This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Justin_Sanders
Participant
‎2019-04-01 01:03 PM

How am I seeing application specific (youtube, facebook) logs without HTTPS Inspection?

After a lot of reading it seems to me that application control is almost impossible without HTTPS Inspection enabled. 

How is it that we see logs for things like youtube and facebook when HTTPS Inspection is disabled? 

Is it the flag for "Categorize HTTPS websites" - I thought this was based on CN of the certificate, which is *.google.com so not sure how youtube is determined from that. 

Or is it based on the IP address that it is connecting to? Or something else like SNI in the application signature? 

Thanks. Trying to justify enabling HTTPS inspection and the fact that it sees some applications in the logs has been difficult to explain. IE , it can see youtube and facebook so why is this other app different?

0 Kudos
Reply
2 Replies
PhoneBoy
Admin
Admin
‎2019-04-01 02:46 PM

Categorize HTTPS Sites can see these sites sometimes, but it depends entirely on the CN of the certificate presented, which can change from time to time.
So while it works some of the time, it will sometimes produce inconsistent results with some properties (e.g. Google ones).
If the site in question is using CloudFlare, then the CN of the certificate will be not helpful for categorization purposes.

The way to resolve these ambiguities is SNI, which is planned to be supported in R80.30.
HTTPS Inspection can also resolve these ambiguities and give you visibility into the encrypted traffic.
0 Kudos
Reply
Justin_Sanders
Participant
‎2019-04-01 08:09 PM
In response to PhoneBoy

Thank you for the input, although it doesn't fully answer the question. 

Lets not use google as I realize that can be troublesome. So in the example of mathtag.com we get the following log 

cplog.jpg

Where is it getting the application name from? Please correct me if I am wrong here but I understand the following to be true:

1. This is an HTTPS request and as such the URL is not visible to the CP gateway. The only unencrypted data in the HTTPS connection that contains anything to do with the URL is the SNI in the Client Hello 

2. A reverse lookup of the destination IP address yields nothing - so it is not learning the application based on reverse lookup of the destination IP address. 

3. The CN is *.mediamath.com - so it is not getting the application name from the CN. 

4. Is it pattern recognition based on the destination IP addresses? This would explain why ebay.com is sometimes categorized as shopping and other times it just sees it as akamai (seems to depend on which akamai server it ends up connecting to)

What other information can the gateway even look at? It seems to me that the only thing it could be using is the SNI field. 

Which circles me back to youtube.com. The CN does not say youtube, reverse lookup does not say youtube, and HTTPS Inspection is disabled so it cant actually see the traffic. How does it know that the traffic is youtube in the logs? 

I understand that in the end the solution is to enable HTTPS inspection, but I need to be able to answer why everything seems to be all over the place. It seems like more than 80% of applications can be correctly identified without it but its method of doing so seems inconsistent between applications. 

 

0 Kudos
Reply