Hi all!
We're using HTTPS Inspection with a custom outbound certificate in an R80.10 cluster.
Some sites (e.g. https://www.forbes.com/) aren't doing very well with this setup.
To create a Bypass, I created a User Category and a Custom Application/Site using that User Category as Primary Category.
When I try to use this User Category in the Site Category column of a Bypass rule on HTTPS Inspection, the policy installation fails with the message:
"HTTPS Inspection: rule 2. In 'Site Category' column, applications or groups with applications are not supported."
Any ideas on how to create this kind of exception/bypass for HTTPS Inspection?
Thanks in advance!
I would do this in the HTTPS rulebase (R77.30 Dashboard opens nicely for that 😉) - just make sure that the traffic to bypass is NOT matched by HTTPS rules - then it is surely not inspected (and the cert not analyzed). Good help can be found in sk108202 Best Practices - HTTPS Inspection, and maybe you need to use Probe Bypass from sk104717 HTTPS Inspection Enhancements in R77.30 and above.
Gunther, can you please clarify what you mean by this: "just make sure that the traffic to bypass is NOT matched by https rules - then it is surely not inspected (and the cert not analyzed)"?
Are you implying that this rule:
Will prevent HTTPS inspection enforcement of any of these two rules:
According to my tests, this seems to work fine with the exception of the above-mentioned forbes.com.
That site does not work with or without probe bypass.
Thank you.
Sorry for the confusion - this should work fine indeed. The only reliable solution I know of is Dest IP 😞
Answering my own question 🙂
We're bypassing certain Site Categories (e.g. Health and Financial Services), so I just created an Override Categorization for the site www.forbes.com, changing the Primary Category to "Financial Services" (the name www.forbes.com is actually a CNAME for g2.shared.global.fastly.net. so I added this one to the Override too).
We're considering bypassing the Very Low Risk Site Category and adding future exceptions to this category, thus overriding HTTPS Inspection.
If someone knows about a better/more specific solution for adding exceptions to HTTPS Inspection, please let me (us!) know.
Regards!