DPI vs. Proxy exceptions

In v18, with the new decryption policy, you can use exceptions by pointing to a URL group. Does this mean if I use DPI decryption (turn off proxy), the exceptions configured previously under Web -> Exceptions no longer apply? 



  • Thanks Michael, the docs look really good. Except for one thing. In the first link, third paragraph, the docs say:

    SSL/TLS inspection rules do not affect the decryption of traffic handled by the web proxy.

    From my experience, this is not the case. I have one firewall rule which is set to proxy mode and which has web exceptions configured to disable decryption. During my tests, I also added a TLS decryption rule (DPI) that matches that traffic. Traffic is being decrypted, despite the rule being set to proxy mode. If I understand the docs correctly, this should not happen. Is this a bug in v18 or is the documentation not clear enough?

    Thanks
    Sascha

  • Special thanks to  and @ for getting this content to our help!

    Wanted to mention to any readers to visit our Feedback on User Assistance group to suggest new content for our online help, startup guides, knowledge base and videos, or tell us how we can improve what we already have!

  • cryptochrome said:

    Thanks Michael, the docs look really good. Except for one thing. In the first link, third paragraph, the docs say:

    SSL/TLS inspection rules do not affect the decryption of traffic handled by the web proxy.

    From my experience, this is not the case. I have one firewall rule which is set to proxy mode and which has web exceptions configured to disable decryption. During my tests, I also added a TLS decryption rule (DPI) that matches that traffic. Traffic is being decrypted, despite the rule being set to proxy mode. If I understand the docs correctly, this should not happen. Is this a bug in v18 or is the documentation not clear enough?

     

    I suspect you have a misconfiguration somewhere and the traffic is not hitting what you think it is.  This should not happen, and I'm pretty confident we don't have a bug here.

    If you can reproduce it, can you please start a new thread and give plenty of details.