Cisco VPN outgoing connection on SFVH (SFOS 17.5.0 GA) with https scanning & decrypting

Hey Rick,

Do you know the public IP where the Cisco VPN client connect ? If yes, you could create a firewall network rule on top, from LAN to WAN and with this public IP as destination host and with service "HTTPS". And you don't apply any scanning on this rule, so it will pass through.

Thanks I did this on the source however once I find the block of correct addresses I will reverse that to the destination.

So you are using Cisco AnyConnect (based on SSL VPN)? 

I would assume, this is not possible to intercept this traffic with a man-in-the-middle. 

Ether the Client will not connect, or the Cisco will drop the connection, because the certificate is not matching. 

Keep in mind: Https scanning is a man-in-the-middle. 

More information here: community.sophos.com/.../132997

I was assuming this was the case and though the client may have the proper cert built into the config there's not much chance the VPN endpoint would allow the secondary cert to setup a proper tunnel as it is expecting the client cert to verify the identity... 

I was assuming this was the case and though the client may have the proper cert built into the config there's not much chance the VPN endpoint would allow the secondary cert to setup a proper tunnel as it is expecting the client cert to verify the identity...