D_TK
Advisor

R82 - ssl inspection auto bypass question

Hi all - 

We've been using ssl inspection since pretty much the first version it was available so obviously our ssl inspect bypass rule is pretty long with specific sites that can't be inspected for whatever reasons.  The idea of having the gateway automatically make the decision if the site can be inspected or not, and if not, bypass it from ssl inspection is pretty awesome and much needed.  

Question: What happens if the client machine doesn't even have the ssl inspect MiTM cert installed? Would that user be able to surf all sites, because clearly it would not be able to inspect any ssl traffic and all of it would fail open into bypass? Or is having the MiTM cert installed mandatory to even get to the point where the gateway makes the inspection decision?

Thanks.

0 Kudos
8 Replies
the_rock
Legend

Hey @D_TK ,

It's not mandatory to have that cert on the client's machine, but then it sort of defeats the purpose of ssl inspection. If they don't have it, they would be seeing a cert error on literally every site they visit. Personally, in my lab, I don't use those auto-bypass features, I just bypass what I want to myself.

Mind you, Fortinet has had that forever now, can't recall what's included, but I believe it's banking and medical categories and something else. But again, I'm not a big fan of it, just my opinion.

Andy

0 Kudos
D_TK
Advisor

Sure, not having the cert in pre-R82 mode makes surfing unusable as pretty much all sites are ssl and the user would get no clean page loads. My Q is specific to what happens in client fail-open mode if a client didn't have the cert. It's got to be one of these two scenarios:

1)  Everything gets ssl inspect bypassed due to client fail-open, and pages load fine (uninspected).

2) works like it would currently without client fail-open enabled - every single page gets cert/privacy errors.

I would think that it would work like scenario 1, but I did test one laptop and every page threw the ssl error. I just want to ensure that this is the expected result from being in client fail-open mode when the client does not have the MiTM cert installed.

0 Kudos
the_rock
Legend

I can confirm tomorrow in the lab, but I'm 99.99% sure it would be scenario 2.

Andy

0 Kudos
the_rock
Legend

@D_TK Just tested it, since I had to finish something else and it was exactly the behavior as you described in scenario 2, both on R81.20 and R82, latest jumbos.

Andy

0 Kudos
PhoneBoy
Admin

The first connection to the site will fail.
However, the gateway will see that the client/server combination cannot perform HTTPS Inspection because of not having the MITM certificate, because the app uses Certificate Pinning (thus won't accept the MITM certificate), or some other error.
Future connections to that site will be "bypassed."
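The behaviour described in the answer above (first connection fails, the gateway remembers the failure, later connections to that site are bypassed) is easiest to reason about as a small per-(client, server) cache. The block below is an added illustration written for this thread, not Check Point code, and it does not claim to reproduce the gateway's internals: the cache key, the failure reasons, the TTL and the log events are all assumptions I constructed. Its second half is the check a defender would want here: once fail-open is on, a client that lacks the MITM CA ends up with a learned bypass entry for every site it touches, so a client accumulating such entries across many servers is worth flagging, because its traffic is effectively uninspected after the first error per site.

```python
"""Toy model of 'client fail-open' HTTPS inspection bypass, plus a detection check.

Assumptions (mine, not documented gateway behaviour):
  * learned bypass decisions are keyed on (client, server)
  * the first connection that cannot be inspected fails and is recorded
  * later connections for the same (client, server) are bypassed, uninspected
  * a learned entry expires after BYPASS_TTL seconds
"""
from collections import defaultdict
from dataclasses import dataclass

BYPASS_TTL = 3600  # seconds; assumed value for the model

# Failure reasons a gateway could observe on the first connection. The
# "client_untrusted_ca" case is the thread's scenario 2: client has no MITM cert.
REASONS = ("client_untrusted_ca", "pinning", "other_error")


@dataclass
class Event:
    ts: int        # seconds since some epoch
    client: str    # client IP
    server: str    # destination host
    outcome: str   # what inspection would produce: "ok" or one of REASONS


class FailOpenCache:
    def __init__(self, ttl=BYPASS_TTL):
        self.ttl = ttl
        self.learned = {}  # (client, server) -> (ts_learned, reason)

    def decide(self, ev):
        """'bypass' if an unexpired failure was learned for this pair, else 'inspect'."""
        key = (ev.client, ev.server)
        entry = self.learned.get(key)
        if entry and ev.ts - entry[0] < self.ttl:
            return "bypass"
        self.learned.pop(key, None)  # expired or absent: inspect again
        return "inspect"

    def observe(self, ev):
        """Apply one connection to the model and return the action taken."""
        action = self.decide(ev)
        if action == "inspect" and ev.outcome != "ok":
            # First connection fails; the gateway records the failure so that
            # the next connection to this server from this client is bypassed.
            self.learned[(ev.client, ev.server)] = (ev.ts, ev.outcome)
            return "inspect_failed"
        return action  # "inspect" (succeeded) or "bypass" (not inspected)


def clients_missing_ca(cache, min_servers=3):
    """Clients whose learned entries say 'client_untrusted_ca' for >= min_servers hosts.

    Pinned apps fail for one or two hosts; a missing CA fails for every host,
    so a wide spread of untrusted-CA failures is the signal to look for.
    """
    per_client = defaultdict(set)
    for (client, server), (_, reason) in cache.learned.items():
        if reason == "client_untrusted_ca":
            per_client[client].add(server)
    return sorted(c for c, hosts in per_client.items() if len(hosts) >= min_servers)


# Constructed sample events, in time order. 10.0.0.5 has no MITM cert installed;
# 10.0.0.6 has it but runs one certificate-pinning app.
EVENTS = [
    Event(0,    "10.0.0.5", "www.example.com",  "client_untrusted_ca"),
    Event(1,    "10.0.0.6", "www.example.com",  "ok"),
    Event(5,    "10.0.0.5", "www.example.com",  "client_untrusted_ca"),  # now bypassed
    Event(10,   "10.0.0.5", "docs.example.net", "client_untrusted_ca"),
    Event(20,   "10.0.0.5", "mail.example.org", "client_untrusted_ca"),
    Event(30,   "10.0.0.6", "bank.example",     "pinning"),
    Event(40,   "10.0.0.6", "bank.example",     "ok"),                   # bypassed anyway
    Event(4000, "10.0.0.5", "www.example.com",  "client_untrusted_ca"),  # TTL expired
]


def replay(events, ttl=BYPASS_TTL):
    """Run all events through a fresh cache; return (actions, cache)."""
    cache = FailOpenCache(ttl)
    return [cache.observe(e) for e in events], cache


if __name__ == "__main__":
    actions, cache = replay(EVENTS)
    for ev, act in zip(EVENTS, actions):
        print(f"t={ev.ts:<5} {ev.client} -> {ev.server:<17} {act}")
    print("clients likely missing the MITM CA:", clients_missing_ca(cache))
```

Running it shows the pattern from the thread: each of 10.0.0.5's first visits fails, every repeat visit is bypassed until the entry expires, and 10.0.0.6 only gets a bypass entry for the pinned app's host. The audit function then names only 10.0.0.5, which is the client whose browsing is now flowing uninspected rather than being blocked.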

the_rock
Legend

It's weird, 'cause when I tested in the R82 lab, EVERY site gave me a cert warning and if I chose to continue, the site would open.

Andy

0 Kudos
PhoneBoy
Admin

That cert warning is the first connection 😛

(1)
the_rock
Legend

You got me there LOL

0 Kudos
