Contributor

Allow only specific site without SSL inspection for a server

Hi,

I have an issue with R80.10 Jumbo 275 on a Security Gateway.

I need a server to have access only to one specific URL (let's say https://www.perdu.com), without SSL inspection.

I've created an APP CTRL rule allowing only the server to reach this specific site, and a rule to bypass SSL inspection.

Below rule 4, rule 5 denies anything else.

[Screenshots: Image 004.jpg, Image 005.jpg]

For some reason I can see that the SSL rule is matched (bypass), but the APP CTRL rule is not matched correctly and the request is dropped when I use SSL. With HTTP it works fine.

[Screenshots: Image 001.jpg, Image 002.jpg, Image 003.jpg]

The Probe Bypass is configured this way:

    [Expert@firewall:0]# fw ctl get int enhanced_ssl_inspection
    enhanced_ssl_inspection = 1
    [Expert@firewall:0]# fw ctl get int bypass_on_enhanced_ssl_inspection
    bypass_on_enhanced_ssl_inspection = 0
    [Expert@firewall:0]#

I think it has something to do with the fact that I am not doing SSL inspection, and that the gateway can't find the server name.

Any ideas how I can deal with this config? Of course I don't want to add the IP address of the web server, as it may change over time.

Thank you

2 Replies
Collaborator

Hi,

Try a Domain Object in FQDN mode (see sk120633 for details).

Leader

@Rom_D 

Your last log entry shows a hide NAT of the source. Your configured rule for allowing this application/website only contains your my_server object as source.

If you don't use automatic NAT on the my_server object, you have to allow both IPs, the real one and the NAT IP.

Wolfgang
