SSL inspection - excluding a website from ssl inspection

phphil
phphil Posts: 29
First Comment Fourth Anniversary
 Freshman Member
edited April 2021 in Security
I'm trying to exclude a website from SSL inspection,

for doing that, i've searched all the domain that reach the landing page using the browser inspector under Network tab.

I've added all the exclusions under UTM profile > SSL inspection > Excluding list
but the website is still inspected. Any idea what it could be?

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,296
    100 Answers 1000 Comments Friend Collector Sixth Anniversary
     Zyxel Employee

    Hi @phphil  

    The reason of this situation should come from server is working on unsupported cipher suite.

    So SSL inspection unable to exclude it.

    Currently we known “AESGCM” doesn’t support in 4.38, but it will support in future release this year.


    For make sure which cipher suite is working on server, you can capture the packets and find “Server Hello” packet.

    It will list which cipher suite is working.


  • phphil
    phphil Posts: 29
    First Comment Fourth Anniversary
     Freshman Member
    Many thanks for your reply, it was very helpful.

    I was able to capture the "Server Hello" and indeed the GCM is there.


    That this is an issue on the zywall firmware?
    There is there anything I can do in order to enable SSL inspection AND allowing this specific website to work correctly, without loosing security everywhere?

    I would really avoid to touch the following parameters:


  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,296
    100 Answers 1000 Comments Friend Collector Sixth Anniversary
     Zyxel Employee

    Hi @phphil  

    The SSL inspection function will exchanging the certificate between Server and client after TCP three-handshake.

    But some of server support QUIC which working on UDP443.

    You can drop UDP443 port by policy control rule prevent the web traffic forwarded to client without SSL inspection protecting. 

    The AESGCM will support in future release this year.

  • phphil
    phphil Posts: 29
    First Comment Fourth Anniversary
     Freshman Member
    edited July 2020
    You can drop UDP443 port by policy control rule prevent the web traffic forwarded to client without SSL inspection protecting.

    I'm sorry i'm not really understanding, I should create a Configuration > Security Policy > Policy Control rule with action=deny for request leaving our network and going to this specific website

    But we already have a similar rule which drop all connections on UDP443 in order to disable QUIC protocol, why it doesn't allow traffic on this website when SSL inpection is on?

    thank you and Best Regards



  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,310
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 50 Answers 1000 Comments
     Zyxel Employee
    edited July 2020

    Hi @phphil,

    You can add one policy to bypass those unsupported cipher suite site, and move this rule to priority one.

    In this way, there is no need to change SSL inspection profile settings.

    e.g. Create a security policy and move to priority 1.

    From          : LAN

    To               : any

    Source        : any

    Destination: Apply unsupported cipher suite site FQDN object group

    Action         : allow



    Untitled Image

Categories

Security Highlight


Read more

Security Help Center

  • FAQ
  • New & Release
  • Monthly Express
  • Threat Intelligence
  • Video Tutorials
    • EnglishTiếng ViệtРусскийไทย中文(台灣)