...
Some connection events show no "Action" and no "AC Rule". The impacted connection events are for TLS/SSL (that is, HTTPS-related traffic that was decrypted by the SSL Policy).
1. Encrypted connection is closed soon after the TLS/SSL handshake
2. SSL policy is enabled (for example, rule with Decrypt-Resign action)
When traffic is sent to the SSL engine for decryption, the engine needs data to decrypt and evaluate before it can reach a verdict. Because the connection is dropped after the SSL handshake, the SSL engine has no data to work with, and hence the traffic is not matched with any rule. Therefore no Action is attached to the connection. In this case, the action is "Allow": the firewall allowed all packets up to this point through, because it was waiting for the session to continue so that it could see the needed information (that is, the server certificate) to determine which rule to match. It cannot make an accurate decision on which AC rule to match, because the session ended before the firewall could determine the rule. To know how much traffic went through the device, refer to the Initiator Bytes/Packets and Responder Bytes/Packets fields in the connection events.
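To triage how much traffic passed in events of this kind, the following added example (not Cisco's code or part of the original bug text) selects connection events with neither an Action nor an AC Rule and totals their Initiator and Responder bytes and packets per flow. The CSV layout, column names and sample rows are assumptions constructed for the example, not a documented export schema.

```python
import csv
import io

# Constructed sample export. Column names are assumed for this example.
SAMPLE_CSV = """first_packet,initiator_ip,responder_ip,responder_port,action,ac_rule,initiator_bytes,responder_bytes,initiator_packets,responder_packets
2024-01-01T10:00:00,10.0.0.5,203.0.113.10,443,Allow,Inspect-Web,5200,48100,22,40
2024-01-01T10:00:03,10.0.0.7,203.0.113.20,443,,,517,3100,5,6
2024-01-01T10:00:09,10.0.0.7,203.0.113.20,443,,,530,2980,5,5
2024-01-01T10:00:12,10.0.0.9,198.51.100.4,80,Block,Deny-HTTP,310,0,3,0
"""


def load_events(text):
    """Parse exported connection events into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_unmatched(events):
    """Return events that carry neither an Action nor an AC Rule."""
    return [e for e in events
            if not (e.get("action") or "").strip()
            and not (e.get("ac_rule") or "").strip()]


def _num(value):
    """Treat a blank or missing counter as zero."""
    return int(value) if value and value.strip() else 0


def traffic_by_flow(events):
    """Total bytes and packets per (initiator, responder, port)."""
    totals = {}
    for e in events:
        key = (e["initiator_ip"], e["responder_ip"], _num(e["responder_port"]))
        t = totals.setdefault(key, {"events": 0, "bytes": 0, "packets": 0})
        t["events"] += 1
        t["bytes"] += _num(e["initiator_bytes"]) + _num(e["responder_bytes"])
        t["packets"] += _num(e["initiator_packets"]) + _num(e["responder_packets"])
    return totals


if __name__ == "__main__":
    unmatched = find_unmatched(load_events(SAMPLE_CSV))
    for flow, t in sorted(traffic_by_flow(unmatched).items()):
        print(flow, t)
```

Flows that recur with only handshake-sized byte counts fit the pattern described above; larger totals on an event with no rule are worth a closer look.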