the_rock
Advisor

HTTPS inspection issue

Hello everyone and Happy New Year! 🙂
I wanted to post this to see if anyone has any suggestions at all. So I worked with an escalation guy on it and he could not really offer a whole lot, sadly. So, here is the story... the customer has a cloud Smart-1 management (though I don't think that's overly relevant) and two 6400 gateways in an HA cluster. We enabled HTTPS inspection and created a simple ordered URL layer with a blacklist first and then an any/any allow at the bottom (I know that's the recommendation, as odd as I find it, but whitelist first does not seem to work).

So what happens is that if we test a PC from behind the internal interface (10.50.0.135), we see it gets accepted on the network layer, inline layer 5, and then certain categories are supposed to be blocked on rule 1 of the ordered URL layer, which does NOT happen.

To make things even worse, not even Internet access on that PC works unless we create a bypass HTTPS inspection rule for the whole 10.50 net... which is pointless, since it defeats the purpose of even using HTTPS inspection.

Then TAC found out that not even the wstlsd process is running on the gateway, so the guy said there is nothing to debug. We tried disabling the URL Filtering, Application Control and HTTPS Inspection blades, no go. Also rebooted, same issue.

These are brand new firewalls with the latest R80.40 and jumbo hotfix... I'm totally lost as to why this happens. Maybe I'm wrong when I say this, but if a rule in the network layer allows that PC to go anywhere on the Internet, should the ordered URL layer not still block the categories listed? As per escalation, that's totally fine, but I still have some doubts...

Any advice would be appreciated!

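The question in the original post (does an accept in the network layer let traffic skip the URL layer?) comes down to how ordered layers are evaluated. The following is an added example written for this page, not code from the original post or from Check Point: a simplified model in which each ordered layer is matched top-down to its first matching rule, a connection is allowed only if every ordered layer accepts it, and a layer with no matching rule falls through to an implicit cleanup drop. The rule names, the 10.50.0.0/16 network and the URL categories are constructed to mirror the scenario described above; the model does not cover the HTTPS inspection policy, which is a separate policy and is what actually decides whether encrypted traffic can be categorised at all.

```python
"""Simplified model of ordered policy layers (added example, not Check Point's engine).

Semantics modelled:
  * each ordered layer is evaluated top-down to its first matching rule;
  * an accept in one layer only hands the connection to the next layer;
  * a drop in any layer is final;
  * a layer with no matching rule drops via its implicit cleanup rule;
  * the connection is allowed only when every layer has accepted it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = None  # sentinel meaning the rule field is "Any"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                             # "accept" or "drop"
    src: Optional[str] = ANY                # source CIDR, or ANY
    categories: Optional[frozenset] = ANY   # URL categories, or ANY

    def matches(self, src_ip: str, category: str) -> bool:
        """True if this rule's source and category fields both match."""
        if self.src is not ANY and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.categories is not ANY and category not in self.categories:
            return False
        return True


@dataclass(frozen=True)
class Layer:
    name: str
    rules: Tuple[Rule, ...]


def evaluate(layers: Tuple[Layer, ...], src_ip: str, category: str) -> Tuple[str, str, str]:
    """Return (decision, layer_name, rule_name) for a connection.

    The rule name identifies the rule that made the final decision, or
    "implicit cleanup" when a layer had no matching rule.
    """
    for layer in layers:
        for rule in layer.rules:
            if rule.matches(src_ip, category):
                if rule.action == "drop":
                    return ("drop", layer.name, rule.name)
                break  # accepted in this layer; continue with the next ordered layer
        else:
            # no rule matched in this layer: implicit cleanup drop
            return ("drop", layer.name, "implicit cleanup")
    return ("accept", layers[-1].name, "all layers accepted")


# Constructed policy mirroring the thread: the network layer lets the
# 10.50.0.0/16 net out, the ordered URL layer blacklists categories in
# rule 1 and then has an any/any accept at the bottom.
NETWORK_LAYER = Layer("Network", (
    Rule("Internal to Internet", "accept", src="10.50.0.0/16"),
))
URL_LAYER = Layer("URL Filtering", (
    Rule("Blacklist categories", "drop", categories=frozenset({"Gambling", "Malware"})),
    Rule("Any Any allow", "accept"),
))
POLICY = (NETWORK_LAYER, URL_LAYER)


if __name__ == "__main__":
    # Constructed sample connections: the test PC from the thread plus an
    # address outside the allowed net.
    for ip, cat in (("10.50.0.135", "Gambling"),
                    ("10.50.0.135", "News"),
                    ("192.168.1.10", "News")):
        print(f"{ip:14} {cat:9} -> {evaluate(POLICY, ip, cat)}")
```

With this model the test PC is accepted by the network layer and still dropped by rule 1 of the URL layer for a blacklisted category, which is the behaviour escalation confirmed as expected; the network-layer accept does not bypass the later layer. If the gateway shows an accept on the network layer and no match in the URL layer, as in the original post, the question is why categorisation is not happening (for HTTPS traffic, whether inspection is actually active), not whether the layer order is wrong.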
4 Replies
Vincent_Bacher
Advisor

Unless I missed something in your post, the design with Access Control Layer and Application Control / URL Filter Layer should basically work.
Since you are talking about HTTPS inspection: have you tried to access an unencrypted HTTP page, like http://apache.org?
Is it possible to access such a page, or does that not work either? Is the categorization correct there?

and now to something completely different
the_rock
Advisor

Hi Vincent,
See, even HTTP access is very random, so that part makes no sense either.

PhoneBoy
Admin

Can you send me the TAC SR in a PM?

the_rock
Advisor

It's under control now :). Looks like something got reset in GuiDBedit when we tried removing the old cert for HTTPS inspection with Tier 3 a few days ago. I will work with escalations again on Monday to see if we can sort out the block page notification issue. Have a great weekend!!
