cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

HTTPS Inspection Probe Bypass on R80.20, should I enable?

Hello, I´m using R80.20 Take 33, when I enable the flag enhanced_ssl_inspection some sites don´t open in browsers like chrome (version 58 or 71)... example: www.uol.com, www.bitcointrade.com.br...etc... any tips or sugestions?

Thank you.

Alessandro

Tags (1)
0 Kudos
2 Replies
Kim_Moberg
Silver

Re: HTTPS Inspection Probe Bypass on R80.20, should I enable?

Hi Alessandro

Is it SNI domains your are trying to access?

Did you try to analyze and inspect domains via https://www.ssllab.com? It will show you certicate type and which encryption is enabled.

I had to enable some encryption protocol levels when using probe bypass.

Best regards

Kim

Best Regards
Kim
0 Kudos

Re: HTTPS Inspection Probe Bypass on R80.20, should I enable?

The behaviour has been changed, please look at sk104717:

 

Important:

  • In R80.10, before Jumbo Hotfix Accumulator for R80.10 Take 189, the probing feature is set, by default, to Fail Open.
  • From Take 189, the default behavior is changed to Fail Close.
  • You can return to the behavior as it was before Take 189, by setting bypass_on_enhanced_ssl_inspection 1

To set the default to Fail Open:

  1. Run: fw ctl set int bypass_on_enhanced_ssl_inspection 1
  2. In $FWDIR/modules/fwkern.conf, add this line: bypass_on_enhanced_ssl_inspection=1

The probing feature may fail in the following scenarios (and therefore it is not recommended):

  • Server requires an SNI extension in the SSL "Client hello" packet.
  • Missing cipher - The Security Gateway does not support any of the server allowed ciphers.
  • The server presents an incorrect certificate when SNI is not provided

To disable probing (Recommended):

  1. Run: fw ctl set int enhanced_ssl_inspection 0
  2. In $FWDIR/modules/fwkern.conf, add this line: enhanced_ssl_inspection=0
0 Kudos