SSL inspection - excluding a website from ssl inspection
All Replies
Hi @phphil
The reason for this situation should be that the server is working on an unsupported cipher suite.
So SSL inspection is unable to exclude it.
Currently we know “AESGCM” is not supported in 4.38, but it will be supported in a future release this year.
To make sure which cipher suite is working on the server, you can capture the packets and find the “Server Hello” packet.
It will list which cipher suite is working.
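As an added example (not from this thread or from Zyxel), the check described above done in code: a small Python parser that takes the raw bytes of a TLS "Server Hello" record (as exported from a packet capture) and reports the negotiated cipher suite and whether it is an AES-GCM suite. The cipher suite table is a constructed subset of the IANA registry, and build_server_hello() only constructs sample input.

```python
import struct

# Constructed subset of IANA TLS cipher suite ids; extend as needed.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return suite id, name, GCM flag."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:              # 0x02 = ServerHello
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    # Layout: version(2) random(32) session_id_len(1) session_id cipher_suite(2)
    # Note: a TLS 1.3 server still puts 0x0303 here and signals 1.3 in an extension.
    version = struct.unpack("!H", hello[0:2])[0]
    sid_len = hello[34]
    off = 35 + sid_len
    if len(hello) < off + 2:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    name = CIPHER_SUITES.get(suite, "unknown")
    return {"version": version, "suite": suite, "name": name, "gcm": "GCM" in name}


def build_server_hello(suite: int, version: int = 0x0303) -> bytes:
    """Constructed sample: minimal ServerHello record with an empty session id."""
    hello = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"
    hello += struct.pack("!H", suite) + b"\x00" + b"\x00\x00"   # suite, no compression, no ext
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    for s in (0xC02F, 0x002F):
        print(parse_server_hello(build_server_hello(s)))
```

In a real capture, export the bytes of the TLS layer of the Server Hello packet and pass them to parse_server_hello(); a "gcm": True result matches the unsupported-suite case discussed in this thread.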
Many thanks for your reply, it was very helpful. I was able to capture the "Server Hello" and indeed the GCM is there. Is this an issue on the ZyWALL firmware? Is there anything I can do in order to enable SSL inspection AND allow this specific website to work correctly, without losing security everywhere? I would really avoid touching the following parameters:
Hi @phphil
The SSL inspection function will exchange the certificate between server and client after the TCP three-way handshake.
But some servers support QUIC, which works on UDP 443.
You can drop the UDP 443 port by a policy control rule to prevent the web traffic being forwarded to the client without SSL inspection protecting it.
AESGCM will be supported in a future release this year.
"You can drop the UDP 443 port by a policy control rule to prevent the web traffic being forwarded to the client without SSL inspection protecting it."
I'm sorry, I'm not really understanding. I should create a Configuration > Security Policy > Policy Control rule with action=deny for requests leaving our network and going to this specific website? But we already have a similar rule which drops all connections on UDP 443 in order to disable the QUIC protocol, so why doesn't it allow traffic on this website when SSL inspection is on? Thank you and Best Regards
Hi @phphil,
You can add one policy to bypass those sites using unsupported cipher suites, and move this rule to priority one.
In this way, there is no need to change the SSL inspection profile settings.
e.g. Create a security policy and move to priority 1.
From : LAN
To : any
Source : any
Destination: Apply unsupported cipher suite site FQDN object group
Action : allow