One request on the client always brings up 3 log entries:
Is this the log card?
Just for clarification: The accessed webserver is TLS1.3 only.
The first log entry gets accepted. I think this is the first ClientHello sent without the supported_versions extension, which makes it a TLS1.2 request. This is not what the webserver expects, so it replies with some version_alert. So the firewall sends the ClientHello again, this time with the supported_versions extension included (TLS1.3) -> This is what log entries 2 & 3 are about.
I just wonder why the bypass entry comes second!? Wouldn't it make more sense if the decision to intercept or not were made before the first request is sent? Or is the order not really accurate, since this all happens in a very short time?
Just my thoughts ...