Topic
  • 4 replies
  • Latest Post - ‏2012-11-05T10:32:16Z by SystemAdmin
SystemAdmin
SystemAdmin
6772 Posts

Pinned topic Common criteria mode

‏2012-08-29T11:20:53Z |
Hi

We are seeing an error message in our logs that is an audit error entry. It says that the connection from an IP address to 0.0.0.0:<listening port> has been rejected. The help text when I click on the error reads "Connection rejected - not allowed by ACL (CC Mode only).".

After some investigation we found that for some reason the appliance is in Common criteria mode.

The HTTPS front-side handler associated with the port on which the connections are being rejected has an ACL configured.

We have 3 other appliances that are not in Common Criteria mode with the same HTTPS front-side handler configuration; however, we are not getting the same error entry in the log.

I have not been able to find out exactly what is changed in Common Criteria mode.

So the question is whether I am only seeing the error logged on one DataPower because it is in Common Criteria mode, but the same behaviour happens on all the appliances and is just not logged on the others.

Or is Common Criteria mode changing the way the DataPower works?
Updated on 2012-11-05T10:32:16Z at 2012-11-05T10:32:16Z by SystemAdmin
  • Liv2luv
    Liv2luv
    573 Posts

    Re: Common criteria mode

    ‏2012-08-29T12:40:57Z  
    As you've figured out, it is the Common Criteria (CC) mode not allowing a connection on 0.0.0.0

    CC mode enforces additional security (EAL4 in the case of DataPower); see below:

    http://en.wikipedia.org/wiki/Evaluation_Assurance_Level
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Common criteria mode

    ‏2012-08-29T15:30:46Z  
    • Liv2luv
    • ‏2012-08-29T12:40:57Z
    As you've figured out, it is the Common Criteria (CC) mode not allowing a connection on 0.0.0.0

    CC mode enforces additional security (EAL4 in the case of DataPower); see below:

    http://en.wikipedia.org/wiki/Evaluation_Assurance_Level
    Thanks for the feedback.

    I do have many other front-side handlers on the appliances that work perfectly without problems listening on 0.0.0.0. There is one difference: this is the only FSH with an ACL.

    To further complicate the problem, I can see accepted connections in the xact log from the same IP, and looking closer at the logs, it seems like the connection is accepted, based on the xact log, and rejected, based on the audit error in the system log.

    It almost seems that it is incorrectly logging the event in the system log.
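The discrepancy described in the post above (a source IP that is rejected in the audit log yet shows accepted connections in the transaction log at the same time) is easiest to confirm by correlating the two logs rather than reading them by hand. The script below is an added example, not DataPower code or output: the line format, the listener address 0.0.0.0:8443 and the client addresses are all constructed for the example, and a real appliance's log format will differ, so the regular expression would need adjusting before use.

```python
import re
from datetime import datetime, timezone

# Assumed, constructed line format for this example; real DataPower log
# lines are laid out differently and the regex must be adapted to them.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<domain>\w+) (?P<level>\w+) '
    r'client=(?P<client>[\d.]+) listener=(?P<listener>[\d.]+:\d+) '
    r'msg="(?P<msg>[^"]*)"$'
)

REJECT_MSG = "Connection rejected - not allowed by ACL (CC Mode only)"
ACCEPT_MSG = "connection accepted"

# Constructed sample input: audit (system) log and transaction ("xact") log.
AUDIT_LOG = """\
2012-08-29T09:22:01Z audit error client=192.0.2.10 listener=0.0.0.0:8443 msg="Connection rejected - not allowed by ACL (CC Mode only)"
2012-08-29T09:22:03Z audit error client=192.0.2.10 listener=0.0.0.0:8443 msg="Connection rejected - not allowed by ACL (CC Mode only)"
2012-08-29T09:22:30Z audit error client=198.51.100.7 listener=0.0.0.0:8443 msg="Connection rejected - not allowed by ACL (CC Mode only)"
"""

XACT_LOG = """\
2012-08-29T09:22:01Z xact info client=192.0.2.10 listener=0.0.0.0:8443 msg="connection accepted"
2012-08-29T09:22:04Z xact info client=192.0.2.10 listener=0.0.0.0:8443 msg="connection accepted"
2012-08-29T09:25:00Z xact info client=203.0.113.5 listener=0.0.0.0:8443 msg="connection accepted"
"""


def parse(text):
    """Parse log lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(d)
    return events


def correlate(audit_text, xact_text, window_seconds=5):
    """Classify each client seen in either log.

    rejected              : ACL rejection logged, no accepted connection from
                            that client to that listener within the window
    rejected-but-accepted : rejection logged AND an accepted connection seen
                            within the window (the inconsistency in the post)
    accepted              : accepted connections only, no rejection logged
    """
    rejects = [e for e in parse(audit_text) if e["msg"] == REJECT_MSG]
    accepts = [e for e in parse(xact_text) if e["msg"] == ACCEPT_MSG]
    verdicts = {}
    for r in rejects:
        matched = any(
            a["client"] == r["client"]
            and a["listener"] == r["listener"]
            and abs((a["ts"] - r["ts"]).total_seconds()) <= window_seconds
            for a in accepts
        )
        verdict = "rejected-but-accepted" if matched else "rejected"
        # Once a client is flagged as inconsistent, a later clean rejection
        # must not downgrade it back to plain "rejected".
        if verdicts.get(r["client"]) != "rejected-but-accepted":
            verdicts[r["client"]] = verdict
    for a in accepts:
        verdicts.setdefault(a["client"], "accepted")
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(correlate(AUDIT_LOG, XACT_LOG).items()):
        print(f"{client:16} {verdict}")
```

On the constructed input, 192.0.2.10 is reported as rejected-but-accepted, 198.51.100.7 as rejected and 203.0.113.5 as accepted. A client that lands in the first category is the case to take to support with both log excerpts; a client in the second category is simply being blocked by the ACL as configured.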
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Common criteria mode

    ‏2012-10-16T01:19:47Z  
    Can you check if you can connect to this box using HTTP?

    If you do not require CC mode, you will have to reinitialise your appliance to disable it.

    Cheers
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Common criteria mode

    ‏2012-11-05T10:32:16Z  
    Thanks.

    We did re-initialise the DataPower in the end.