
SSL/TLS inspection applies, although no filtering is enabled in the firewall rule

Hi,

I have the following problem:


On certain pages the SSL/TLS inspection is effective although the filtering is not active in the firewall. This affects both the new XStream filtering and the filtering via the web proxy. An HTTPS connection cannot be established. I get the following error message, e.g. from Firefox:

SSL_ERROR_RX_MALFORMED_HANDSHAKE

The problem can only be solved by switching off the SSL/TLS inspection completely. Also, the problem seems to occur only if the Web Protection is licensed. This also seems not to work with the web filtering of the UTM.

The following pages are affected among others:

The certificate of these sites is the same and includes many hosts. Maybe the problem is buried here as well.

Can the problem be confirmed by others?



This thread was automatically locked due to age.
  • Hi,

    That's because XG will still look at the traffic because of ATP and global security things. Having a plain source, destination rule with nothing enabled is NOT enough to remove all the firewall's checks from happening.

    To bypass that rule from the global check like ATP/IPS, run this command in the classic shell:

    set ips ac_atp exception fwrules <number of the firewall rule that the data passes through>

    Just tested on my lab and it worked.

    Bye!
