Groupobject contain host or Networks objekts. 

Can I have a group of web servers (different IP addresses) grp.websites as the destination in https inspection policy or does each website need to be listed in destination separately.   I'm pretty sure you can't have groups in an inspection policy or at least you weren't able to at one time.  I'm using R81 exclusively today, manager and gw.

Inbound or outbound inspection?

inbound

For inbound, you use web site own certificate, with private keys. Does not make sense to group those, unless all your web servers are using exactly the same certificate, which is extremely unlikely.

Yes, I have 7 sites(objects with different IPs)  all using the same wildcard certificate.

Then yes, you can

No, having them all in a group didn't work for us.  We had to list each one out.   A group object like grp.websites isn't recognized of traversed.

Now you lost me. You do know an answer to your question, but you ask it anyways? 🙂

No, I went live with a group  after your post in production just after 10 am and it didn't work.  Then, after an 45 minutes I switched to the individual sites.

Sorry to mislead you. 

NO worries Val,  & no down time!  Thanks for your efforts!   It doesn't do anything with a group object, so the inspection was still by-passed.

I actually have a new question RE: https inspection.

An admin I work with said this after I started inspecting taffic.

"The app servers don't actually use http protocol they use the port because it's commonly open. This will only cause problems but not actually add any protection to inspect the app server traffic"

Would I be correct to reply that the IPS protections involve much more than looking at the http protocol?

In other words, they are oding TCP port 80', but not HTTP. Depending on how exactly they build the connection, and what flows in that tcp session, there might be an issue with some of http enforcement, if the traffic is matched on a rule with HTTP service, which uses a handler, or on a rule with ANY service. 

What are you trying to achieve, exactly?

I'm trying to achieve the best security I can with TCP port 443 traffic, not using the HTTP protocol.  

I am a bit confused. You do not need to HTTPS Inspection to have IPS for TCP port 80. The whole reason to run HTTPSi is to look inside encrypted traffic.

IPS and other software blade are inspecting all clear text traffic, on expected protocols. In your case, if someone is violating TCP state, it will be discovered and protected regardless on application level protocol using that session, on TCP level. In your case, I would be more concerned about false positive detections, since parsers will be expecting HTTP and failing to parse it. 

Need to see the nature of applications, their risk level and desired security level for your specific user case, to give you any further guidance.  

443 not 80, my bad.  The traffic comes in on 443.  I decrypt it, inspect it, re-encrypt it.  However it's not HTTP traffic.

If it is not HTTPS protocol, you cannot decrypt and inspect it in the first place. 

The https is coming in being decrypted, inspected and then re-encrypted.  I agree it's confusing.  The  developer is stating what is inside.  The app servers don't actually use http protocol they use the port because it's commonly open.  

Uh, now I get it. You encrypt non-HTTP with TLS, correct?

Same statement as I said above: as long as you can decrypt, the traffic is being inspected by advanced blades, according to your Threat Prevention policy. 

Yes.

So, in this case, is it good/safe to continue to inspect this traffic or it can cause problems?

You may want to keep an eye on HTTP related false-positive. I would add an exception for web related IPS protections, but it is hard to make any general recommendation without more details.

So, in general it's going to be management decision.  We'll discuss as a team if the non-HTTP IPS protections outweigh the risk of a false positive.    Thank you for the explanation.