I need help designing the Https Inspection Policy rules.
I learned this week that it's important where and what type of https inspection bypass rule you have to place.
I have the R80.30 version with the Take 155 in use.
I use the following objects in the Https Inspection Policy:
- Any as source or destination
- Ip addresses as source or destination
- Groups objects as source or destination
- Access Role's (LDAP groups from domain controller, AD Query)
- Category as Services
Currently, I have set up the Https Inspection Policy as follows:
1. Bypass IP base (IP address, host object, network object or group objects)
2. Bypass Service with Category (Src: Host,Network, Group Object, Any Dst: Internet Srv: Category)
3. Bypass Src:Access Role Dst: Internet Srv: Category
4. Inspect Src: Access Role Dst: Internet Srv:Any
5. Bypass Cleanup Rule Src:any Dst:any Srv:any
Now I've tried the following rules construct:
1. Bypass Src: Group Object Dst: Internet Srv:Custom_Category
2. Bypass Src: Access Role Dst: Internet Srv: Custom_Category(same as above)
3. Inspect Src:Access Role Dst: Internet Srv:Any
Here, the rules with the group object do not match first, the rules with the access role match. But i dont know why.
From the past I learned that you should define IP-Base Bypass rules first and then the Category/Application Bypass Rules.
But what about bypass Policy with Access Role objects, where should the AccessRole objects be placed?
Is there a specific order in which I should build the HTTPS Inspection Policy?
And had anyone already make experience with the R80.40 when updatable objects are in the https inspction Policy add?