions that are dropped by SSL proxy, not sessions that are marked by other modules that also use SSL proxy services.
For SSL_PROXY_SESSION_WHITELIST messages, an additional host field is included after the session-id and contains the IP address of the server or domain that has been allowlisted.
Jun 1 05:25:36 4.0.0.254 junos-ssl-proxy: SSL_PROXY_SESSION_WHITELIST: lsys:root 24 host:192.0.2.1/443<203.0.113.1/35090->192.0.2.1/443> NAT:< 203.0.113.1/35090->192.0.2.1/443 > ssl-inspect-profile <untrust:ge-0/0/0.0->trust:ge-0/0/1.0> message:system: session whitelisted
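The following parser is an added example, not part of the Juniper documentation: it handles both log forms shown on this page, the structured key="value" form used by the SSL_PROXY_INFO and SSL_PROXY_SESSION_WHITELIST examples above and the text form of the sample drop and whitelist logs, splits the message field into its Table 3 prefix and reason, and recovers the SNI (from the sni field, or from the whitelist message text). The sample lines are abridged from this page's own examples; the regular expressions are this example's assumptions about the layout, not a Juniper-published grammar.

```python
import re
# Structured form (Junos structured-data): TYPE [junos@2636.1.1.1.2.129 key="value" ...]
STRUCTURED_RE = re.compile(r'(?P<type>SSL_PROXY_[A-Z_]+) \[junos@[\d.]+ (?P<body>.*)\]\s*$')
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')
# Text form: TYPE: lsys:<name> <session-id> [host:<ip/port>]<src->dst> NAT:<src->dst> <profile> <zone:if->zone:if> message:<prefix>: <reason>
TEXT_RE = re.compile(
    r'(?P<type>SSL_PROXY_[A-Z_]+): lsys:(?P<lsys>\S+) (?P<session_id>\d+)\s*(?:host:(?P<host>\S+?))?'
    r'\s*<\s*(?P<src>\S+)->(?P<dst>\S+?)\s*>\s*NAT:<\s*(?P<nat_src>\S+)->(?P<nat_dst>\S+?)\s*>\s*'
    r'(?P<profile>\S+)\s*<(?P<src_zone>[^:]+):(?P<src_if>\S+?)->(?P<dst_zone>[^:]+):(?P<dst_if>[^>]+)>'
    r'\s*message:(?P<message>.*)$')
PREFIXES = ("certificate error", "openssl error", "system")  # Table 3 message sources

def split_message(message):
    """Split the message field into its Table 3 prefix and the remaining reason text."""
    for prefix in PREFIXES:
        if message.startswith(prefix + ":"):
            return prefix, message[len(prefix) + 1:].strip()
    return "unknown", message

def parse_structured(line):
    """Parse the key="value" form into a dict (plus 'type'); None if the line is another format."""
    m = STRUCTURED_RE.search(line)
    return dict(KV_RE.findall(m.group("body")), type=m.group("type")) if m else None

def parse_text(line):
    """Parse the text form; adds 'prefix' and 'reason' split out of the message field."""
    m = TEXT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["prefix"], fields["reason"] = split_message(fields["message"].strip())
    return fields

def sni_of(fields):
    """SNI from an INFO log's sni field, or embedded in a WHITELIST log's message text."""
    if fields.get("sni"):
        return fields["sni"]
    m = re.search(r"\bSNI (\S+)", fields.get("message", ""))
    return m.group(1) if m else None

# Sample lines abridged from this page's own examples (some fields omitted for width).
INFO_LINE = ('SSL_PROXY_INFO [junos@2636.1.1.1.2.129 logical-system-name="root-logical-system" session-id="17" '
             'source-address="5.0.0.1" destination-address="4.0.0.1" message="NA" sni="www.facebook.com" url-category="NULL"]')
WHITELIST_LINE = ('SSL_PROXY_SESSION_WHITELIST [junos@2636.1.1.1.2.129 session-id="18" url="4.0.0.1" '
                  'message="session whitelisted url category match SNI www.youtube.com URL_CATEGORY CATEGORY-1"]')
DROP_LINE = ('Jun 1 05:11:13 4.0.0.254 junos-ssl-proxy: SSL_PROXY_SSL_SESSION_DROP: lsys:root 23 < 203.0.113.1/35090->192.0.2.1/443> '
             'NAT:< 203.0.113.1/35090->192.0.2.1/443> ssl-inspect-profile <untrust:ge-0/0/0.0->trust:ge-0/0/1.0> message:certificate error: self signed certificate')
WL_TEXT_LINE = ('Jun 1 05:25:36 4.0.0.254 junos-ssl-proxy: SSL_PROXY_SESSION_WHITELIST: lsys:root 24 host:192.0.2.1/443<203.0.113.1/35090->192.0.2.1/443> '
                'NAT:< 203.0.113.1/35090->192.0.2.1/443 > ssl-inspect-profile <untrust:ge-0/0/0.0->trust:ge-0/0/1.0> message:system: session whitelisted')
```

Grouping parsed drop logs by prefix and reason (for example, counting "certificate error" drops per destination) is a quick way to see whether a drop spike comes from certificate problems or from cipher and version mismatches.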
Enabling Debugging and Tracing for SSL Proxy
Debug tracing on both Routing Engine and the Packet Forwarding Engine can be enabled for SSL proxy by setting the following configuration:
user@host# set services ssl traceoptions file file-name
SSL proxy is supported on SRX340, SRX345, SRX380, SRX550M, SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, SRX5800 devices and vSRX Virtual Firewall instances. Table 4 shows the supported levels for trace options.
Level | Description |
---|---|
Brief | Only error traces on both the Routing Engine and the Packet Forwarding Engine. |
Detail | Packet Forwarding Engine: only event details up to the handshake are traced. Routing Engine: traces related to commit. No periodic traces on the Routing Engine are available. |
Extensive | Packet Forwarding Engine: data transfer summary available. Routing Engine: traces related to commit (more extensive). No periodic traces on the Routing Engine are available. |
Verbose | All traces are available. |
Table 5 shows the flags that are supported.

Flag | Description |
---|---|
cli-configuration | Configuration-related traces only. |
initiation | Enable tracing on the SSL-I plug-in. |
proxy | Enable tracing on the SSL-Proxy-Policy plug-in. |
termination | Enable tracing on the SSL-T plug-in. |
selected-profile | Enable tracing only for profiles that have enable-flow-tracing set. |
You can enable logs in the SSL proxy profile to find the root cause of a drop. The following errors are some of the most common:

- Server certificate validation error. Check the trusted CA configuration to verify your configuration.
- System failures such as memory allocation failures.
- Ciphers do not match.
- SSL versions do not match.
- SSL options are not supported.
- Root CA has expired. You need to load a new root CA.
You can enable the ignore-server-auth-failure option in the SSL proxy profile so that certificate validation failures, root CA expiration, and similar issues are ignored. If sessions are inspected successfully after the ignore-server-auth-failure option is enabled, the problem is localized to server authentication.