topic Policy Package HTTPS Settings? in API / CLI Discussion

Policy Package HTTPS Settings?

Bob_Zimmerman — Tue, 18 Apr 2023 02:29:40 GMT

I'm looking at management APIv1.9 right now. 'show package' returns a boolean value for "https-inspection-policy" and an object for "https-inspection-layer".

'set package' doesn't appear to accept a boolean for "https-inspection-policy", and the object reference is "https-layer" with no "inspection-" in the middle.

Is this intended? How do you remove HTTPS inspection from an existing policy package?

Re: Policy Package HTTPS Settings?

PhoneBoy — Thu, 20 Apr 2023 20:04:53 GMT

Have you tried using a null string for the HTTPS Inspection policy?
Otherwise, I'm not sure how you'd disable HTTPS Inspection in an existing policy package as there doesn't appear to be an official endpoint to do so.
Paging @Omer_Kleinstern

Re: Policy Package HTTPS Settings?

Bob_Zimmerman — Sat, 22 Apr 2023 17:54:11 GMT

The API accepts an empty string without an error, but it either leaves the https-layer alone or it sets it to "Default Layer" (I only have the one HTTPS layer in my lab, so I don't know which it's doing). "None", "null", "nil" all complain the object isn't found. Various special UUIDs such as 97aeb36a-9aea-11d5-bd16-0090272ccb30 (the UUID for the None object) all throw "Runtime error: HV000028: Unexpected exception during isValid call." (I didn't expect these to work).

This isn't a big deal, just odd.

Re: Policy Package HTTPS Settings?

Omer_Kleinstern — Sun, 23 Apr 2023 08:32:54 GMT

The only way to remove HTTPS inspection is by removing the access policy (access false).

This is true for API and SmartConsole.

Re: Policy Package HTTPS Settings?

Bob_Zimmerman — Sun, 23 Apr 2023 22:10:49 GMT

Derp. That's what I get for digging into the API surrounding a feature I don't really use much.

Is there any particular reason 'show package' includes 'https-inspection-policy' as a separate flag from 'access'? Is there ever a potential for the two of them to have different values?

Re: Policy Package HTTPS Settings?

Youssef_Obeidal — Mon, 24 Apr 2023 10:34:43 GMT

Why do you think not showing them separately in the show and set commands?

The values are different, Access holds the Access layers. and https-inspection-policy holds the the HTTPS inspection layer.

you can override the https inspection layer with other layers.

in case you don't want to use https. then make sure that the GW doesn't have https inspection on.

Re: Policy Package HTTPS Settings?

Bob_Zimmerman — Mon, 24 Apr 2023 20:09:24 GMT

It makes sense to show the HTTPS Inspection layer and the access layers separately, sure. Those are the keys 'https-inspection-layer' and 'access-layers', though. They are not what I'm talking about.

In 'show package', the returned data has a key 'access' containing a Bool for whether access control is enabled and a separate key 'https-inspection-policy' containing a Bool for whether HTTPS Inspection is enabled. It seems like those two will always have the same value, won't they? So having two separate keys is a little odd.

The description of 'https-inspection-policy' even says "True - enables, False - disables HTTPS Inspection policy, empty - nothing is changed." but you can't set it.

Re: Policy Package HTTPS Settings?

PhoneBoy — Tue, 25 Apr 2023 16:04:43 GMT

I suspect enabling/disabling HTTPS Inspection in a specific policy package is done through a non-REST API method.
Which would explain why the API doesn't have a way to specify it currently.