SSL inspection - excluding a website from ssl inspection

phphil
phphil Posts: 39  Freshman Member
First Comment Friend Collector Fifth Anniversary
edited April 2021 in Security
I'm trying to exclude a website from SSL inspection,

for doing that, i've searched all the domain that reach the landing page using the browser inspector under Network tab.

I've added all the exclusions under UTM profile > SSL inspection > Excluding list
but the website is still inspected. Any idea what it could be?

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @phphil  

    The reason of this situation should come from server is working on unsupported cipher suite.

    So SSL inspection unable to exclude it.

    Currently we known “AESGCM” doesn’t support in 4.38, but it will support in future release this year.


    For make sure which cipher suite is working on server, you can capture the packets and find “Server Hello” packet.

    It will list which cipher suite is working.


  • phphil
    phphil Posts: 39  Freshman Member
    First Comment Friend Collector Fifth Anniversary
    Many thanks for your reply, it was very helpful.

    I was able to capture the "Server Hello" and indeed the GCM is there.


    That this is an issue on the zywall firmware?
    There is there anything I can do in order to enable SSL inspection AND allowing this specific website to work correctly, without loosing security everywhere?

    I would really avoid to touch the following parameters:


  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @phphil  

    The SSL inspection function will exchanging the certificate between Server and client after TCP three-handshake.

    But some of server support QUIC which working on UDP443.

    You can drop UDP443 port by policy control rule prevent the web traffic forwarded to client without SSL inspection protecting. 

    The AESGCM will support in future release this year.

  • phphil
    phphil Posts: 39  Freshman Member
    First Comment Friend Collector Fifth Anniversary
    edited July 2020
    You can drop UDP443 port by policy control rule prevent the web traffic forwarded to client without SSL inspection protecting.

    I'm sorry i'm not really understanding, I should create a Configuration > Security Policy > Policy Control rule with action=deny for request leaving our network and going to this specific website

    But we already have a similar rule which drop all connections on UDP443 in order to disable QUIC protocol, why it doesn't allow traffic on this website when SSL inpection is on?

    thank you and Best Regards



  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    edited July 2020

    Hi @phphil,

    You can add one policy to bypass those unsupported cipher suite site, and move this rule to priority one.

    In this way, there is no need to change SSL inspection profile settings.

    e.g. Create a security policy and move to priority 1.

    From          : LAN

    To               : any

    Source        : any

    Destination: Apply unsupported cipher suite site FQDN object group

    Action         : allow



Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)