Yuli
Explorer

HTTPS inspection bypass for application (WhatsApp).

Hi,

I want to give an HTTPS exclusion for WhatsApp, but as you know we cannot do that for an application. Therefore I added a bypass rule for the instant messaging category. But there is not only WhatsApp in this category; there are about 300 messaging tools under this category. How can we add only WhatsApp to the bypass rule?

Thanks.

0 Kudos
31 Replies
Tal_Paz-Fridman
Employee

Consider using a Custom Application with URL.

https://knowledge.broadcom.com/external/article/172362/block-whatsapp-application-on-browser.html

You are allowed to add it to the HTTPS Inspection Rule.

ChatGPT has additional domains:

  1. web.whatsapp.com
  2. api.whatsapp.com
  3. wa.me
  4. cdn.whatsapp.net
  5. static.whatsapp.net
  6. mmg.whatsapp.net
  7. graph.whatsapp.net
  8. e1.whatsapp.net
  9. f.whatsapp.net
  10. s.whatsapp.net

 

0 Kudos
Yuli
Explorer

Thanks, but this is not WhatsApp Web. This is the WhatsApp application that is installed on Windows as a Win32 application. By the way, there is no problem with messaging; the problem is that when we try to download any sent picture or file, we cannot download it. I did not see any related logs.

0 Kudos
andrepassos
Explorer

Hello, I also need some help with this issue. I'm not able to send or receive images on the WhatsApp application for Windows after SSL Inspection activation. Any idea about how to solve this?

0 Kudos
PhoneBoy
Admin

Some applications like WhatsApp use certificate pinning, which is incompatible with HTTPS Inspection.
These applications require specific bypass rules to be configured.
Not sure what should be used for WhatsApp specifically, though R82 is much better at "failing open" (meaning HTTPS Inspection is automatically bypassed) in these situations.

0 Kudos
the_rock
Legend

Just add a custom app group with *whatsapp* in the list. It will work 100%.

Andy

0 Kudos
andrepassos
Explorer

How did you do this? I tried to create an HTTPS bypass rule, but it didn't work. First I tried to create a custom app/site group and added all the WhatsApp services to that group and included them in the category/custom application column, but it returned an error when I tried to install the policy.

Thank you

0 Kudos
the_rock
Legend

Just make sure urlf+appc is enabled on the layer, that's it.

Andy

0 Kudos
PhoneBoy
Admin

The HTTPS Inspection policy does not support the usage of Applications.
It does allow the use of URL Categories and Custom Application/Site objects, which is what @the_rock was telling you to create.
While this will probably work, it will surely allow more than just WhatsApp (say iamnotwhatsapp.com), so be careful.

andrepassos
Explorer

Is there any way to create an HTTPS bypass rule so that the WhatsApp application for Windows works properly without affecting security as you mentioned? I'm just a little bit confused about what to do.

0 Kudos
PhoneBoy
Admin

To create a proper bypass rule, you'd need to get a list of domains used for the WhatsApp service.
These domains would be added to a Custom Application/Site object that would be used in your bypass rule.
Not sure there is a canonical list of WhatsApp domains, but you might also be able to figure it out from the HTTPS Inspection failure logs.

0 Kudos
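
Added example, not part of the original thread and not Check Point's matching logic: the sketch below compares a `*whatsapp*` substring wildcard with matching anchored on base domains, over a constructed list of server names such as might be collected from HTTPS Inspection logs. The base domains are taken from the hostnames listed earlier in the thread; the function names and sample hosts are assumptions.

```python
from fnmatch import fnmatch

# Base domains taken from the hostnames listed earlier in this thread.
WHATSAPP_BASES = ("whatsapp.com", "whatsapp.net", "wa.me")

# Constructed sample: server names as they might be collected from
# HTTPS Inspection logs. Not real log data.
SAMPLE_SNI = [
    "web.whatsapp.com",
    "mmg.whatsapp.net",
    "wa.me",
    "iamnotwhatsapp.com",
    "whatsapp.com.example.net",
    "MMG.WhatsApp.NET.",
    "www.example.org",
]


def normalize(host):
    """Lower-case and drop a trailing root dot so comparisons are stable."""
    return host.strip().lower().rstrip(".")


def wildcard_match(host, pattern="*whatsapp*"):
    """Substring-style wildcard, modelled here with a shell glob (assumption)."""
    return fnmatch(normalize(host), pattern)


def suffix_match(host, bases=WHATSAPP_BASES):
    """True only for a base domain itself or a real subdomain of it."""
    h = normalize(host)
    return any(h == b or h.endswith("." + b) for b in bases)


def over_matched(hosts):
    """Hosts the wildcard would bypass but the anchored list would not."""
    return [h for h in hosts if wildcard_match(h) and not suffix_match(h)]


def missed_by_wildcard(hosts):
    """Listed service hosts that the wildcard does not cover at all."""
    return [h for h in hosts if suffix_match(h) and not wildcard_match(h)]


if __name__ == "__main__":
    for h in SAMPLE_SNI:
        print(f"{h:26} wildcard={wildcard_match(h)!s:5} anchored={suffix_match(h)}")
    print("over-matched:", over_matched(SAMPLE_SNI))
    print("missed:", missed_by_wildcard(SAMPLE_SNI))
```

On the sample, the wildcard both bypasses unrelated hosts and fails to cover `wa.me`, which is why an explicit per-domain list is the narrower rule.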
the_rock
Legend

Good point.

0 Kudos
the_rock
Legend

Will take a video tomorrow and upload.

Andy

0 Kudos
the_rock
Legend

@andrepassos 

Video attached as promised.

Andy

0 Kudos
andrepassos
Explorer

Hello,

We've just tried this solution. We did it exactly as shown in the video, but unfortunately, for some reason it didn't work and I still can't upload images using the WhatsApp app for Windows. Any further ideas?

Thank you

0 Kudos
the_rock
Legend

Can you attach a screenshot of the rule? MAKE SURE it's allowed via the urlf layer and bypassed in SSL inspection.

Andy

0 Kudos
andrepassos
Explorer

I can see in the logs that the traffic continues to be inspected. Do I need to mark the regular expression option as shown? whatsapp.jpg

0 Kudos
the_rock
Legend

Nope... make sure that it is BYPASSED in the SSL inspection policy; then it has to work 100%.

Andy

0 Kudos
the_rock
Legend

Also, can you see what's blocking it via logs?

Andy

0 Kudos
andrepassos
Explorer

Hello.

As you can see, for some reason the bypass is not working.

whatspp_2505.jpg

0 Kudos
the_rock
Legend

Can we see what the bypass rule looks like?

Andy

0 Kudos
PhoneBoy
Admin

Please show a full log card (sensitive details redacted).

andrepassos
Explorer

Hello

We opened an SR and did a remote session with support. Some tests have been carried out, but it is still unclear why the bypass rule is not being respected.

0 Kudos
the_rock
Legend

Question... is there an any/any bypass at the end, or do you have inspect at the end? I ask because I know it's recommended to have bypass at the bottom, but in my experience, I always found it works way better when you bypass things at the top and then inspect the rest at the bottom.

Just my own experience.

Andy

0 Kudos
andrepassos
Explorer

Yes, there is an any/any bypass rule at the bottom, i.e. after the inspect rule.

0 Kudos
the_rock
Legend

Personally, I would try the other way around... bypass whatever needs to be bypassed first, then inspect at the bottom and test, and see if there is any difference.

Andy

0 Kudos
the_rock
Legend

Just for the context, this is my lab, never had a problem with this inspection policy.

Andy

0 Kudos
andrepassos
Explorer

We tested the bypass rule and it works for health, financial services, instant messaging (including WhatsApp) categories. The issue is related to this specific category created in a customized way with the aim of not inspecting the traffic linked to the WhatsApp application. The rule is not being respected even if an object is created with the url *whatspp* as stated in previous messages.

Thank You

0 Kudos
the_rock
Legend

Can you send a screenshot of how you have that rule at the moment?

Andy

0 Kudos
PhoneBoy
Admin

There's been at least one instance in the community reported where the ability to identify sites was improved in R82.
Also, there are options in R82 to handle situations where applications do not support HTTPS Inspection (e.g. because of Certificate Pinning).

If you're not already using R82 here, I suggest trying it (possibly in the lab).

0 Kudos
