SSL inspection - excluding a website from ssl inspection
All Replies
-
Hi @phphil
The reason of this situation should come from server is working on unsupported cipher suite.
So SSL inspection unable to exclude it.
Currently we known “AESGCM” doesn’t support in 4.38, but it will support in future release this year.
For make sure which cipher suite is working on server, you can capture the packets and find “Server Hello” packet.
It will list which cipher suite is working.
0 -
Many thanks for your reply, it was very helpful.I was able to capture the "Server Hello" and indeed the GCM is there.That this is an issue on the zywall firmware?There is there anything I can do in order to enable SSL inspection AND allowing this specific website to work correctly, without loosing security everywhere?I would really avoid to touch the following parameters:0
-
Hi @phphil
The SSL inspection function will exchanging the certificate between Server and client after TCP three-handshake.
But some of server support QUIC which working on UDP443.
You can drop UDP443 port by policy control rule prevent the web traffic forwarded to client without SSL inspection protecting.
The AESGCM will support in future release this year.
0 -
You can drop UDP443 port by policy control rule prevent the web traffic forwarded to client without SSL inspection protecting.I'm sorry i'm not really understanding, I should create a Configuration > Security Policy > Policy Control rule with action=deny for request leaving our network and going to this specific websiteBut we already have a similar rule which drop all connections on UDP443 in order to disable QUIC protocol, why it doesn't allow traffic on this website when SSL inpection is on?thank you and Best Regards
0 -
Hi @phphil,
You can add one policy to bypass those unsupported cipher suite site, and move this rule to priority one.
In this way, there is no need to change SSL inspection profile settings.
e.g. Create a security policy and move to priority 1.
From : LAN
To : any
Source : any
Destination: Apply unsupported cipher suite site FQDN object group
Action : allow
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 146 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight