GeorgeD Posted September 26, 2016 Share Posted September 26, 2016 is it possible to see which clients negotiate at which tls levels? i have an audit to disable tls1.0 and it would be great to see how many things this will break. thanks Gd. Link to comment Share on other sites More sharing options...
CarlStalhood Posted September 26, 2016 Share Posted September 26, 2016 There are some counters on the reporting page. You might have to run a network trace and look in the trace to find client IPs connecting using TLS 1. There's a client.SSL.VERSION expression. Maybe you can use that to send back an error page, or insert an HTTP header so your back-end web server can log the connection. 1 Link to comment Share on other sites More sharing options...
GeorgeD Posted September 27, 2016 Author Share Posted September 27, 2016 doesnt seem to have detailed info for tls 1.1/1,2, just a a section for tls1. i'm assuming they roll up the reporting under tls1. i guess we will test and disable. should be ok since most of the clients are fairly current. Link to comment Share on other sites More sharing options...
Ken Posted September 28, 2016 Share Posted September 28, 2016 We had a need for this, as well. We use a rewrite policy (NOREWRITE) with a log action to send user name, IP, SSL version and user-agent string to syslog. In the logs will show "SSL Version 7xx". TLS v1.0 = SSL Version 769 TLS v1.1 = SSL Version 770 TLS v1.2 = SSL Version 771 Link to comment Share on other sites More sharing options...
Sanjith Abraham1709153204 Posted September 28, 2016 Share Posted September 28, 2016 Here is a way to get which client IP is trying to connection using which SSL version : 1) Create a logaction : add audit messageaction TLS_logging ERROR "\"Client: \"+CLIENT.IP.SRC+\" using \"+CLIENT.SSL.VERSION" -logtoNewnslog YES -bypassSafetyCheck YES 2) Create a responder policy with action as NOOP (no action) and log action as the above : add responder policy TLS_version_loging true NOOP -logAction TLS_logging 3) Bind it to the Vserver bind lb vserver <VserverName> -policyName TLS_version_loging -priority 100 -gotoPriorityExpression END -type REQUEST This is going to send the syslogs , I see them in my Commandcenter in this form : default RESPONDER Message 577028 0 : "Client: 1.2.3.2 using 771" default RESPONDER Message 576926 0 : "Client: 1.2.3.2 using 769" Since the SSL version is shown as 771 & 769 , i did some search and found that they are code for TLS1.2 & TLS1.0 respectively . Here are the full SSL version code : SSL_LIBRARY_VERSION_2=2SSL_LIBRARY_VERSION_3_0=768SSL_LIBRARY_VERSION_TLS_1_0=769SSL_LIBRARY_VERSION_TLS_1_1=770SSL_LIBRARY_VERSION_TLS_1_2=771SSL_LIBRARY_VERSION_TLS_1_3=772 So basically on the Command center(if you are using it) create a view in syslog with any 'Message' containing '769' . 2 Link to comment Share on other sites More sharing options...
Eric Wiegand Posted February 20, 2018 Share Posted February 20, 2018 Expanding on the answer above, I created a stringmap lookup table to get the readable tls version in the logs. ssl_version=\"" + CLIENT.SSL.VERSION.TYPECAST_TEXT_T.MAP_STRING("ssl_version_table") where the ssl_version_table is a stringmap with key=770 and value=TLSv1.1, etc... Sample log output: "dst_ip="2.2.2.2" src_ip="1.1.1.1" ssl_version="TLSv1.2" ssl_cipher="TLS1.2-ECDHE-RSA-AES-128-SHA256"" You can also get the readable TLS version by turning on DEBUG in a syslog policy and looking for SSLLOG SSL_HANDSHAKE, but I didn't want to do this globally. Link to comment Share on other sites More sharing options...
Sunil Mujumdar1709160718 Posted July 2, 2020 Share Posted July 2, 2020 Here is my flow end to end.. Lines beginning with # are comments .. rest is code or output. Hope this makes someone else's life easier. Trying to gather data to disable TLS 1.0 and 1.1 - on your SIEM, you should be able to build some rules to parse this data. and export it out to CSV. I realized that on some internal VIPs where TLS1.2 is enabled, but the DEFAULT Cipher is bound that the order of cipher suites is reversed from what it should be.. so I see them using TLS1-AES-256-CBC-SHA instead of ECDHE (first example output event) - this is a good way to audit that nobody bound the wrong cipher group to VIPs. #Sample Events sent to Syslog 2020-07-02T04:53:31.786Z 192.168.3.200 <130> 07/02/2020:04:53:31 GMT lb01-test 0-PPE-0 : default RESPONDER Message 2685782 0 : "Server: test-fe.domain.com Client: 192.168.5.61 Client_SSL_VERSION: TLS_12 CIPHER_SUITE: TLS1-AES-256-CBC-SHA VSERVER: TEST-FE RESPONSE_TIME 0 HEALTH_PERCENT 100 CONN_COUNT: 2" 2020-07-01T07:41:57.857Z 192.168.3.201 <130> 07/01/2020:07:41:57 GMT lb01-test 0-PPE-1 : default RESPONDER Message 1953344 0 : "Server: testvip2.domain.com Client: 192.168.5.61 Client_SSL_VERSION: TLS_12 CIPHER_SUITE: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 VSERVER: VSVR-TESTVIP2-443 RESPONSE_TIME 62929 HEALTH_PERCENT 100 CONN_COUNT: 3 ===== #Using 192.168.1.50 as my Syslog server placeholder, replace this with your syslog Server's IP #Setting userDefinedAuditlog is required to get our custom messages to a log server, pick whatever other Levels you would like forwarded #This will need to be run on the Netscaler over an SSH session add audit syslogAction act_syslog_forward 192.168.1.50 -serverPort 514 -logLevel EMERGENCY ALERT CRITICAL ERROR WARNING -userDefinedAuditlog YES add audit nslogAction act_nslog_forward 192.168.1.50 -serverPort 514 -logLevel EMERGENCY ALERT CRITICAL ERROR WARNING -userDefinedAuditlog YES add audit syslogPolicy pol-syslog-forward true act_syslog_forward add audit nslogPolicy pol-nslog-syslogserver true act_nslog_forward add policy stringmap CLIENT_SSL_VERSION -comment "SSL Version StringMap" bind policy stringmap CLIENT_SSL_VERSION 771 TLS_12 bind policy stringmap CLIENT_SSL_VERSION 772 TLS_13 bind policy stringmap CLIENT_SSL_VERSION 770 TLS_11 bind policy stringmap CLIENT_SSL_VERSION 769 TLS_10 bind policy stringmap CLIENT_SSL_VERSION 3 SSL_3 bind policy stringmap CLIENT_SSL_VERSION 2 SSL_2 add audit messageaction TLS_logging CRITICAL "\"Server: \"+HTTP.REQ.HOSTNAME+\" Client: \"+CLIENT.IP.SRC+\" Client_SSL_VERSION: \"+CLIENT.SSL.VERSION.TYPECAST_TEXT_T.MAP_STRING_DEFAULT_TO_KEY(\"CLIENT_SSL_VERSION\")+\" CIPHER_SUITE: \"+CLIENT.SSL.CIPHER_NAME+\" VSERVER: \"+ HTTP.REQ.LB_VSERVER.NAME + \" RESPONSE_TIME \"+HTTP.REQ.LB_VSERVER.RESPTIME" -logtoNewnslog YES add responder policy TLS_version_loging true NOOP -logAction TLS_logging #At the moment having trouble getting the nsLog to forward Syslog Server, but keeping it. This is referred to as "NewNSLog" in the UI bind audit nslogGlobal -policyName pol-nslog-syslogserver -priority 100 #Forwarding the Syslog to a syslog server works bind system global pol-syslog-forward -priority 100 #This will bind the policy to the VIP, which will start logging. Do this for all your VIPs you would like to get TLS stats for bind lb vserver VSVR-TESTVIP-443 -policyName TLS_version_loging -priority 100 -gotoPriorityExpression NEXT -type REQUEST #Assuming this Netscaler is in the DMZ .. make sure it has a path to get this data to the Syslog Server. #Troubleshooting - go to the Linux Shell by typing she'' at the netscaler prompt, running this will show UDP packets being sent to the syslog server # /netscaler/nstcpdump.sh -X dst host 192.168.1.50 and port 514 ============= Link to comment Share on other sites More sharing options...
Salman Mahmood Posted August 24, 2020 Share Posted August 24, 2020 Hi, Thanks Sunil for the detailed instructions, I was able to bind the policy to one of my vserver LB. I have another vserver LB that is "SSL_TCP" based which I want to bind the Audit policy to but getting an error "Policy cannot be bound to specified policy label". Is there any alternative way to bind same/similar audit policy to LB vserver that are "SS_TCP" based? Link to comment Share on other sites More sharing options...
Josh Slaney Posted January 11, 2022 Share Posted January 11, 2022 On 8/24/2020 at 4:03 PM, Salman Mahmood said: Hi, Thanks Sunil for the detailed instructions, I was able to bind the policy to one of my vserver LB. I have another vserver LB that is "SSL_TCP" based which I want to bind the Audit policy to but getting an error "Policy cannot be bound to specified policy label". Is there any alternative way to bind same/similar audit policy to LB vserver that are "SS_TCP" based? Were you able to figure out how to audit "SSL_TCP"? Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now