cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

Bypass HTTPS Inspection for a custom URL

Hi all!

We're using HTTPS Inspection with a custom outbound certificate in a R80.10 cluster.

Some sites (e.g. https://www.forbes.com/) aren't doing very well with this setup.

To create a Bypass, I created a User Category and a Custom Application/Site using that User Category as Primary Category.

When I try to use this User Category in column Site Category in a Bypass rule on HTTPS Inspection, the policy installation fails with message:

   "HTTPS Inspection: rule 2. In 'Site Category' column,  applications or groups with applications are not supported."

Any ideas on how to create this kind of exception/bypass for HTTPS Inspection?

Thanks in advance!

0 Kudos
4 Replies

Re: Bypass HTTPS Inspection for a custom URL

I would do this in https rulebase (R77.30 Dashboard opens nicely for that 😉 - just make sure that the traffic to bypass is NOT matched by https rules - then it is surely not inspected (and the cert not analyzed). Good help can be found in sk108202 Best Practices - HTTPS Inspection and maybe you need to use Probe Bypass from sk104717 HTTPS Inspection Enhancements in R77.30 and above.

Vladimir
Pearl

Re: Bypass HTTPS Inspection for a custom URL

Gunther, can you please clarify what you mean by this: "just make sure that the traffic to bypass is NOT matched by https rules - then it is surely not inspected (and the cert not analyzed)"?

Are you implying that this rule:

Will prevent HTTPS inspection enforcement of any of these two rules:

According to my tests, this seem to work fine with exception of the above mentioned forbes.com.

That site does not work with or without probe bypass.

Thank you.

Re: Bypass HTTPS Inspection for a custom URL

Sorry for the confusion - this should work fine indeed. The only reliable solution i know of is Dest IP 😞

Highlighted

Re: Bypass HTTPS Inspection for a custom URL

Answering my own question 🙂

We're bypassing certain Site Categories (e.g. Health and Finantial Services) so I just created a Override Categorization for the site www.forbes.com changing the Primary Category for "Finantial Services" (the name www.forbes.com is actually a CNAME for g2.shared.global.fastly.net. so I add to Override this one too).

We're considering to Bypass the Very Low Risk Site Category and add future exceptions to this category thus overriding HTTPS Inspection.

If someone knows about a better/more specific solution for adding exceptions of HTTPS Inspection please let me (us!) know.

Regards!

0 Kudos