Traffic to HTTPS websites is dropped on "Unknown Traffic" category, if the certificate length sent from web server exceeds the limit
Symptoms
  • Traffic to HTTPS websites is dropped on the "Unknown Traffic" category under the Application Control / URL Filtering blades if the certificate length sent from the web server exceeds the maximum predefined value. SmartView Tracker shows the error "Internal System Error occurred, blocking request (as configured in engine settings). See SK64162 for more information."

  • The connection is accepted by the Security Gateway Firewall blade rule, but dropped by the Application Control or URL Filtering blades if there is a rule to drop "Unknown Traffic".

  • Debug of the WSTLSD user-mode process (# fw_debug WSTLSD on TDERROR_ALL_ALL=6) shows the following messages in $FWDIR/log/wstlsd.elg:

    CptlUrlf::HandleTrap: _header 0x7fd965e0 data_size 1181 ssl_state 0 total_certificate_len 10811 packet_count 1, conn dir 0, <SourceIP>:57039 -> <DestinationIP>:443
    CptlsUrlfTrapData::AddNewData: failed certificat_len 10811 reach limit
    CptlUrlf::HandleTrap: AddNewData failed.

    Note: SourceIP and DestinationIP may appear reversed in the debug. For example, instead of 10.1.2.30, the address may be shown as 30.2.1.10.

  • The issue does not occur when the engine settings are configured for "Background" in Application URL Filtering tab -> Advanced -> Engine Settings -> Website Categorization Mode.

  • Kernel debug (fw ctl debug -m RAD_KERNEL all; fw ctl debug -m APPI all) shows the following messages:
    appi_rad_uf_cmi_handler_server_response: parsing state "done";
    appi_rad_uf_cmi_handler_server_response: total_buffer_size 8453 , limit is 8000;
    appi_rad_uf_cmi_handler_remove_cmi_opaque: un set opaque id 0 ;
    ...
    appi_rad_uf_cmi_handler_remove_cmi_opaque: deleting http _opaque_id 0;
    ...
    appi_global_policy_get_rad_fail_action: RAD fail action is REJECT;
Cause

The HTTPS certificate received from the web server is larger than the predefined allowed length (8000 bytes).

Due to the above, the certificate cannot be parsed, HTTPS validation and categorization will fail, and as a result, "Unknown Traffic" category will be assigned to this traffic.
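
The following Python script is an added example, not Check Point code: it scans debug output for the messages listed under Symptoms and reports which connections and sizes hit the limit, giving both the printed and the octet-reversed reading of each address. The sample lines combine the two debug excerpts and are constructed, including the addresses; the function and field names are this example's own.

```python
import re

# Constructed sample in the format of the debug excerpts above (addresses are made up).
SAMPLE = """\
CptlUrlf::HandleTrap: _header 0x7fd965e0 data_size 1181 ssl_state 0 total_certificate_len 10811 packet_count 1, conn dir 0, 30.2.1.10:57039 -> 10.113.0.203:443
CptlsUrlfTrapData::AddNewData: failed certificat_len 10811 reach limit
CptlUrlf::HandleTrap: AddNewData failed.
appi_rad_uf_cmi_handler_server_response: total_buffer_size 8453 , limit is 8000;
appi_global_policy_get_rad_fail_action: RAD fail action is REJECT;
"""

TRAP = re.compile(
    r"HandleTrap: .*total_certificate_len (\d+) .*?"
    r"(\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)")
FAIL = re.compile(r"AddNewData: failed certificat_len (\d+) reach limit")
KBUF = re.compile(r"total_buffer_size (\d+) , limit is (\d+)")
ACTION = re.compile(r"RAD fail action is (\w+)")

def flip(ip):
    """Octet-reversed reading of an address (the debug may print it reversed)."""
    return ".".join(reversed(ip.split(".")))

def triage(text):
    """Return one finding per message showing the certificate limit was exceeded."""
    findings, conn = [], None
    for line in text.splitlines():
        if m := TRAP.search(line):
            # Remember the endpoints; the failure message follows on a later line.
            conn = {"src": m[2], "sport": int(m[3]), "dst": m[4], "dport": int(m[5])}
        elif m := FAIL.search(line):
            f = {"kind": "wstlsd_cert_limit", "cert_len": int(m[1])}
            if conn:
                f.update(conn, src_alt=flip(conn["src"]), dst_alt=flip(conn["dst"]))
            findings.append(f)
        elif m := KBUF.search(line):
            size, limit = int(m[1]), int(m[2])
            if size > limit:
                findings.append({"kind": "kernel_buffer_limit", "size": size,
                                 "limit": limit, "over_by": size - limit})
        elif (m := ACTION.search(line)) and findings:
            findings[-1]["fail_action"] = m[1]  # attach to the preceding finding
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
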

