We have HTTPS Inspection enabled on our R81.10 FW and it collects HTTPS inspection for all internet traffic that originates from the LAN, but for our remote users that use Remote Access VPN we see no HTTPS Inspection logs.
I have a feeling it is probably just a setting we don't have set correctly to allow inspection of Remote Access VPN.
Any ideas?
In the default configuration, internet access for Remote Access VPN clients is only inspected by local endpoint SW. But it is possible to use Hub Mode if the need arises to achieve this: sk101239: Route all traffic from Remote Access clients, including internet traffic, through Security...
Thank you. We don't have Hub Mode enabled so that's something we need to look into.
Have you confirmed it's actually performing HTTPS Inspection on your Remote Access clients?
In any case, for inspecting HTTPS Traffic for Remote Access, it's far better to use either Harmony Browse or Harmony Connect Internet Access.
I have confirmed our Remote Access client subnet is part of the HTTPS Inspection policy. I will look into the other products, thank you.
You definitely got valid responses. Btw, are VPN users going through the FW once they connect, or is it a split VPN tunnel? Because, keep in mind, if it's split VPN, outbound HTTPS inspection will NOT apply, because their Internet traffic would go via their respective ISP providers.
Andy
Not using Hub mode, so traffic to the internet does not pass the GW.
Thank you all for your help in steering me in the right direction.
We have a decision to make about HTTPS Inspection and remote access. Either,
a) We change to Hub Mode which allows HTTPS Inspection for VPN traffic, but we will lose split tunnelling
b) Leave it as it is and not have HTTPS Inspection for VPN users, but retain VPN split tunnelling
You actually have a third option here: Harmony Connect.
Internet-bound traffic can be subject to Threat Prevention (including HTTPS Inspection) without being routed on-premise.
It's a different service at extra cost and requires a second VPN client (which can run concurrently with your existing client).
However, it is another option.
What @PhoneBoy told you makes 100% sense and he perfectly explained why. So, if you think about it, a barebone VPN client is NOT an EDR solution at all, because it simply does just VPN, that's it. With Harmony Endpoint (yes, I know, it's more money and the whole thing, I get it), BUT, it's an amazing product and it's full EDR that actually lets you implement HTTPS inspection from the portal itself, where you would create rules for users. We have customers doing this and they love it.
I will say though, just my honest feedback to you, sometimes adding exceptions for the Threat Prevention blade can be a pain, but TAC is usually good at fixing those fairly quickly.
Hope that helps in your decision making. At least you have choices :-)
Thank you all for taking the time to respond to my original message. All your feedback has been beneficial, and we now have options moving forward. The Checkmates forum is brilliant.
Glad we could help.