topic Re: HTTPS inspection in Firewall and Security Management

HTTPS inspection

msantos — Fri, 09 Oct 2020 15:19:37 GMT

Hi checkmates, im looking to configure Https Inspection for web control and that sort of things.

My question is, now that i have it enabled, some of my users need the access for example to youtube, and if im blocking streams with the https inspection policy, the user can´t access the site.

is there any way to make some exceptions, how does this work with best practices.

thanks

Re: HTTPS inspection

Jessie_Rich — Fri, 09 Oct 2020 16:04:00 GMT

Yes you can make exceptions in your application control policy. Do you have identity awareness configured? If so you can create Access role objects mapped to user groups on your domain and use those objects in the source of your application control rule. You can also make object groups of specific hosts if you don't have Identity awareness and can't implement it for some reason. Those permit rules need to be above your more broadly defined drop rules.

Re: HTTPS inspection

msantos — Fri, 09 Oct 2020 17:08:49 GMT

i think i tried that, i mean in the url filtering policy, i do have identity awareness and i have access role objects mapped to AD users as you say. ill try to figure out if any other policy is blocking me, i have checked several times and find nothing, but still ill check it again.

Re: HTTPS inspection

Jessie_Rich — Fri, 09 Oct 2020 17:37:19 GMT

You should check an make sure you aren't getting any errors with identity awareness and users are getting matched to their PCs correctly. What does the log for the blocked person show?

Re: HTTPS inspection

msantos — Fri, 09 Oct 2020 21:56:42 GMT

identity awareness is fine, i just checked. the computer is responding to the correct user in AD.

app control says, traffic accepted, and https inspection log say Inspected. and still cant reach the site

Re: HTTPS inspection

PhoneBoy — Sat, 10 Oct 2020 01:40:37 GMT

Let's start with the basics: version/JHF in use?
Screenshots of precisely what you've configured would be helpful.
Screenshots and/or more precise descriptions of the behavior when it's not working would also be helpful.

Re: HTTPS inspection

_Val_ — Mon, 12 Oct 2020 11:39:56 GMT

HTTPS Inspection may only block sites with invalid certificates, and even that is configurable in the properties. Appropriate URLF/APC rule should allow or drop for specific user groups.

You can either share some screenshots here, or go directly to a TAC case with this.

Re: HTTPS inspection

msantos — Tue, 13 Oct 2020 21:54:16 GMT

hi, i was checking all the thins you all told me to check.

so i installed las JHF available, check URLF rules, and use access role.

im still having the same issue, i want to permit youtube on certain users, but block all other streams sites.

im working with one test user, and youtube is blocked, but other sites not hehe, funny.

i upload some screenshots i made about current config.

thanks

Re: HTTPS inspection

_Val_ — Wed, 14 Oct 2020 07:16:02 GMT

Firstly, there is no URLF filtering policy rule blocking the youtube for regular users. Why? Another issue, why are you only inspecting certain categories? How clean-up rule looks in HTTPSi layer?

Clearly, you are facing a config issue that can be easily fixed.

To fix:
1. leave just one single rule for HTTPSi to inspect:

Internal networks -> Internet-Any category-Inspect-Log

followed by a cleanup rule:

any - any- any- bypass-none

Then create AC/URLF rules in the Network Security:
Good Users - Any - YouTube-Accept (no limit)

Any - Any - Youtube - Drop / UserCheck Message

Check if it works.

Media stream is not the right category here