topic Re: HTTPS Inspection on Small Business Security Appliances in Spark Firewall (SMB)

HTTPS Inspection on Small Business Security Appliances

DeletedUser — Tue, 19 Dec 2017 20:10:46 GMT

Starting with the R77.20.70 firmware released in November of 2017, HTTPS inspection improves categorization of applications and URLs and detection of threats such as exploits, viruses and bot communications. In addition HTTPS inspection improves sandboxing detection of zero-day threats in files. Watch our video to find out how-to enable HTTPS inspection on the 700 Small Business Security Appliance.

Re: HTTPS Inspection on Small Business Security Appliances

Pablo_Barriga — Wed, 20 Dec 2017 03:44:43 GMT

Is there any measure of the impact of SSL on the 700 and 1400 family?

Re: HTTPS Inspection on Small Business Security Appliances

Jony_Fischbein — Wed, 20 Dec 2017 10:06:23 GMT

Nice video BOB!

Re: HTTPS Inspection on Small Business Security Appliances

Pedro_Espindola — Fri, 22 Dec 2017 13:28:43 GMT

I have a customer with 12 users, and it was a NO for them with a 1450.

CPU usage was less than 10% with SSL Inspection and throughput was rather low, but SFWD RSS memory usage would increase very fast and sfwd would restart, causing cluster failover every 2 hours. Increasing RSS memory limit to 300MB also increased this time to about 4 hours before failover.

Support responded that this is normal behavior for this model. Maybe with the 1470 or the 1490 that have more memory it will work well.

Re: HTTPS Inspection on Small Business Security Appliances

Miri_Ofir — Wed, 27 Dec 2017 10:40:40 GMT

Hi Pedro,

Cluster failover every 2-4 hours in not normal behavior for 1450 appliance.

Please contact support again, and tell them that SMB R&D wants to investigate it.

Re: HTTPS Inspection on Small Business Security Appliances

Pedro_Espindola — Thu, 28 Dec 2017 19:53:02 GMT

No problems, Miri. I will reopen the case then. Thank you!

Re: HTTPS Inspection on Small Business Security Appliances

DeletedUser — Thu, 04 Jan 2018 17:37:38 GMT

Some clarification on how exceptions are handled in the HTTPS policy as this section is a bit brief in the video. Exceptions can be added in 2 places:

(1) As a category in the Access Policy -> SSL Inspection -> Policy window.

Enable Bypass (other categories and sites)
Click other categories and sites to open SSL Inspection Bypass Other
Advantage: included as a category/site in the predefined SSL Inspection Bypass policy.

(2) As a new exception in the Access Policy -> SSL Inspection -> Exceptions window.

Click New
Create a policy for specific traffic, e.g. from Trusted networks to the DMZ network for the service HTTPS.
Advantage: provides granular control.
Best Practice Tip 1: Do not use ANY as the service for the custom exception. Instead choose HTTPS as the service to avoid a performance impact.
Best Practice Tip 2: Since exceptions are for a specific scope, do not define the source scope as ANY especially if you define a category or a site in this exception. If the appliance has a wireless network which is bypassed by default from the policy page (see 1 above), then defining a category/site based exception with the wireless network in it (as scope) will force the appliance to check the first packet of each new connection for the DN of the certificates and will effectively disable the default wireless bypass (see 1 above).