topic HTTPS inspection doesn't work on R80.10 in General Topics

HTTPS inspection doesn't work on R80.10

efraim — Sun, 17 May 2020 02:27:08 GMT

Hello,

I have enabled HTTPS inspection on a SA machine running R80.10
Afterwards, I have created an outbound CA certificate, exported it, enabled, hit OK and installed policy.

Web traffic (https) is not being inspected for some reason even though everything was set correctly (it worked before on the same test environment).
I have tried to install the latest jumbo hotfix but it doesn't work. The client site gets the regular certificate of the server.

How should I debug it using clish?

I have tried to debug CPAS and WS and I'm able to see this in the kernel debug:
{ssl_insp} fw_https_inspection_set_conn_opq: [ERROR]: failed to set the https_inspection_conn_opq on the connection
Some of the debug is not properly formatted in notepad++, how should I open it?

Thank you

Re: HTTPS inspection doesn't work on R80.10

PhoneBoy — Tue, 19 May 2020 00:23:51 GMT

Recommend getting the TAC involved.
That said, if you're serious about using HTTPS Inspection it's highly recommended you upgrade to at least R80.30 which includes SNI support as well as improved HTTPS Inspection performance.

Re: HTTPS inspection doesn't work on R80.10

efraim — Wed, 20 May 2020 19:34:03 GMT

Thank you!

As far as I am aware, in previous version (let's say R77.30/R80.10) we are able to see the exact URL the user is trying to access.

So basically I'm trying to understand what State-of-the-Art SSL Inspection (R80.30) acts differently compared to previous versions.

Re: HTTPS inspection doesn't work on R80.10

PhoneBoy — Wed, 20 May 2020 23:27:02 GMT

First of all, R80.30 supports newer TLS ciphers and has an enhanced TLS engine that's faster (translating to better performance).
Second, we actually validate the SNI the client presents (i.e. check with the server to see that the SNI matches what the certificate says).
There's also a CLI tool to configure preferred ciphers (possible before, but wasn't as easy).
SNI can also be used for places where HTTPS Inspection isn't used for a specific HTTPS connection, allowing for more reliable bypass rules as well as App Control/URL Filtering categorization.

In R80.40, the HTTPS Inspection policy moves to SmartConsole and you get the ability to use Updatable Objects in the policy.
We include a specific Updatable Object of applications that are known not to work with HTTPS Inspection that can be used.
There is also support for HTTP/2.