AnsweredAssumed Answered

Custom URL matching with HTTPS categorization

Question asked by Markus Marquardt on Sep 20, 2018
Latest reply on Oct 1, 2018 by Dameon Welch-Abernathy

Hi,

 

we are still having issues with rules using custom URLs matching for HTTPS requests. It is working *sometimes*, but most often it is not working (rules doesn't match).

 

We are using HTTPS categorization only, as HTTPS inspection introduced other issues to us (nothing to discuss here).

 

From my understanding, while having HTTPS categorization in place, the firewall should match the URL against the CN of the SSL certificate of the site being accessed.

 

This indeed seems to work ok for cases where the CN is just a plain string. But for a wildcard certificate, it is apparently not working as expected. An actual example:

Site we would like the rule to match: https://www.docker.com/

SSL certificate CN of this site is "*.docker.com", also in the certificate there is a "Subject Alternative Name" attribute including "docker.io".

In the URL object on the firewall we used regex like ".*docker\.com.*" (which should match everything containing docker.com). But rule doesn't match.

 

Please clarify the expected behavior, because I couldn't find anything in documentation:

  • How is a site's wildcard certificate CN (eg. "*.docker.com") matched against the string in the custom URL object? Is the star in the CN treated as wildcard or just as a character without special meaning?
  • Is the SSL certificate's SAN (Subject Alternative Name) taken into account for matching at all?
  • If the latter is not the case, are there plans to improve matching to take it into account?

 

Together with support we got the rule working once - by adding ".*docker\.io.*" to the URL regex, but I am in doubt that this fixed the root cause. After some time the rule stopped working again without any change done on the firewall.

Outcomes