This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
efraim
Explorer
‎2020-05-16 07:07 PM

HTTPS inspection doesn't work on R80.10

Hello,

I have enabled HTTPS inspection on a SA machine running R80.10
Afterwards, I have created an outbound CA certificate, exported it, enabled, hit OK and installed policy.

Web traffic (https) is not being inspected for some reason even though everything was set correctly (it worked before on the same test environment).
I have tried to install the latest jumbo hotfix but it doesn't work. The client site gets the regular certificate of the server. 

How should I debug it using clish?

I have tried to debug CPAS and WS and I'm able to see this in the kernel debug:
{ssl_insp} fw_https_inspection_set_conn_opq: [ERROR]: failed to set the https_inspection_conn_opq on the connection
Some of the debug is not properly formatted in notepad++, how should I open it? 

Thank you 


debug.7z
0 Kudos
Reply
3 Replies
PhoneBoy
Admin
Admin
‎2020-05-18 05:23 PM

Recommend getting the TAC involved.
That said, if you're serious about using HTTPS Inspection it's highly recommended you upgrade to at least R80.30 which includes SNI support as well as improved HTTPS Inspection performance.
0 Kudos
Reply
efraim
Explorer
‎2020-05-20 12:34 PM
In response to PhoneBoy

Thank you! 

As far as I am aware, in previous version (let's say R77.30/R80.10) we are able to see the exact URL the user is trying to access.

So basically I'm trying to understand what State-of-the-Art SSL Inspection (R80.30) acts differently compared to previous versions.

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2020-05-20 04:27 PM
In response to efraim

First of all, R80.30 supports newer TLS ciphers and has an enhanced TLS engine that's faster (translating to better performance).
Second, we actually validate the SNI the client presents (i.e. check with the server to see that the SNI matches what the certificate says).
There's also a CLI tool to configure preferred ciphers (possible before, but wasn't as easy).
SNI can also be used for places where HTTPS Inspection isn't used for a specific HTTPS connection, allowing for more reliable bypass rules as well as App Control/URL Filtering categorization.

In R80.40, the HTTPS Inspection policy moves to SmartConsole and you get the ability to use Updatable Objects in the policy.
We include a specific Updatable Object of applications that are known not to work with HTTPS Inspection that can be used.
There is also support for HTTP/2.
0 Kudos
Reply