
Trying to understand SSL/TLS inspection exclusions

Hello,

I have been slowly making everything work with SSL/TLS inspection. Trying to get as much as possible inspected and adding exclusions for things that I have not been able to find how to fix.

But I got to an impasse with two applications, that have the same issue. I feel I have something wrong in my settings but here it goes.

1) Webex. I have a rule to just pass *.webex.com. But for some reason some of the connections are going to an IP and XG is not reverse resolving such IPs. I can reverse resolve the IPs elsewhere and I get a Webex domain. (I seldom need to use Webex, so I have been disabling TLS inspection when I need it.)

2) The reason I wrote today is because of this problem. I have a new device that is trying to contact an AWS server. Again the logs show multiple IPs, so I do not know how I would be able to exclude each one of them. See the image of this capture.

The big issue is that the device is sending thousands of DNS queries per hour (about 1M in 12 hrs) trying to desperately connect to their home.

Any ideas or direction would be greatly appreciated.

I am using SFVH (SFOS 18.0.3 MR-3)

Thank you

  • Thank you LuCar,

    I thought adding webex.com would add every subdomain, is that not the case? I have an exception for Webex:

    And if I try a Webex connection, everything on the log that has those domains is getting passed without decryption. But then I have a bunch of IPs (no domain name, just raw IPs) that are being decrypted. If I do reverse DNS on those IPs I see they are on the webex.com domain.

    Same as with AWS...

    To me it sounds like XG is not doing a reverse DNS lookup to figure out if a given IP is owned by the list of domains that are exempted. Is this a true statement?

    As with ips.log, I am trying to figure out the contents. Will write back once they make sense to me. Or if you have any suggestion I would appreciate.

    Meanwhile, I will try and add iot.us-west-2.amazonaws.com to the exception list and see what happens...

    Thank you

  • XG is not doing a reverse DNS. That would take too long for each request to do.

    You have only one packet timeframe to decide if you decrypt or not. It's the TLS SYN packet (first in the handshake). If we would do a reverse lookup, this will likely time out. So we are using the currently called IP or DNS name.

    If the client calls something like domain.webex.com, this will hit the exclusion. 

    If the client calls something like 1.2.3.4, your exclusion will not hit. (This is bad design by the app, but some apps do this).

    If the client calls a DNS name from AWS, it depends on how this is built. Because in the end, you will call AWS, but the client could call something like test1.com.

  • That makes sense...

    I think both Webex in this specific case and this other appliance calling AWS are doing so by IP address.

    And as far as I see, my option is to add every IP to the list, or do an exclusion from source IP. For the appliance calling AWS that should be easy to do, as it is a static IP and I trust the appliance (it is a security device that only runs that application).

    But as for Webex I am at odds... we have another call today. I am implementing the article you sent me and I will check if it works with it.

    I guess SNI is what should have the domain name instead of the IP to hit:

    I will file a ticket to the company's appliance...

    Thank you for all your assistance.
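
The decision described in the reply above (exclusion matched on the name the client presents in its first handshake packet, never on a reverse lookup of the IP) and the SNI point in the last post, as an added example that is not code from Sophos or from this thread. The ClientHello builder produces constructed test input, and the exclusion list and suffix-matching rule are assumptions standing in for the firewall's own logic.

```python
import struct

EXCLUDED_DOMAINS = ["webex.com"]  # assumed exclusion list; webex.com covers its subdomains


def build_client_hello(sni=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed input, not a capture)."""
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        name = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        sn_list = struct.pack("!H", len(name)) + name
        exts = struct.pack("!HH", 0, len(sn_list)) + sn_list  # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32          # client_version + random
            + b"\x00"                             # empty session id
            + b"\x00\x02\x13\x01"                 # one cipher suite
            + b"\x01\x00"                         # one compression method
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def extract_sni(record):
    """Return the server_name from a ClientHello, or None when absent or malformed."""
    try:
        if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 9 + 2 + 32                                        # skip headers, version, random
        pos += 1 + record[pos]                                  # session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
        pos += 1 + record[pos]                                  # compression methods
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if etype == 0:  # list length (2) + name type (1) precede the name length (2)
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def matches_exclusion(sni, excluded=EXCLUDED_DOMAINS):
    """A domain exclusion can only match a name; a connection made by raw IP has no SNI."""
    if sni is None:
        return False
    sni = sni.lower().rstrip(".")
    return any(sni == d or sni.endswith("." + d) for d in excluded)


def should_decrypt(record):
    return not matches_exclusion(extract_sni(record))
```

A client that connects to 1.2.3.4 directly produces the no-SNI case, so `should_decrypt` returns True even though a reverse lookup of that address would point at webex.com; that is the behaviour the thread observes.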