topic Re: HTTPS Inspection bypass issue in Firewall and Security Management

HTTPS Inspection bypass issue

AaronCP — Mon, 13 Dec 2021 18:08:13 GMT

Good evening,

I'm assisting a colleague with the set up of Remote Help (an app that works with InTune). When I install the client on my personal device from home (we use a split-tunnelling VPN that is configured to send Microsoft traffic via the users' local LAN), I can connect the client to Microsoft without any issues. When I attempt to do the same on a test host on-prem, the client fails to connect.

I have configured a test rule in the Access Control policy to allow access from this host to all of the relevant Microsoft domains using domain objects. I have also added a HTTPS Inspection bypass rule at the top of the HTTPS Inspection policy for this host. I can see in the logs that the traffic is hitting the correct Access Control and HTTPS Inspection bypass policies, but the client still fails to connect.

I have used the HTTPS Inspection bypass list (SK163595) but this hasn't helped either.

I am wondering if there is a way to totally bypass the HTTPS Inspection module altogether in R80.40?

Any advice/help on this would be much appreciated!

Thanks,

Aaron.

Re: HTTPS Inspection bypass issue

PhoneBoy — Mon, 13 Dec 2021 21:04:56 GMT

A bypass rule should do it provided it is correctly done.
However the issue may have nothing to do with HTTPS Inspection.
You might need to debug this issue in the application having trouble to determine what the precise issue is.

Re: HTTPS Inspection bypass issue

AaronCP — Tue, 14 Dec 2021 20:31:15 GMT

Hi @PhoneBoy

Is there any way in R80.40 to bypass the HTTPS Inspection module entirely? I don't want any packets in the connection hitting the HTTPS Inspection blade. I know I can use bypass rules, or specific HTTPS bypass updatable objects, but I wonder if there's any way of circumnavigating the whole module?

Thanks,

Aaron.

Re: HTTPS Inspection bypass issue

PhoneBoy — Wed, 15 Dec 2021 06:09:31 GMT

Short of disabling it entirely? Not that I'm aware of.

Re: HTTPS Inspection bypass issue

Timothy_Hall — Wed, 15 Dec 2021 13:01:54 GMT

You could try matching the problematic traffic using fast_accel, this would fastpath the traffic through SecureXL which performs minimal inspection and cannot do HTTPS Inspection. sk156672: SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above

However I concur with Phoneboy that you'll probably need to gain more understanding about what is going wrong with the application, probably with some packet captures.