lincolnwebber
Participant

TLS versions and NAT methods

Hi Guys,

I have noticed an issue with a particular Internet website depending on the NAT method used by the firewall when accessed by clients inside the network.

If I hide the traffic, the website will not load (timeout). However, if I static NAT, the website loads fine.

I took tcpdumps of both scenarios and noticed the following:

  • When using hide NAT, the TLS version proposed by the gateway/hidden address is TLSv1 (site times out)
  • When using static NAT, the TLS version proposed by the static NAT address is TLSv1.2 (site loads successfully)

Any idea what may cause this? Can I force the firewall to use TLSv1.2 as a client?

1 Reply
PhoneBoy
Admin

Version/JHF of the gateway?
What blades are enabled on the gateway?
Did you run a tcpdump to see what the actual clients are proposing?
The only time I'd think we'd mess with the TLS version is if HTTPS Inspection is on.
Not sure why the NAT type would make any difference.

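PhoneBoy's question about what the clients are actually proposing is best answered from the bytes rather than from the one-line summary a capture tool prints. The script below is an added example, not code from this thread or from Check Point: it parses a raw TLS ClientHello (the TCP payload of the client's first handshake packet, as extracted from the tcpdump) and reports the three places a "TLS version" appears: the record-layer version, the handshake client_version, and the supported_versions extension (0x002b) that TLS 1.3 clients use. The sample ClientHellos it parses are constructed inline by `build_client_hello`, which is a test helper, not a real client. The point worth checking in both NAT captures: the record-layer version is commonly 0x0301 (TLSv1) even for TLS 1.2 and 1.3 clients, so a tool that shows only that field can make a modern client look like it is proposing TLSv1; the handshake version and supported_versions are the fields to compare.

```python
"""Report the version fields of a raw TLS ClientHello (added example)."""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B


def version_name(v: int) -> str:
    return VERSION_NAMES.get(v, f"0x{v:04x}")


def is_grease(v: int) -> bool:
    """GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are padding, not real versions."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def parse_client_hello(data: bytes) -> dict:
    """Parse record header, handshake header and ClientHello version fields."""
    if len(data) < 9 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", data[1:5])
    body = data[5:5 + record_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 0
    client_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                      # skip client_version and 32-byte random
    pos += 1 + hello[pos]              # skip session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    cipher_suites = [struct.unpack("!H", hello[i:i + 2])[0]
                     for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]              # skip compression methods
    supported_versions = None
    if pos + 2 <= len(hello):          # extensions block is optional (pre-TLS1.2 clients)
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(hello))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS and elen >= 1:
                n = edata[0]
                supported_versions = [struct.unpack("!H", edata[1 + i:3 + i])[0]
                                      for i in range(0, n, 2)]
    real = [v for v in (supported_versions or []) if not is_grease(v)]
    max_proposed = max(real) if real else client_version
    return {"record_version": record_version, "handshake_version": client_version,
            "supported_versions": supported_versions, "max_proposed": max_proposed,
            "cipher_suite_count": len(cipher_suites)}


def build_client_hello(client_version: int, supported_versions=None,
                       record_version: int = 0x0301) -> bytes:
    """Build a minimal ClientHello for testing. Constructed sample data, not a real capture."""
    suites = b"\xc0\x2f\xc0\x30\x13\x01"   # two TLS1.2 ECDHE-GCM suites and TLS_AES_128_GCM_SHA256
    exts = b""
    if supported_versions:
        vlist = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_body = bytes([len(vlist)]) + vlist
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_body)) + ext_body
    hello = (struct.pack("!H", client_version) + b"\x00" * 32    # random: zeros in the sample
             + b"\x00"                                             # empty session_id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00"                                         # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def describe(data: bytes) -> str:
    r = parse_client_hello(data)
    sv = ", ".join(version_name(v) for v in r["supported_versions"]) if r["supported_versions"] else "absent"
    return (f"record={version_name(r['record_version'])} handshake={version_name(r['handshake_version'])} "
            f"supported_versions=[{sv}] -> client proposes up to {version_name(r['max_proposed'])}")


if __name__ == "__main__":
    # All three samples carry record version 0x0301; only the inner fields differ.
    for label, hello in [("legacy TLS1.0 client", build_client_hello(0x0301)),
                         ("TLS1.2 client", build_client_hello(0x0303)),
                         ("TLS1.3 client", build_client_hello(0x0303, [0x2A2A, 0x0304, 0x0303]))]:
        print(f"{label:22s} {describe(hello)}")
```

To use it on a capture, write the tcpdump to a file and pass the TCP payload of the client's first packet after the three-way handshake to `parse_client_hello`; run it once for the hide NAT capture and once for the static NAT capture and compare `handshake_version` and `supported_versions`, not `record_version`.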