
HTTPS Inspection on Small Business Security Appliances

Starting with the R77.20.70 firmware released in November of 2017, HTTPS inspection improves categorization of applications and URLs and detection of threats such as exploits, viruses and bot communications. In addition, HTTPS inspection improves sandboxing detection of zero-day threats in files. Watch our video to find out how to enable HTTPS inspection on the 700 Small Business Security Appliance.

6 Replies

Re: HTTPS Inspection on Small Business Security Appliances

Is there any measure of the impact of SSL on the 700 and 1400 family?

Employee+

Re: HTTPS Inspection on Small Business Security Appliances

Nice video BOB!

0 Kudos

Re: HTTPS Inspection on Small Business Security Appliances

I have a customer with 12 users, and it was a NO for them with a 1450.

CPU usage was less than 10% with SSL Inspection and throughput was rather low, but SFWD RSS memory usage would increase very fast and sfwd would restart, causing cluster failover every 2 hours. Increasing RSS memory limit to 300MB also increased this time to about 4 hours before failover.

Support responded that this is normal behavior for this model. Maybe with the 1470 or the 1490, which have more memory, it will work well.

Employee+

Re: HTTPS Inspection on Small Business Security Appliances

Hi Pedro,

Cluster failover every 2-4 hours is not normal behavior for the 1450 appliance.

Please contact support again, and tell them that SMB R&D wants to investigate it.

Re: HTTPS Inspection on Small Business Security Appliances

No problems, Miri. I will reopen the case then. Thank you!

0 Kudos

Re: HTTPS Inspection on Small Business Security Appliances

Some clarification on how exceptions are handled in the HTTPS policy as this section is a bit brief in the video. Exceptions can be added in 2 places:

(1) As a category in the Access Policy -> SSL Inspection -> Policy window.

    1. Enable Bypass (other categories and sites)
    2. Click other categories and sites to open SSL Inspection Bypass Other
    3. Advantage: included as a category/site in the predefined SSL Inspection Bypass policy.

(2) As a new exception in the Access Policy -> SSL Inspection -> Exceptions window.

    1. Click New
    2. Create a policy for specific traffic, e.g. from Trusted networks to the DMZ network for the service HTTPS.
    3. Advantage: provides granular control.
    4. Best Practice Tip 1: Do not use ANY as the service for the custom exception. Instead choose HTTPS as the service to avoid a performance impact. 
    5. Best Practice Tip 2: Since exceptions are for a specific scope, do not define the source scope as ANY, especially if you define a category or a site in this exception. If the appliance has a wireless network which is bypassed by default from the policy page (see 1 above), then defining a category/site based exception with the wireless network in it (as scope) will force the appliance to check the first packet of each new connection for the DN of the certificates and will effectively disable the default wireless bypass (see 1 above).
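
The two best-practice tips in the reply above can be turned into a review check for custom exceptions. This is an added example, not part of the original post and not Check Point code; the `BypassException` record, the finding codes and the sample rules are constructed for illustration, and the rows are assumed to be transcribed by hand from the Exceptions window.

```python
from dataclasses import dataclass, field

@dataclass
class BypassException:
    # Hand-transcribed row from the Exceptions window (constructed model,
    # not an appliance export format).
    name: str
    source: str
    destination: str
    service: str
    categories_or_sites: list = field(default_factory=list)

def is_any(value):
    return value.strip().upper() == "ANY"

def lint_exception(exc, default_bypassed=()):
    """Return finding codes for one exception, following Tips 1 and 2."""
    findings = []
    # Tip 1: use HTTPS, not ANY, as the service.
    if is_any(exc.service):
        findings.append("service-any")
    by_content = bool(exc.categories_or_sites)
    # Tip 2: exceptions are for a specific scope; ANY is worse when the
    # exception also matches on a category or site.
    if is_any(exc.source):
        findings.append("source-any-with-category" if by_content else "source-any")
    # Tip 2, second half: a category/site exception whose scope includes a
    # network bypassed by default (e.g. wireless) makes the appliance check
    # certificate DNs there, cancelling that default bypass. ANY includes it.
    covered = [n for n in default_bypassed
               if is_any(exc.source) or n.lower() == exc.source.strip().lower()]
    if by_content and covered:
        findings.append("overrides-default-bypass")
    return findings

# Constructed sample rules; network, category and site names are placeholders.
SAMPLE = [
    BypassException("trusted-to-dmz", "Trusted networks", "DMZ network", "HTTPS"),
    BypassException("finance-sites", "ANY", "ANY", "ANY", ["Financial Services"]),
    BypassException("wifi-sites", "Wireless", "ANY", "HTTPS", ["example.com"]),
]

def lint_all(rules, default_bypassed=("Wireless",)):
    return {r.name: lint_exception(r, default_bypassed) for r in rules}

if __name__ == "__main__":
    for name, findings in lint_all(SAMPLE).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```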