jnra
Contributor

Maestro HTTPS Inspection

We have a single gateway acting as a perimeter firewall and a maestro setup with 1 security group. Both are being managed by a Single SMS. Our testing aims to access Facebook but block Facebook-Posting. This requires HTTPS inspection and we enabled it on both gateway and maestro.

Behind the gateway we have a test PC and it is working properly. Facebook posting is blocked, However, on the test PC behind Maestro, it's not working. Please see attached images for reference. 

Anyone experienced this before? Thanks in advance. 


0 Kudos
1 Solution

Accepted Solutions
jnra
Contributor

Thank you everyone. The issue was resolved after blocking QUIC and QUIC Protocol.

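The accepted answer above works because HTTPS Inspection terminates TLS over TCP; a browser that negotiates QUIC on UDP/443 carries its TLS handshake inside QUIC, so the gateway never sees a ClientHello it can intercept and an application-level rule such as "block Facebook posting" cannot apply. Once UDP/443 QUIC is dropped, the browser falls back to TCP and the inspected path. The following script is an added illustration, not code from the thread or from Check Point: it classifies constructed flow records by protocol, port and the first bytes of the client's first packet, flagging the flows that would bypass inspection. The `Flow` type, the sample addresses (documentation ranges) and the payload bytes are all assumptions made for this example.

```python
"""Added example (not from the thread): find flows that bypass TLS-based
HTTPS Inspection because the client speaks QUIC on UDP/443.
All flow records below are constructed for illustration."""
import struct
from typing import List, NamedTuple

QUIC_V1 = 0x00000001                      # RFC 9000
QUIC_V2 = 0x6B3343CF                      # RFC 9369
DRAFT_MASK, DRAFT_PREFIX = 0xFFFFFF00, 0xFF000000   # IETF drafts: 0xff0000xx


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    payload: bytes   # first bytes of the first client packet


def is_quic_long_header(payload: bytes) -> bool:
    """True when the payload looks like a QUIC long-header packet
    (Initial / Handshake / 0-RTT / Version Negotiation).

    Per RFC 9000 section 17.2 the header form bit (0x80) is set on long
    headers and bytes 1..4 carry the version; version 0 is a Version
    Negotiation packet. Google QUIC versions are ASCII "Q0xx".
    """
    if len(payload) < 5:
        return False
    if not payload[0] & 0x80:             # short header or not QUIC at all
        return False
    version = struct.unpack("!I", payload[1:5])[0]
    if version in (0, QUIC_V1, QUIC_V2):
        return True
    if version & DRAFT_MASK == DRAFT_PREFIX:
        return True
    return payload[1:3] == b"Q0"          # gQUIC, e.g. "Q046"


def bypasses_inspection(flow: Flow) -> bool:
    """A QUIC session on UDP/443 is not decrypted by TLS-over-TCP
    inspection, so content rules (e.g. block Facebook posting) never fire."""
    return (flow.proto == "udp" and flow.dport == 443
            and is_quic_long_header(flow.payload))


def flows_to_block(flows: List[Flow]) -> List[Flow]:
    """Return the flows a QUIC-blocking rule would need to drop."""
    return [f for f in flows if bypasses_inspection(f)]


# Constructed samples (assumed values):
#  - QUIC v1 Initial: 0xC0 = long header + fixed bit + Initial type, version 1
#  - TLS ClientHello record header (0x16 0x03 0x01) over TCP/443
#  - plain DNS over UDP/53
#  - QUIC draft-29 Initial (version 0xff00001d)
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.5", "udp", 443, bytes([0xC0, 0x00, 0x00, 0x00, 0x01, 0x08])),
    Flow("192.0.2.10", "203.0.113.5", "tcp", 443, bytes([0x16, 0x03, 0x01, 0x02, 0x00])),
    Flow("192.0.2.10", "192.0.2.1", "udp", 53, bytes([0x12, 0x34, 0x01, 0x00, 0x00])),
    Flow("192.0.2.10", "203.0.113.5", "udp", 443, bytes([0xC0, 0xFF, 0x00, 0x00, 0x1D, 0x08])),
]

if __name__ == "__main__":
    for f in flows_to_block(SAMPLE_FLOWS):
        print(f"bypasses HTTPS Inspection: {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

The TCP/443 ClientHello is left alone because that is exactly the traffic HTTPS Inspection is able to decrypt; only the two QUIC handshakes are reported. Short-header QUIC packets (mid-session) are not identified by the first-byte check, which is why a port-based UDP/443 block, as in the accepted answer, is the practical rule rather than payload matching.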

9 Replies
MartinTzvetanov
Advisor

Maestro logs say Unreached OCSP, which for me means the certificate is not recognized, which means the GW behind Maestro doesn't decrypt the traffic. Dig in this direction.

0 Kudos
PhoneBoy
Admin
0 Kudos
jnra
Contributor

Yes. I tried getting the current value with fw ctl get command but I'm getting an error. Will update you once I get to work on our setup later. 

0 Kudos
jnra
Contributor

I performed sk178625 and changed the value of appi_urlf_ssl_cn_perform_hold_for_cert_validation from 0 to 1, but I still encountered the same issue. I still get lots of "Unreached OCSP" HTTPS validation.

I have opened a TAC case for this concern as well. 

0 Kudos
Timothy_Hall
Champion

Do you have Layer 4 distribution enabled? It is by default...

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
jnra
Contributor

Yes. L4 mode was enabled. I also tried setting the interfaces distribution mode manually by setting external interface as network and internal interface as user. 

0 Kudos
emmap
Employee

Is the connection being HTTPS Inspected on both the Maestro SG and the perimeter gateway? Double inspection is not supported, so either just do it on the perimeter gateway or make sure that you exclude the Maestro IPs and the networks behind the Maestro from inspection on the perimeter gateway.

0 Kudos
jnra
Contributor

On my initial setup, Maestro SG is behind the perimeter firewall. Currently, I have a direct internet connection for Maestro SG.

0 Kudos