Thread Info
  • State Verified Answer
  • +2 person also asked this people also asked this
  • Locked Locked
  • Replies 23 replies
  • Subscribers 31 subscribers
  • Views 8924 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DPI vs. Proxy exceptions

cryptochrome

In v18, with the new decryption policy, you can use exceptions by pointing to a URL group. Does this mean if I use DPI decryption (turn off proxy), the exceptions configured previously under Web -> Exceptions no longer apply? 



This thread was automatically locked due to age.
Parents
  • 0

    The Web > Exceptions apply to both proxy mode and DPI mode and can turn off HTTPS Decryption, certificate checks, Policy checks, AV and more.  It applies to web traffic.

    The TLS Inspection Rules apply to DPI mode and can only turn off HTTPS Decryption and certificate checks.  It applies to any type of SSL/TLS traffic.

     

    There is a bunch of new integration into the log viewer and dashboard to make it easy to add to the URL Group that is used by the TLS Inspection Rules.

     

    In WebAdmin we have tried to make a note of things that only work in proxy mode and not DPI mode (for example SafeSearch).  Web Exceptions work in both.

  • 0 in reply to Michael Dunn

    Hi Michael,

    I have to come back to this. To me it appears that the web exceptions do NOT fully apply in DPI mode. We are using an app that doesn't work with SSL decryption, so in v17, we created a web exception for this that contains about 20 RegEx expressions in order to get the app to work. With that web exception, we had no problems. Now we upgraded to v18 and switched the corresponding firewall rule to DPI mode. And sure enough, that app stopped working. When I disable DPI mode and go back to proxy mode for that rule, the app works again.

    This is clearly indicating that web exceptions do not fully apply in DPI mode. 

    Any thoughts?

    EDIT:

    Upon further inspection, it gets even more weird. When disabling DPI mode and force the connection through web proxy, it still doesn't work. We have to disable the decryption rule, which shouldn't even be used in proxy mode. Consider me mighty confused. 

    To re-iterate:

    1. Firewall rule is set to proxy mode
    2. Matching decryption rule is in place
    3. Matching web exception is in place
    4. Result: App doesn't work

    5. Disable matching decryption rule
    6. App works

  • 0 in reply to cryptochrome

    Hi cryptochrome,

    If a web exception for HTTPS decryption does not work, I'm pretty sure that adding the sites to the Local TLS exclusion list for DPI mode does not work either. So that is not an issue with Web Exception vs TLS Exclusion, which is the point of this thread.

    Your problem sounds weird and does not match anything I've heard of before. Please start a new thread.

    Please note that during the EAP, part of my duties as a member of the development team was to monitor and respond in the forums. Now that we are GA, Support is becoming the first point of contact, and they will forward to the development team.

  • 0 in reply to Michael Dunn

    Michael Dunn said:

    If a web exception for HTTPS decryption does not work, I'm pretty sure that adding the sites to the Local TLS exclusion list for DPI mode does not work either. So that is not an issue with Web Exception vs TLS Exclusion, which is the point of this thread.

    Well actually it is. I opened this thread. The original question was whether web exceptions also apply in DPI mode, to which you said they do. But apparently, they don't. I have a comprehensive web exception rule to exclude a certain app from SSL decryption. That web exception rule no longer works in v18 with DPI mode enabled. When I disable DPI mode and force the connection through the proxy, the web exception rule applies and works. 

    By your logic, that should not happen. The web exception rule should also work in DPI mode, but it doesn't. 

     

     
  • 0 in reply to cryptochrome

    This is a long shot, but I had a problem where an explicit "Don't decrypt" rule was killing an app because I had set the decryption profile to "Block insecure SSL."  I had assumed since the action was "Don't decrypt" that it wouldn't also block the traffic because it didn't like a cipher but I was wrong.  

Reply
  • 0 in reply to cryptochrome

    This is a long shot, but I had a problem where an explicit "Don't decrypt" rule was killing an app because I had set the decryption profile to "Block insecure SSL."  I had assumed since the action was "Don't decrypt" that it wouldn't also block the traffic because it didn't like a cipher but I was wrong.  

Children
  • 0 in reply to Bill Roland

    Bill Roland said:

    This is a long shot, but I had a problem where an explicit "Don't decrypt" rule was killing an app because I had set the decryption profile to "Block insecure SSL."  I had assumed since the action was "Don't decrypt" that it wouldn't also block the traffic because it didn't like a cipher but I was wrong.  

     

    That's a good idea, but unfortunately not the issue in my case. It is really weird. 

    I have an exception and a decryption rule. When I set the corresponding firewall rule to use the proxy (turn off DPI mode), then the exception does not work unless I disable the decryption rule. Which shouldn't even apply in proxy mode. When I set the firewall rule to DPI mode (and re-enabled the decryption rule), then the exception rule does not work. 

  • 0 in reply to cryptochrome

    Hi  

    It sounds like you are having an issue.  If you are a paid license user and not a home user, I would suggest that you open up a support request so that it can be looked via connection tracking and debug of DPI.  

    Thanks!