In v18, with the new decryption policy, you can use exceptions by pointing to a URL group. Does this mean if I use DPI decryption (turn off proxy), the exceptions configured previously under Web -> Exceptions no longer apply?
The Web > Exceptions apply to both proxy mode and DPI mode and can turn off HTTPS Decryption, certificate checks, Policy checks, AV and more. It applies to web traffic.
The TLS Inspection Rules apply to DPI mode and can only turn off HTTPS Decryption and certificate checks. It applies to any type of SSL/TLS traffic.
There is a bunch of new integration into the log viewer and dashboard to make it easy to add to the URL Group that is used by the TLS Inspection Rules.
In WebAdmin we have tried to make a note of things that only work in proxy mode and not DPI mode (for example SafeSearch). Web Exceptions work in both.
Thanks Michael.
Does it gonna to change in the next future?
In this way, users need to update and keep update the same objects inside 2 different lists.
So image the user is not able to open a website and he/she is using DPI, then the user puts the site inside the TLS URL group but the website still does not open. So the user puts the same websites (using regex this time) into exceptions and ticked all checkboxes and finally the website works.
The user to keep the things clean on XG, needs to understand first who is responsible for the blocking traffic, try and then clean the portion that is not responsible.
Sorry, but for the moment, logs do not help a lot. I would like to have another extra checkbox into web exceptions for skip DPI scanning or something like that to have a single section to deal with.
Also, I prefer regex to url or subdomains, as regex are more flexible to filter/bypass traffic.
No plan to change. If you are only dealing with Web traffic (80/443) and you want a single source use Web Exceptions. They are more flexible with RegEx and can exclude more than just HTTPS scanning.
The URL group for TLS/SSL Inspection Rules may be easier for some people who don't know RegEx or want a simpler way to exclude traffic from TLS decryption when using DPI mode. They are not a true "exception". It is a bit like creating a higher level firewall rule that treats traffic to a specific destination differently. We just created one out of the box and give a shortcut to using it.
Also remember - TLS decryption and DPI scanning are not the same thing. You cannot say "I want to create a Web Exception that uses DPI to find out the destination domain and then use that information to exclude the connection from DPI". You can only say "I want to create a Web Exception that uses DPI to find out the destination domain and then use that information to exclude that connection from TLS decryption".
lferrara said:This is a bit complicated to understand for “normal users”.
A better description should be provided inside the ui itself.
Uncomplicated answer: If are used to creating Web Exceptions, continue creating web exceptions.
I will let you know once my customers will start to move on v18. Customers' feedback are the most important part in our job.
Thanks
I don't necessarily agree that it is too complicated, but I agree that this should be pointed out better in the documentation. Once you understand what is what, it makes sense and isn't hard to understand, but the information about it is missing or not clear enough. So I second the request that the documentation gets a little update on this.
Cheers
cryptochrome said:I don't necessarily agree that it is too complicated, but I agree that this should be pointed out better in the documentation. Once you understand what is what, it makes sense and isn't hard to understand, but the information about it is missing or not clear enough. So I second the request that the documentation gets a little update on this.
I have just finished working the the Docs team on getting this (TLS Exclusion Rules and Web Exceptions) better documented in the Help section for SSL/TLS Inspection Rules. I don't know when you guys will see the update, but it should be clearer in docs in the future.
Thanks for the update, Michael. I'll take a look once it's available.
Online help links:
Thanks Michael, the docs look really good. Except for one thing. In the first link, third paragraph, the docs say:
SSL/TLS inspection rules do not affect the decryption of traffic handled by the web proxy.
From my experience, this is not the case. I have one firewall rule which is set to proxy mode and which has web exceptions configured to disable decryption. During my tests, I also added a TLS decryption rule (DPI) that matches that traffic. Traffic is being decrypted, despite the rule being set to proxy mode. If I understand the docs correctly, this should not happen. Is this a bug in v18 or is the documentation not clear enough?
Thanks
Sascha
Thanks Michael, the docs look really good. Except for one thing. In the first link, third paragraph, the docs say:
SSL/TLS inspection rules do not affect the decryption of traffic handled by the web proxy.
From my experience, this is not the case. I have one firewall rule which is set to proxy mode and which has web exceptions configured to disable decryption. During my tests, I also added a TLS decryption rule (DPI) that matches that traffic. Traffic is being decrypted, despite the rule being set to proxy mode. If I understand the docs correctly, this should not happen. Is this a bug in v18 or is the documentation not clear enough?
Thanks
Sascha
cryptochrome said:Thanks Michael, the docs look really good. Except for one thing. In the first link, third paragraph, the docs say:
SSL/TLS inspection rules do not affect the decryption of traffic handled by the web proxy.
From my experience, this is not the case. I have one firewall rule which is set to proxy mode and which has web exceptions configured to disable decryption. During my tests, I also added a TLS decryption rule (DPI) that matches that traffic. Traffic is being decrypted, despite the rule being set to proxy mode. If I understand the docs correctly, this should not happen. Is this a bug in v18 or is the documentation not clear enough?
I suspect you have a misconfiguration somewhere and the traffic is not hitting what you think it is. This should not happen, and I'm pretty confident we don't have a bug here.
If you can reproduce it, can you please start a new thread and give plenty of details.
