topic Re: HTTPS Inspection issues in Firewall and Security Management

HTTPS Inspection issues

KM1895 — Fri, 15 Sep 2023 10:36:09 GMT

hi,

A customer i am assisting, have started testing https inspection.

As usual, they have only added a few servers for testing purposes in their https inspection policy, but here is where the issue occurs.

When they activate it, we see that traffic that isnt included in the rules are still subject to inspection, and so we have had to create a lot of exception rules, that shouldnt have been there.

Why would this happen?

I have done this several times before, but never seen this issue before.

The inspection is for outbound traffic, and the traffic we have seen beeing stopped is traffic going over vpn to their central datacenter.

The exception fixed this as a workaround, but i am curious as to why we would need to do this in the first place, as the rules doesnt include the traffic being stopped?

environment is R81.10.

Re: HTTPS Inspection issues

PhoneBoy — Fri, 15 Sep 2023 15:16:32 GMT

Without seeing the exact rules in question…difficult to say.
I suspect your initial rules were overly broad.
Screenshots of the rules in question would be helpful.

Re: HTTPS Inspection issues

Timothy_Hall — Fri, 15 Sep 2023 20:29:54 GMT

Sounds like to you tried to use a Service and/or Destination of "Any" in your HTTPS Inspection policy which you should never do, they should be "HTTPS Default Services" and object "Internet" (not All_Internet), respectively.

Re: HTTPS Inspection issues

KM1895 — Mon, 18 Sep 2023 11:25:20 GMT

hi,

Thanks for the input. I went over the rules again, and they are quite limited.

The source is just a few servers, and destination is set to Internet, with the https default services chosen,

So there is no real logic as to why servers not added is subject to https inspection.

Re: HTTPS Inspection issues

Timothy_Hall — Mon, 18 Sep 2023 16:30:17 GMT

Check your firewall/cluster topology and make sure it is complete and correct to ensure that the object Internet will match traffic properly in your HTTPS Inspection Policy, mainly:

1) The External interface is properly defined

2) Note that selecting the "Interface leads to DMZ" checkbox on an interface will cause traffic heading for that interface to match object Internet as well, even though that interface's topology is defined as Internal

3) Make sure all interfaces are present in the defined topology, including all VLAN tag subinterfaces in use. Traffic heading to interfaces missing from the topology definition will match object Internet as well.

Re: HTTPS Inspection issues

the_rock — Mon, 18 Sep 2023 16:47:01 GMT

Happy to assist via remote if you are able to. I have lots of experience with https inspection, as I had spent probably close to 200 hours or more troubleshooting it in the last 3 years or so.

You can always message me directly.

Andy