topic Re: Allow only specific site without SSL inspection for a server in Firewall and Security Management

Allow only specific site without SSL inspection for a server

DR_74 — Tue, 11 Aug 2020 13:55:01 GMT

Hi,

I have an issue with R80.10 Jumbo 275 on a Security Gateway.

I need that a server has only access to a specific URL (let's say https://www.perdu.com) without SSL inspection.

I've created an APP CTRL Rule allowing only the server to this specific site and a rule to bypass SSL inspection.

Below rule 4, the rule 5 is denying anything else.

For some reason I can see that the SSL rule is matched (bypass) but the APP CTRL rule is not matched correctly and the request is Droped when I use SSL. With HTTP it is working fine.

The Probe Bypass is conifugred that way [Expert@firewall:0]# fw ctl get int enhanced_ssl_inspection
enhanced_ssl_inspection = 1
[Expert@firewall:0]# fw ctl get int bypass_on_enhanced_ssl_inspection
bypass_on_enhanced_ssl_inspection = 0
[Expert@firewall:0]#

I think it has something to do with the fact that I am not doing SSL insepction, and that the gateway can't find the server name.

Any ideas how I can deal witht his config. Of couse I don't want to add the IP addess of the web server as it may change over time

Thank you

Re: Allow only specific site without SSL inspection for a server

Benedikt_Weissl — Tue, 11 Aug 2020 14:47:05 GMT

Hi,

try a Domain Object in FQDN mode (see sk120633 for details).

Re: Allow only specific site without SSL inspection for a server

Wolfgang — Tue, 11 Aug 2020 19:41:39 GMT

@DR_74

Your last log entry shows a hide NAT of the source. Your configured rule for allowing these application/website does only contain your my_server object as source.

If you don‘t use automatic NAT on the my_server Object you have to allow both IPS, the real and the NAT-IP.

Wolfgang