Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
DarrenR
Participant

HTTPS Inspection Not Working

Hello,

I recently stood up a standalone R80.40 gateway in a lab environment to perform some testing for policy changes to support Office 365. I'm working through a scenario with a customer who has HTTPS inspection enabled globally, but I'm unable to get inspection working on my lab gateway. I've enabled HTTPS Inspection on the Gateway, have verified the HTTPS Inspection Policy is what I want, and have adjusted the Topology so respective interfaces are configured appropriately. 

There's not much to configure here, so I'm beating my head against a wall trying to figure out why this appliance isn't inspecting outbound HTTPS traffic. Any help would be appreciated!

 

0 Kudos
13 Replies
PhoneBoy
Admin
Admin

Screenshots of exactly what you've configured, what logs are getting generated with the relevant traffic would help.
Feel free to redact sensitive details.
DarrenR
Participant

Here are a few screenshots of the configuration and I've followed the guide here when putting this in place. 

firewall-policy.jpgfirewall-topology.jpghttps-inspection-configuration.jpghttps-inspection-policy.jpgoutbound-logs-no-inspection.jpg

0 Kudos
PhoneBoy
Admin
Admin

Your HTTPS Inspect rulebase should be more specific.
Specifically, the source should be the specific subnets from which you have traffic HTTPS inspected, not something general like any.
The destination of this rule can be any, not sure it works with the "All_Internet" object.
Second, for performance reasons, your last rule should always be any any bypass.
HeikoAnkenbrand
Champion Champion
Champion

Hi @DarrenR 

A few more tips:
1) Did you import the outbound certificate correctly in the browser?
2) Are there log entries for https inspection? If so, please take a picture.
3) Is the https interception enabled in the protocol tab?
ht1.JPG

4) Set "Internet" instead of "all internet" in the destination:
ht2.JPG

➜ CCSM Elite, CCME, CCTE
DarrenR
Participant

Boom! I missed the enabling the protocol signature. Thanks!

0 Kudos
Tomer_Noy
Employee
Employee

Are you referring to the protocol setting in the Threat Prevention Profile editor?
Trying to extrapolate from the small screenshot, it looks like the setting that exists for the various Threat Prevention engines.

Indeed, it's possible to specify which protocols will be included in the scanning, but the default value for these profiles is to be "On" for HTTP/HTTPS. Most customers should not encounter this issue or have to touch this setting for HTTPS inspection to work.

Did you deactivate this in the past for your environment?
I'd like to better understand this case to make sure more customers don't encounter it.

Thanks!

0 Kudos
Cmc
Explorer

Can you tell me where the config is in your step 3 ?  Because i couldn't find it. Thank you.

archie
Participant

Can somebody tell me, where can I find the protocol tab and setup the protocol signature feature? Is this a must config to work with HTTPS Inspection?

So without this feature the inspection not working? Thanks!

iko
Contributor

can't find it either. does it still exist in R81?

0 Kudos
chethan_m
Collaborator

Where do you find that "Protocol" option with the checkbox for "Web (HTTP/HTTPS)"?

0 Kudos
the_rock
Legend
Legend

Screenshot_1.png

chethan_m
Collaborator

Thank you. This I knew for Threat Prevention. I was wondering if there was another similar configuration available under HTTPS shared policies > inspection settings. 

0 Kudos
the_rock
Legend
Legend

Only one I know is this

Andy

 

Screenshot_1.png

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events