Tu2pel
Contributor

HTTPS inspection after Gateway Cert Renewal

We have enabled HTTPS inspection on a couple of clustered gateways. The gateway is also used as a proxy. The cert for the HTTPS inspection expired last Friday and we had it renewed. Before this happened, there were traffic flows going to Azure that were going through the HTTPS inspection policy and being bypassed (as seen in the log). Since then, that same traffic is now showing in the log as being HTTPS inspected and, as a consequence, the end user traffic is impacted. My question is, is there any other place or location that may alter the way the HTTPS inspection policy is applied after a certificate renewal?

 

11 Replies
the_rock
Legend

That's odd, because if the only thing that's different is the renewed cert, that does not change the policy at all. Can you actually send us the logs you are referring to (a screenshot is fine)? Please blur out any sensitive info.

We would need to see based on the policy, which rule the traffic is hitting.

Cheers mate.

Andy

Tu2pel
Contributor

Hi Andy

I have attached the log entries from before and after we updated the cert on the gateway, and the HTTPS inspection policy that it's hitting.

 

chris 

the_rock
Legend

Thank you Chris. Just wondering, what was the rule the traffic was hitting BEFORE this happened? I mean, the bypass rule in question... are you able to send that over?

Tu2pel
Contributor

It's the same rule. The rule in the policy is named Predefined Rule, and that is the same rule it's hitting when it's doing the bypass action.

the_rock
Legend

Ok, hang on, that's a little confusing, sorry... how can it be the same rule since the action shows inspect? By default, that's the rule that's there out of the box.

Tu2pel
Contributor

This is the only rule we have that matches this traffic and that is being logged. Yes, the action on this is HTTPS inspect, but that HTTPS policy is the only one that I can see matching the flow and that is being logged. The only thing we have done is update the cert on the gateways and install policy.

 

the_rock
Legend

Something does not seem logical to me based on what you sent. Not sure what time zone you are in, I'm in EST (GMT -4), so happy to do remote and help out, as I have a really good lab in R81.20 with a Windows 10 host and HTTPS inspection enabled.

Let me know.

Cheers mate.

Tu2pel
Contributor

Yes, it doesn't seem logical to me either, as that traffic behaviour shouldn't change the HTTPS inspection with just an update on the certificate, but I can't seem to see where it was being bypassed before.

I'm in GMT +13 and we're running R81.10 on the gateways.

the_rock
Legend

I assume you are in New Zealand, at least that was the time difference when I was there :-). Anyway, the version here makes no difference. As @emmap said, something had to be changed, as there is NO WAY anything would be bypassed with the default out of the box inspect rule. The easiest way for you to fix this would be simply to add a rule above the inspect rule and specify the networks to be bypassed, install policy and test.

Cheers mate.

Andy

the_rock
Legend

Will send you some screenshots tomorrow (late Wednesday your time) from my lab, so you can see what those rules should roughly look like.

Cheers,

Andy

emmap
Employee

I don't know why it was being bypassed before (outside of the policy having been changed by someone when you weren't looking - this'll be in the audit logs if you need to investigate) but I'd suggest that it's currently working as configured (in that the traffic is matching an inspect rule), so if this traffic should not be inspected, you should update the policy to reflect this.
