topic Re: Traffic Control in Firewall and Security Management

Traffic Control

Oscar_David_Gom — Sat, 01 Jun 2019 01:00:36 GMT

Hi,

We have a VSX environment with various VS, two of them are controlling traffic, but just one has HTTPS Inspection enabled, the other one is only using categorization, in order to work with HTTPS Inspection, we uncheck the option "Categorize HTTPS websites", but the VS without HTTPS Inspection is not enforcing rules because can not categorize that traffic.

I need to know how does that option works, is there a way to only activate Categorization for the VS that does not have HTTPS Inspection? Does the platform have trouble having both enabled? if so, how can I control this traffic without using https inspection and the option "Categorize HTTPS websites" disabled?

Thanks.

Re: Traffic Control

Chris_Atkinson — Sat, 01 Jun 2019 05:45:50 GMT

This should be possible in R80.20 per sk108202 i.e. HTTPSi + Categorise HTTPS websites

Re: Traffic Control

Zach_S — Sun, 02 Jun 2019 18:39:21 GMT

In order for Application Control and URL Filtering to work best, it is better to have HTTPS Inspection enabled. I think it's better to do the Application Control + URL Filtering on the perimeter firewall w/ outbound HTTPS Inspection enabled on that firewall for outbound connections.

Not sure why your topology requires 2 virtual systems to perform categorization, ideally this should only be done once on the way out to the internet. Are you able to share any more details?

Without HTTPS Inspection or HTTPS Categorization, you won't be able to use site/category in the policy for rules containing the https service. HTTPS Categorization will only categorize based on the subject common name of the trusted certificate returned by the server, so the results will be mixed when using HTTPS Categorization.