Matlu
Advisor

Traffic blocked by TP

Hello,

I currently have HTTPS Inspection || AntiBot || Antivirus enabled, on my ClusterXL HA.

The problem is that my local network cannot reach a URL that is on the Internet.

What I see in the logs is that the traffic to the URL is "activating" the AntiBot blade.

In the Cluster object in SmartConsole, the "Anti-Bot & Anti-Virus" section is set to "Detect Only" mode, but there is a rule in TP whose associated profile is the "Optimized" profile.

[Attached screenshots: TP1.png, TP2.png, TP3.png]

So, can the Cluster block the traffic, ignoring the "Detect Only" setting, and give more "priority" to the rule defined in the TP?

I am sharing a log where you can see more clearly the traffic I am describing.

Thanks

6 Replies
Lloyd_Braun
Collaborator

The attached log shows a 'detect' action and a bunch of bytes tx and rx. Maybe the site is not compatible with / is getting broken by HTTPS inspection, and it is not the threat policy directly dropping it? You could try to make a lower-level exception/bypass of the threat policy, based on destination IP, to see if the site works with only HTTPS inspection enabled.

Matlu
Advisor

Hello,

Is your recommendation to make an exception policy in the TP section?

Or is it to make a Bypass in the HTTPS Inspection section?

Could you give me an example, please?

Regards

Lloyd_Braun
Collaborator

I was thinking of a TP exception based on destination IP address; then, if it is still broken, it would appear to be HTTPS inspection causing the issue. You could also do an HTTPS inspection bypass based on destination IP. I would assume that would fix it, but that would also blind the TP blade, so you wouldn't know 100% whether it was TP or HTTPSi that was breaking it.

Matlu
Advisor

I have the impression that it is the Anti-Bot blade.

I am not sure.

The Cluster object's "Antibot/Antivirus" section is set to DETECT ONLY, but apart from that, we have an explicit rule in the TP section, and I'm not sure whether the CLUSTER ignores the global setting in the object and gives more importance to what is "explicitly" defined by rules.

The explicit TP rule has an OPTIMIZED profile, and that profile, as far as I can see, has several "PREVENT" actions enabled.

Maybe this could be the root cause of the problem.

I am not sure about this behavior.

_Val_
Admin

In your policy, Detect is set for low-confidence protections only. Why do you think that Anti-Bot is fully on Detect only? That does not seem to be the case, looking at the screenshot above. The log shows a "High" confidence level, and that is set to Prevent.

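A small log-triage helper that applies the reasoning of the two replies above: Lloyd's point that a Detect action together with bytes sent and received means Threat Prevention is not the thing dropping the flow (so HTTPS Inspection becomes the suspect), and Val's point that a High-confidence match under the Optimized profile is set to Prevent. This is an added example, not code from the thread or from Check Point. The space-separated key=value export format, the field names (blade, action, confidence_level, dst, bytes_sent, bytes_received) and the sample lines are all constructed assumptions; map them to the columns of your own SmartConsole log export before use.

```python
"""Triage constructed Check Point-style Threat Prevention log lines.

Added example, not code from the thread or from Check Point. The log
format (space-separated key=value pairs, values optionally quoted) and
the field names are assumptions chosen to resemble SmartConsole columns.
"""
import re
from collections import defaultdict

# Constructed sample export: four destinations, one pattern each.
#  - .10: Anti-Bot detected (Low confidence) but data flowed both ways
#  - .20: Anti-Bot prevented (High confidence)
#  - .30: Anti-Bot detected, but nothing came back from the server
#  - 198.51.100.7: only an HTTPS Inspection bypass, no TP blade involved
SAMPLE_LOG = """\
time=2024-01-01T10:00:01 blade="Anti-Bot" action=Detect confidence_level=Low dst=203.0.113.10 service=https bytes_sent=5120 bytes_received=48210
time=2024-01-01T10:00:02 blade="Anti-Bot" action=Detect confidence_level=Low dst=203.0.113.10 service=https bytes_sent=4096 bytes_received=30000
time=2024-01-01T10:00:03 blade="Anti-Bot" action=Prevent confidence_level=High dst=203.0.113.20 service=https bytes_sent=512 bytes_received=0
time=2024-01-01T10:00:04 blade="Anti-Bot" action=Detect confidence_level=Low dst=203.0.113.30 service=https bytes_sent=700 bytes_received=0
time=2024-01-01T10:00:05 blade="HTTPS Inspection" action=Bypass dst=198.51.100.7 service=https bytes_sent=300 bytes_received=900
"""

# key=value where the value is either a quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

# Blades whose Prevent/Detect decisions come from the Threat Prevention policy.
TP_BLADES = {"Anti-Bot", "Anti-Virus", "IPS", "Threat Emulation"}


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_log(text):
    """Parse every non-empty line of an export into a list of dicts."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def summarize(entries):
    """Group entries by destination and tally what the TP blades did."""
    per_dst = defaultdict(lambda: {
        "prevent": 0, "detect": 0, "bytes_received": 0,
        "blades": set(), "confidence": set(),
    })
    for e in entries:
        s = per_dst[e.get("dst", "?")]
        blade = e.get("blade", "")
        s["blades"].add(blade)
        if blade in TP_BLADES:
            action = e.get("action", "")
            if action == "Prevent":
                s["prevent"] += 1
            elif action == "Detect":
                s["detect"] += 1
            if e.get("confidence_level"):
                s["confidence"].add(e["confidence_level"])
        # Empty or missing byte counters count as zero.
        s["bytes_received"] += int(e.get("bytes_received") or 0)
    return dict(per_dst)


def verdict(summary):
    """Classify one destination's summary into a troubleshooting bucket."""
    if summary["prevent"]:
        # At least one TP Prevent: the policy itself blocked the flow.
        return "blocked-by-tp"
    if summary["detect"] and summary["bytes_received"] == 0:
        # TP only watched, yet nothing came back: look elsewhere (HTTPSi, upstream).
        return "detect-only-no-data"
    if summary["detect"]:
        # TP only watched and the server answered: TP is not dropping this flow.
        return "detect-only-data-flowed"
    return "no-tp-match"


def triage(text):
    """Map each destination in the export to its verdict."""
    return {dst: verdict(s) for dst, s in summarize(parse_log(text)).items()}


if __name__ == "__main__":
    for dst, result in triage(SAMPLE_LOG).items():
        print(f"{dst:15} {result}")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents. A destination that lands in "detect-only-data-flowed" is the situation Lloyd describes, where a TP exception for that IP will not change anything; "blocked-by-tp" with a High confidence in the summary is the case Val points at, where the Optimized profile's Prevent action, not the object-level Detect Only setting, decided the outcome.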
the_rock
Legend

I would say making an exception is your best bet.

Andy
