In v18, with the new decryption policy, you can use exceptions by pointing to a URL group. Does this mean if I use DPI decryption (turn off proxy), the exceptions configured previously under Web -> Exceptions no longer apply?
Hi cryptochrome,
If a web exception for HTTPS decryption does not work, I'm pretty sure that adding the sites to the Local TLS exclusion list for DPI mode does not work either. So that is not an issue with Web Exception vs TLS Exclusion, which is the point of this thread.
Your problem sounds weird and does not match anything I've heard of before. Please start a new thread.
Please note that during the EAP, part of my duties as a member of the development team was to monitor and respond in the forums. Now that we are GA, Support is becoming the first point of contact, and they will forward to the development team.
Michael Dunn said:If a web exception for HTTPS decryption does not work, I'm pretty sure that adding the sites to the Local TLS exclusion list for DPI mode does not work either. So that is not an issue with Web Exception vs TLS Exclusion, which is the point of this thread.
Well actually it is. I opened this thread. The original question was whether web exceptions also apply in DPI mode, to which you said they do. But apparently, they don't. I have a comprehensive web exception rule to exclude a certain app from SSL decryption. That web exception rule no longer works in v18 with DPI mode enabled. When I disable DPI mode and force the connection through the proxy, the web exception rule applies and works.
By your logic, that should not happen. The web exception rule should also work in DPI mode, but it doesn't.
This is a long shot, but I had a problem where an explicit "Don't decrypt" rule was killing an app because I had set the decryption profile to "Block insecure SSL." I had assumed since the action was "Don't decrypt" that it wouldn't also block the traffic because it didn't like a cipher but I was wrong.
What I was trying to say is that a thread that starts "I am using XYZ app. It does not work in DPI mode, even if I have Web Exceptions or TLS Exclusion" then someone from Support can work with you and determine if it a bug in DPI mode, if it a duplicate to any existing bug, how many customers are experiencing it, and raise it to development with appropriate priority. When you start the thread "Does turning off decryption mean that Web Exceptions don't apply" that makes the thread sound like you are asking for documentation or help understanding the system.
cryptochrome said:The original question was whether web exceptions also apply in DPI mode, to which you said they do. But apparently, they don't.
Web exceptions also apply in DPI mode. Your app/website/client/whatever does not work in DPI mode. Do not assume that the problem is because of web exceptions. Raise it as a bug in DPI mode, don't raise as a bug in Web Exceptions.
Or not. You can go ahead and raise a bug that says "Web exceptions don't work in DPI mode for this app" and then raise a separate bug that says "TLS exclusions don't work in DPI mode for this app" because both are true. But rather than raising two separate issues for Web Exceptions and TLS exclusions, my recommendation raise a single issue for the app in DPI mode.
Michael Dunn said:
Web exceptions also apply in DPI mode. Your app/website/client/whatever does not work in DPI mode. Do not assume that the problem is because of web exceptions. Raise it as a bug in DPI mode, don't raise as a bug in Web Exceptions.
I didn't assume anything, I was merely describing the behavior that I am seeing. A certain web exception does not seem to apply in DPI mode. The second bug you want me to raise ("TLS exclusions don't work in DPI mode for this app") is not what I am seeing. I have no TLS exclusions in place for that app.
Bill Roland said:This is a long shot, but I had a problem where an explicit "Don't decrypt" rule was killing an app because I had set the decryption profile to "Block insecure SSL." I had assumed since the action was "Don't decrypt" that it wouldn't also block the traffic because it didn't like a cipher but I was wrong.
That's a good idea, but unfortunately not the issue in my case. It is really weird.
I have an exception and a decryption rule. When I set the corresponding firewall rule to use the proxy (turn off DPI mode), then the exception does not work unless I disable the decryption rule. Which shouldn't even apply in proxy mode. When I set the firewall rule to DPI mode (and re-enabled the decryption rule), then the exception rule does not work.
Hi cryptochrome
It sounds like you are having an issue. If you are a paid license user and not a home user, I would suggest that you open up a support request so that it can be looked via connection tracking and debug of DPI.
Thanks!
cryptochrome said:I don't necessarily agree that it is too complicated, but I agree that this should be pointed out better in the documentation. Once you understand what is what, it makes sense and isn't hard to understand, but the information about it is missing or not clear enough. So I second the request that the documentation gets a little update on this.
I have just finished working the the Docs team on getting this (TLS Exclusion Rules and Web Exceptions) better documented in the Help section for SSL/TLS Inspection Rules. I don't know when you guys will see the update, but it should be clearer in docs in the future.
Thanks for the update, Michael. I'll take a look once it's available.
Online help links:
