DeletedUser
Not applicable

HTTPS Inspection on Small Business Security Appliances

Starting with the R77.20.70 firmware released in November of 2017, HTTPS inspection improves categorization of applications and URLs and detection of threats such as exploits, viruses and bot communications. In addition, HTTPS inspection improves sandboxing detection of zero-day threats in files. Watch our video to find out how to enable HTTPS inspection on the 700 Small Business Security Appliance.

6 Replies
Pablo_Barriga
Advisor

Is there any measure of the impact of SSL on the 700 and 1400 family?

Jony_Fischbein
Employee

Nice video BOB!

0 Kudos
Pedro_Espindola
Advisor

I have a customer with 12 users, and it was a NO for them with a 1450.

CPU usage was less than 10% with SSL Inspection and throughput was rather low, but SFWD RSS memory usage would increase very fast and sfwd would restart, causing cluster failover every 2 hours. Increasing RSS memory limit to 300MB also increased this time to about 4 hours before failover.

Support responded that this is normal behavior for this model. Maybe with the 1470 or the 1490, which have more memory, it will work well.

Miri_Ofir
Employee

Hi Pedro,

Cluster failover every 2-4 hours is not normal behavior for the 1450 appliance.

Please contact support again, and tell them that SMB R&D wants to investigate it.

Pedro_Espindola
Advisor

No problems, Miri. I will reopen the case then. Thank you!

0 Kudos
DeletedUser
Not applicable

Some clarification on how exceptions are handled in the HTTPS policy, as this section is a bit brief in the video. Exceptions can be added in 2 places:

(1) As a category in the Access Policy -> SSL Inspection -> Policy window.

    1. Enable Bypass (other categories and sites)
    2. Click other categories and sites to open SSL Inspection Bypass Other
    3. Advantage: included as a category/site in the predefined SSL Inspection Bypass policy.

(2) As a new exception in the Access Policy -> SSL Inspection -> Exceptions window.

    1. Click New
    2. Create a policy for specific traffic, e.g. from Trusted networks to the DMZ network for the service HTTPS.
    3. Advantage: provides granular control.
    4. Best Practice Tip 1: Do not use ANY as the service for the custom exception. Instead, choose HTTPS as the service to avoid a performance impact.
    5. Best Practice Tip 2: Since exceptions are for a specific scope, do not define the source scope as ANY, especially if you define a category or a site in this exception. If the appliance has a wireless network which is bypassed by default from the policy page (see 1 above), then defining a category/site based exception with the wireless network in it (as scope) will force the appliance to check the first packet of each new connection for the DN of the certificates and will effectively disable the default wireless bypass (see 1 above).
