Justin_Sanders
Participant

How am I seeing application specific (youtube, facebook) logs without HTTPS Inspection?

After a lot of reading it seems to me that application control is almost impossible without HTTPS Inspection enabled. 

How is it that we see logs for things like youtube and facebook when HTTPS Inspection is disabled? 

Is it the flag for "Categorize HTTPS websites" - I thought this was based on CN of the certificate, which is *.google.com so not sure how youtube is determined from that. 

Or is it based on the IP address that it is connecting to? Or something else like SNI in the application signature? 

Thanks. Trying to justify enabling HTTPS inspection and the fact that it sees some applications in the logs has been difficult to explain. I.e., it can see youtube and facebook, so why is this other app different?

2 Replies
PhoneBoy
Admin

Categorize HTTPS Sites can see these sites sometimes, but it depends entirely on the CN of the certificate presented, which can change from time to time.
So while it works some of the time, it will sometimes produce inconsistent results with some properties (e.g. Google ones).
If the site in question is using CloudFlare, then the CN of the certificate will not be helpful for categorization purposes.

The way to resolve these ambiguities is SNI, which is planned to be supported in R80.30.
HTTPS Inspection can also resolve these ambiguities and give you visibility into the encrypted traffic.
Justin_Sanders
Participant

Thank you for the input, although it doesn't fully answer the question. 

Let's not use google as I realize that can be troublesome. So in the example of mathtag.com we get the following log:

[attached screenshot: cplog.jpg]

Where is it getting the application name from? Please correct me if I am wrong here but I understand the following to be true:

1. This is an HTTPS request and as such the URL is not visible to the CP gateway. The only unencrypted data in the HTTPS connection that contains anything to do with the URL is the SNI in the Client Hello 

2. A reverse lookup of the destination IP address yields nothing - so it is not learning the application based on reverse lookup of the destination IP address. 

3. The CN is *.mediamath.com - so it is not getting the application name from the CN. 

4. Is it pattern recognition based on the destination IP addresses? This would explain why ebay.com is sometimes categorized as shopping and other times it just sees it as akamai (seems to depend on which akamai server it ends up connecting to)

What other information can the gateway even look at? It seems to me that the only thing it could be using is the SNI field. 

Which circles me back to youtube.com. The CN does not say youtube, reverse lookup does not say youtube, and HTTPS Inspection is disabled so it can't actually see the traffic. How does it know that the traffic is youtube in the logs?

I understand that in the end the solution is to enable HTTPS inspection, but I need to be able to answer why everything seems to be all over the place. It seems like more than 80% of applications can be correctly identified without it but its method of doing so seems inconsistent between applications. 

