
Selective HTTPS decrypt

I'm a new XG customer on 17.1.2 coming from a competitor UTM.  I'm trying to set up HTTPS decrypt & scan and it works...but with some caveats.  I've got users claiming they can't download attachments from their email (G-Suite).  I also don't care to decrypt ALL traffic.  I'm in an EDU environment, so I really only care about Search Engines and maybe social networking.  

This is a little bit backwards from what I'm used to, but am I right in assuming the best way to accomplish this would be to create an exception and include all website categories in that exception other than search engines (i.e. attached)?  What's the best way in general to accomplish this?  Most traffic is HTTPS nowadays and I don't need to decrypt it all.



This thread was automatically locked due to age.
  • In 17.5 that would be one way to do it.  The firewall rule turns it on for everything, then exceptions turn it off for specific things.  Your list of specific things is unusually big.  Once you have done the hard work of putting the CA on all devices to do scanning, you might as well do it everywhere.  The most common use case is people who want it everywhere except financial, or specific sites that are known to not work well.

     

    Another approach, if you know you only want specific domains (not categories) to be scanned, is to create multiple firewall rules.  The first rule applies to destination FQDN *.google.com and has HTTPS scanning on, the second rule applies to all destinations and has HTTPS scanning off.

     

    Downloading attachments from Gmail / G-Suite should work.  Turning off HTTPS scanning is a workaround solution rather than diagnosing the underlying issue.

     

    We do have future plans to do more selective HTTPS scanning, but there is no timeline.

     

     
