Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
David_M_Almas
Contributor

Bypass HTTPS Inspection for a custom URL

Hi all!

We're using HTTPS Inspection with a custom outbound certificate in a R80.10 cluster.

Some sites (e.g. https://www.forbes.com/) aren't doing very well with this setup.

To create a Bypass, I created a User Category and a Custom Application/Site using that User Category as Primary Category.

When I try to use this User Category in column Site Category in a Bypass rule on HTTPS Inspection, the policy installation fails with message:

   "HTTPS Inspection: rule 2. In 'Site Category' column,  applications or groups with applications are not supported."

Any ideas on how to create this kind of exception/bypass for HTTPS Inspection?

Thanks in advance!

0 Kudos
5 Replies
G_W_Albrecht
Legend Legend
Legend

I would do this in https rulebase (R77.30 Dashboard opens nicely for that 😉 - just make sure that the traffic to bypass is NOT matched by https rules - then it is surely not inspected (and the cert not analyzed). Good help can be found in sk108202 Best Practices - HTTPS Inspection and maybe you need to use Probe Bypass from sk104717 HTTPS Inspection Enhancements in R77.30 and above.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Vladimir
Champion
Champion

Gunther, can you please clarify what you mean by this: "just make sure that the traffic to bypass is NOT matched by https rules - then it is surely not inspected (and the cert not analyzed)"?

Are you implying that this rule:

Will prevent HTTPS inspection enforcement of any of these two rules:

According to my tests, this seem to work fine with exception of the above mentioned forbes.com.

That site does not work with or without probe bypass.

Thank you.

G_W_Albrecht
Legend Legend
Legend

Sorry for the confusion - this should work fine indeed. The only reliable solution i know of is Dest IP 😞

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
David_M_Almas
Contributor

Answering my own question 🙂

We're bypassing certain Site Categories (e.g. Health and Finantial Services) so I just created a Override Categorization for the site www.forbes.com changing the Primary Category for "Finantial Services" (the name www.forbes.com is actually a CNAME for g2.shared.global.fastly.net. so I add to Override this one too).

We're considering to Bypass the Very Low Risk Site Category and add future exceptions to this category thus overriding HTTPS Inspection.

If someone knows about a better/more specific solution for adding exceptions of HTTPS Inspection please let me (us!) know.

Regards!

0 Kudos
kb1
Collaborator

hi can you tell me what catgoreies you have bypassed for inspection apart from health and financial services?
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events