Danny
MVP Gold

HTTPS Inspection in SmartEvent shows no data

I copied the Rule UID of a HTTPS inspection rule to my clipboard.

I'm able to filter for this UID in SmartLog, however I'm unable to filter for it within SmartEvent / SmartView.
Is this a limitation? The behaviour is identical in every R81 / R81.10 environment I tried.

My goal was to create a SmartEvent View for HTTPS Inspection to show the top HTTPSi bypass rules etc.

I checked sk144192 but I found no way to use these log fields in SmartEvent:

Security Gateway - HTTPS Inspection Fields

| Field | Display name | Type | Description |
|---|---|---|---|
| https_inspection_rule_id | HTTPS Inspection Rule ID | string | ID of the matched rule |
| https_inspection_rule_name | HTTPS Inspection Rule Name | string | Name of the matched rule |
| app_properties | Additional Categories | string | List of all found categories |
| resource | Resource | string | HTTPS resource. Possible values: SNI or domain name |
| https_validation | HTTPS Validation | string | Precise error, describing HTTPS inspection failure |
| https_inspection_action | Inspection Action | string | HTTPS Inspection action (Inspect/Bypass/Error) |

 

It seems that SmartEvent only has these two HTTPS Inspection fields:

image.png

PhoneBoy
Admin

Did you try just filtering on the rule UUID? (Treating it like a regular Access Policy rule)

Danny
MVP Gold

That's what I did. Filtering the rule UID works in SmartLog, but doesn't return anything in SmartEvent.

the_rock
MVP Gold

Never really played around with HTTPS Inspection filters in SmartEvent, but will check next week. Yes, UUID does work in regular log filters.

Best,
Andy
Danny
MVP Gold

I opened an SR with TAC. I'll update this thread when they find anything useful.

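Added example, not part of any post in this thread and not Check Point code: the "top HTTPSi bypass rules" ranking from the first post, computed offline from log records that carry the sk144192 fields listed there. It assumes the logs are available as one JSON object per line; that layout, the function names, and the sample records (rule UIDs, rule names, resources) are constructed for illustration.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records (not real logs). Field names are the ones listed
# from sk144192 above; the JSON-lines layout is an assumption.
SAMPLE_LOGS = """\
{"https_inspection_rule_id": "{RULE-UID-A}", "https_inspection_rule_name": "Bypass banking", "https_inspection_action": "Bypass", "resource": "bank.example"}
{"https_inspection_rule_id": "{RULE-UID-A}", "https_inspection_rule_name": "Bypass banking", "https_inspection_action": "bypass", "resource": "pay.example"}
{"https_inspection_rule_id": "{RULE-UID-B}", "https_inspection_rule_name": "Bypass updates", "https_inspection_action": "Bypass", "resource": "updates.example"}
{"https_inspection_rule_id": "{RULE-UID-C}", "https_inspection_rule_name": "Inspect all", "https_inspection_action": "Inspect", "resource": "www.example"}
{"https_inspection_rule_id": "{RULE-UID-C}", "https_inspection_rule_name": "Inspect all", "https_inspection_action": "Error", "resource": "old.example", "https_validation": "constructed error text"}
{"action": "Accept", "service": "https"}
not-json garbage line
{"https_inspection_rule_id": "{RULE-UID-A}", "https_inspection_rule_name": "Bypass banking", "https_inspection_action": "Bypass", "resource": "bank.example"}
"""

def parse_records(text):
    """Yield dict records; skip malformed lines and logs without an HTTPSi action."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and rec.get("https_inspection_action"):
            yield rec

def summarize(records):
    """Per rule UID: rule name, hits per action, and resources seen on Bypass."""
    rules = defaultdict(lambda: {"name": "", "actions": Counter(), "bypassed": Counter()})
    for rec in records:
        # Normalize case so "bypass" and "Bypass" are counted together.
        action = str(rec["https_inspection_action"]).strip().capitalize()
        entry = rules[rec.get("https_inspection_rule_id", "<no rule id>")]
        entry["name"] = rec.get("https_inspection_rule_name", entry["name"])
        entry["actions"][action] += 1
        if action == "Bypass":
            entry["bypassed"][rec.get("resource", "<no resource>")] += 1
    return rules

def top_bypass_rules(rules, n=10):
    """Rules ranked by Bypass hits: (rule_id, name, hits, top 3 resources)."""
    ranked = [(uid, r["name"], r["actions"]["Bypass"], r["bypassed"].most_common(3))
              for uid, r in rules.items() if r["actions"]["Bypass"]]
    return sorted(ranked, key=lambda t: (-t[2], t[0]))[:n]

if __name__ == "__main__":
    for row in top_bypass_rules(summarize(parse_records(SAMPLE_LOGS))):
        print(row)
```

The per-rule `actions` counter also holds the Inspect and Error counts, so the same summary can rank rules by inspection failures.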
