As full HTTPS inspection was introducing too many issues for us, we decided to go with "Categorize HTTPS websites" setting enabled in Application Inspection settings.
However, we would still like to match custom URLs for http and https service by using "Custom site" objects in the policy.
We did some tests and the results are not very consistent, we have the following behavior:
- works correctly, policy matches, https traffic is allowed
- works only on the second https access to same site, the first one is blocked (no match)
- not working at all because the https site is using a certificate signed by their own CA (e.g. RedHat subscription network)
So we ended up using domain objects, although I would have preferred custom URLs because of the possible wildcard/regex matching.
So my questions would be:
- As for https, the URL will not be available from the TCP stream without full HTTPS inspection; will the Gateway do a match against the website's certificate CN? Is it supposed to work this way?
- Is it also supposed to work with wildcard certificates, e.g. a certificate with CN "*.domain.com"?
- What can be done if the https site in question is using a certificate signed by its own CA? Is there a way to import a trusted CA not only for full HTTPS inspection, but also for this kind of certificate inspection?