What it is in SSL log, Event Subtype "unallowed-version"

fortinetforumfiokom · ‎05-08-2024

HI,

In a policy I turned on ssl deep inspection on HTTPS, LAN to WAN.

In the security events logs\ssl I found this BLOCK logs entries. Microsoft address, what could be the problem?

What is meant in event subtype: unallowed-version?

Thanks

AEK · ‎05-08-2024

Hello

Which FortiOS version?

Can you share the following output?

config firewall ssl-ssh-profile
  edit deep_insp_1
    config ssl
      show full | grep min
    end
    config https
      show full | grep min
    end

AEK

fortinetforumfiokom · ‎05-09-2024

Hi @AEK ,

Fortigate 201F 7.4.3 build 2573

FG201F (utibvd) # config firewall ssl-ssh-profile

FG201F (ssl-ssh-profile) # edit deep_insp_1

FG201F (deep_insp_1) # config ssl

FG201F (ssl) # show full-configuration | grep min

FG201F (ssl) # end

FG201F (deep_insp_1) # config https

FG201F (https) # show full-configuration | grep min
set min-allowed-ssl-version tls-1.1

FG201F (https) # end

FG201F (deep_insp_1) #

pminarik · ‎05-09-2024

Szia!

As AEK suggested, on the face of it it looks like the client is attempting to establish an SSL/TLS session using an SSL/TLS version that is configured as unsupported/blocked.

If you would like to confirm whether this result is valid and not a mistake, you will need to take a packet capture sample of this traffic, and then inspect it in wireshark to find out if there's anything that would trigger such action.

[ corrections always welcome ]