KM1895
Contributor

HTTPS Inspection issues

 

Hi,

A customer I am assisting has started testing HTTPS inspection.

As usual, they have only added a few servers for testing purposes in their https inspection policy, but here is where the issue occurs.

 

When they activate it, we see that traffic that isn't included in the rules is still subject to inspection, and so we have had to create a lot of exception rules that shouldn't have been there.

Why would this happen?

I have done this several times before, but never seen this issue before.

The inspection is for outbound traffic, and the traffic we have seen being stopped is traffic going over VPN to their central datacenter.

The exception fixed this as a workaround, but I am curious as to why we would need to do this in the first place, as the rules don't include the traffic being stopped?

 

Environment is R81.10.

0 Kudos
5 Replies
PhoneBoy
Admin

Without seeing the exact rules in question…difficult to say.
I suspect your initial rules were overly broad.
Screenshots of the rules in question would be helpful.

0 Kudos
Timothy_Hall
Legend

Sounds like you tried to use a Service and/or Destination of "Any" in your HTTPS Inspection policy, which you should never do; they should be "HTTPS Default Services" and object "Internet" (not All_Internet), respectively.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
KM1895
Contributor

Hi,

Thanks for the input. I went over the rules again, and they are quite limited.

The source is just a few servers, and the destination is set to Internet, with the HTTPS default services chosen.

So there is no real logic as to why servers not added are subject to HTTPS inspection.

 

0 Kudos
Timothy_Hall
Legend

Check your firewall/cluster topology and make sure it is complete and correct to ensure that the object Internet will match traffic properly in your HTTPS Inspection Policy, mainly:

1) The External interface is properly defined 

2) Note that selecting the "Interface leads to DMZ" checkbox on an interface will cause traffic heading for that interface to match object Internet as well, even though that interface's topology is defined as Internal

3) Make sure all interfaces are present in the defined topology, including all VLAN tag subinterfaces in use.  Traffic heading to interfaces missing from the topology definition will match object Internet as well.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
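
A simplified model of the three topology checks in the reply above, as an added example that is not part of the original thread and is not Check Point code. The interface names, addresses and route list are constructed, and the matching logic is an assumption that follows only the behaviour the reply describes.

```python
import ipaddress

# Constructed sample data (hypothetical names and addresses, not from the thread).
# Topology as defined on the gateway object: name -> (kind, leads_to_dmz)
TOPOLOGY = {
    "eth0": ("external", False),
    "eth1": ("internal", False),
    "eth2": ("internal", True),    # "Interface leads to DMZ" ticked
}
# Routes actually in use on the gateway: (destination network, egress interface)
ROUTES = [
    ("0.0.0.0/0", "eth0"),
    ("10.1.0.0/16", "eth1"),
    ("172.16.5.0/24", "eth2"),
    ("10.200.0.0/16", "eth1.40"),  # VLAN subinterface absent from TOPOLOGY
]

def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match of dst against the route list."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), i) for n, i in routes
            if ip in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def internet_match(dst, topology=TOPOLOGY, routes=ROUTES):
    """Return (matches_internet, reason) per the three points in the reply."""
    iface = egress_interface(dst, routes)
    if iface not in topology:
        return True, f"{iface} missing from topology"
    kind, dmz = topology[iface]
    if kind == "external":
        return True, f"{iface} is External"
    if dmz:
        return True, f"{iface} has 'leads to DMZ' set"
    return False, f"{iface} is Internal"

def audit(topology=TOPOLOGY, routes=ROUTES):
    """List non-default routes whose destinations would match object Internet."""
    findings = []
    for net, iface in routes:
        if net == "0.0.0.0/0":
            continue
        first_host = str(ipaddress.ip_network(net).network_address + 1)
        hit, reason = internet_match(first_host, topology, routes)
        if hit:
            findings.append((net, reason))
    return findings

if __name__ == "__main__":
    for net, reason in audit():
        print(f"{net}: matches Internet ({reason})")
```

Any network the audit lists would be picked up by an HTTPS Inspection rule whose destination is Internet, even though it is an internal or datacenter range.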
the_rock
Legend

Happy to assist via remote if you are able to. I have lots of experience with https inspection, as I had spent probably close to 200 hours or more troubleshooting it in the last 3 years or so.

You can always message me directly.

Andy

0 Kudos
