netscaler clients tls version reporting

[GeorgeD]

is it possible to see which clients negotiate at which tls levels? 

i have an audit to disable tls1.0 and it would be great to see how many things this will break.

 

thanks

 

Gd.

[CarlStalhood]

There are some counters on the reporting page. 

 

You might have to run a network trace and look in the trace to find client IPs connecting using TLS 1.

 

There's a client.SSL.VERSION expression. Maybe you can use that to send back an error page, or insert an HTTP header so your back-end web server can log the connection.

[GeorgeD]

doesnt seem to have detailed info for tls 1.1/1,2, just a a section for tls1. i'm assuming they roll up the reporting under tls1.

 

i guess we will test and disable. 

should be ok since most of the clients are fairly current.

[Ken]

We had a need for this, as well.  We use a rewrite policy (NOREWRITE) with a log action to send user name, IP, SSL version and user-agent string to syslog.

 

In the logs will show "SSL Version 7xx".

TLS v1.0 = SSL Version 769

TLS v1.1 = SSL Version 770

TLS v1.2 = SSL Version 771

[Sanjith Abraham1709153204]

Here is a way to get which client IP is trying to connection using which SSL version :

 

1) Create a logaction :

add audit messageaction TLS_logging ERROR "\"Client: \"+CLIENT.IP.SRC+\" using \"+CLIENT.SSL.VERSION" -logtoNewnslog YES -bypassSafetyCheck YES

 

2) Create a responder policy with action as NOOP (no action) and log action as the above :

add responder policy TLS_version_loging true NOOP -logAction TLS_logging

 

3) Bind it to the Vserver

bind lb vserver <VserverName> -policyName TLS_version_loging -priority 100 -gotoPriorityExpression END -type REQUEST

 

 

This is going to send the syslogs , I see them in my Commandcenter in this form :

default RESPONDER Message 577028 0 :  "Client: 1.2.3.2 using 771"

default RESPONDER Message 576926 0 :  "Client: 1.2.3.2 using 769"

 

Since the SSL version is shown as 771 & 769 , i did some search and found that they are code for TLS1.2 & TLS1.0 respectively .

Here are the full SSL version code :

 

SSL_LIBRARY_VERSION_2=2
SSL_LIBRARY_VERSION_3_0=768
SSL_LIBRARY_VERSION_TLS_1_0=769
SSL_LIBRARY_VERSION_TLS_1_1=770
SSL_LIBRARY_VERSION_TLS_1_2=771
SSL_LIBRARY_VERSION_TLS_1_3=772

 

 

So basically on the Command center(if you are using it) create a view in syslog with any 'Message' containing '769' .

[Eric Wiegand]

Expanding on the answer above, I created a stringmap lookup table to get the readable tls version in the logs.
ssl_version=\"" + CLIENT.SSL.VERSION.TYPECAST_TEXT_T.MAP_STRING("ssl_version_table")

where the ssl_version_table is a stringmap with key=770 and value=TLSv1.1, etc...

Sample log output:
"dst_ip="2.2.2.2" src_ip="1.1.1.1" ssl_version="TLSv1.2" ssl_cipher="TLS1.2-ECDHE-RSA-AES-128-SHA256""

You can also get the readable TLS version by turning on DEBUG in a syslog policy and looking for SSLLOG SSL_HANDSHAKE, but I didn't want to do this globally.

[Sunil Mujumdar1709160718]

Here is my flow end to end.. Lines beginning with # are comments .. rest is code or output. Hope this makes someone else's life easier. Trying to gather data to disable TLS 1.0 and 1.1 - on your SIEM, you should be able to build some rules to parse this data. and export it out to CSV. I realized that on some internal VIPs where TLS1.2 is enabled, but the DEFAULT Cipher is bound that the order of cipher suites is reversed from what it should be.. so I see them using  TLS1-AES-256-CBC-SHA instead of ECDHE (first example output event) - this is a good way to audit that nobody bound the wrong cipher group to VIPs.

 

#Sample Events sent to Syslog
2020-07-02T04:53:31.786Z 192.168.3.200 <130> 07/02/2020:04:53:31 GMT lb01-test 0-PPE-0 : default RESPONDER Message 2685782 0 :  "Server: test-fe.domain.com Client: 192.168.5.61 Client_SSL_VERSION: TLS_12 CIPHER_SUITE: TLS1-AES-256-CBC-SHA VSERVER: TEST-FE RESPONSE_TIME 0 HEALTH_PERCENT 100 CONN_COUNT: 2"

 

2020-07-01T07:41:57.857Z 192.168.3.201 <130> 07/01/2020:07:41:57 GMT lb01-test 0-PPE-1 : default RESPONDER Message 1953344 0 :  "Server: testvip2.domain.com  Client: 192.168.5.61 Client_SSL_VERSION: TLS_12 CIPHER_SUITE: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 VSERVER: VSVR-TESTVIP2-443 RESPONSE_TIME 62929 HEALTH_PERCENT 100 CONN_COUNT: 3

 

=====

#Using 192.168.1.50 as my Syslog server placeholder, replace this with your syslog Server's IP
#Setting userDefinedAuditlog is required to get our custom messages to a log server, pick whatever other Levels you would like forwarded
#This will need to be run on the Netscaler over an SSH session

add audit syslogAction act_syslog_forward 192.168.1.50 -serverPort 514 -logLevel EMERGENCY ALERT CRITICAL ERROR WARNING -userDefinedAuditlog YES
add audit nslogAction act_nslog_forward 192.168.1.50 -serverPort 514 -logLevel EMERGENCY ALERT CRITICAL ERROR WARNING  -userDefinedAuditlog YES
add audit syslogPolicy pol-syslog-forward true act_syslog_forward
add audit nslogPolicy pol-nslog-syslogserver true act_nslog_forward

add policy stringmap CLIENT_SSL_VERSION -comment "SSL Version StringMap"
bind policy stringmap CLIENT_SSL_VERSION 771 TLS_12
bind policy stringmap CLIENT_SSL_VERSION 772 TLS_13
bind policy stringmap CLIENT_SSL_VERSION 770 TLS_11
bind policy stringmap CLIENT_SSL_VERSION 769 TLS_10
bind policy stringmap CLIENT_SSL_VERSION 3 SSL_3
bind policy stringmap CLIENT_SSL_VERSION 2 SSL_2

add audit messageaction TLS_logging CRITICAL "\"Server: \"+HTTP.REQ.HOSTNAME+\" Client: \"+CLIENT.IP.SRC+\" Client_SSL_VERSION: \"+CLIENT.SSL.VERSION.TYPECAST_TEXT_T.MAP_STRING_DEFAULT_TO_KEY(\"CLIENT_SSL_VERSION\")+\" CIPHER_SUITE: \"+CLIENT.SSL.CIPHER_NAME+\" VSERVER: \"+ HTTP.REQ.LB_VSERVER.NAME + \" RESPONSE_TIME \"+HTTP.REQ.LB_VSERVER.RESPTIME" -logtoNewnslog YES
add responder policy TLS_version_loging true NOOP -logAction TLS_logging

#At the moment having trouble getting the nsLog to forward Syslog Server, but keeping it. This is referred to as "NewNSLog" in the UI
bind audit nslogGlobal -policyName pol-nslog-syslogserver -priority 100

#Forwarding the Syslog to a syslog server works
bind system global pol-syslog-forward -priority 100

#This will bind the policy to the VIP, which will start logging. Do this for all your VIPs you would like to get TLS stats for
bind lb vserver VSVR-TESTVIP-443 -policyName TLS_version_loging -priority 100 -gotoPriorityExpression NEXT -type REQUEST

#Assuming this Netscaler is in the DMZ .. make sure it has a path to get this data to the Syslog Server.
#Troubleshooting - go to the Linux Shell by typing she'' at the netscaler prompt, running this will show UDP packets being sent to the syslog server
# /netscaler/nstcpdump.sh -X dst host 192.168.1.50 and port 514
 

=============

 

 

[Salman Mahmood]

Hi,

Thanks Sunil for the detailed instructions, I was able to bind the policy to one of my vserver LB.

 I have another vserver LB that is "SSL_TCP" based which I want to bind the Audit policy to but getting an error "Policy cannot be bound to specified policy label". 

 

Is there any alternative way to bind same/similar audit policy to LB vserver that are "SS_TCP" based?

[Josh Slaney]

On 8/24/2020 at 4:03 PM, Salman Mahmood said:

Hi,

Thanks Sunil for the detailed instructions, I was able to bind the policy to one of my vserver LB.

 I have another vserver LB that is "SSL_TCP" based which I want to bind the Audit policy to but getting an error "Policy cannot be bound to specified policy label". 

 

Is there any alternative way to bind same/similar audit policy to LB vserver that are "SS_TCP" based?

Were you able to figure out how to audit "SSL_TCP"?